@scryan7371/sdr-security 0.1.2 → 0.1.3

package/README.md

@@ -41,8 +41,8 @@ import { EmailService } from "./notifications/email.service";
               adminEmails,
               user,
             ),
-          sendUserAccountApproved: ({ email, firstName }) =>
-            emailService.sendAccountApproved(email, firstName),
+          sendUserAccountApproved: ({ email }) =>
+            emailService.sendAccountApproved(email),
         }),
         inject: [EmailService],
       },
@@ -52,6 +52,51 @@ import { EmailService } from "./notifications/email.service";
 export class AppModule {}
 ```
 
+### User Table Ownership Model
+
+Consuming apps keep ownership of their own `app_user` table. `sdr-security`
+stores security/auth state in its own tables and links them by user id.
+
+- App-owned table:
+  - `app_user` (at minimum: `id`, `email`, plus any app-specific columns)
+- `sdr-security` tables:
+  - `security_user` (password hash, verified/approved/active flags)
+  - `security_identity` (provider links such as Google subject)
+  - `security_role`, `security_user_role`
+  - `refresh_token`
+  - `security_password_reset_token`
+
+Link key:
+
+- `security_* .user_id` -> `app_user.id`
+
+This lets each app evolve its user schema independently while reusing the same
+security workflows, guards, controllers, and migrations.
+
+Typical app query pattern is a join when you need security state:
+
+```sql
+SELECT u.id, u.email, su.is_active, su.admin_approved_at, su.email_verified_at
+FROM app_user u
+LEFT JOIN security_user su ON su.user_id = u.id
+WHERE u.id = $1;
+```
+
+Nest/TypeORM equivalent:
+
+```ts
+const row = await usersRepo
+  .createQueryBuilder("user")
+  .leftJoin("security_user", "securityUser", "securityUser.user_id = user.id")
+  .select("user.id", "id")
+  .addSelect("user.email", "email")
+  .addSelect("securityUser.is_active", "isActive")
+  .addSelect("securityUser.admin_approved_at", "adminApprovedAt")
+  .addSelect("securityUser.email_verified_at", "emailVerifiedAt")
+  .where("user.id = :id", { id: userId })
+  .getRawOne();
+```
+
 Optional Swagger setup in consuming app:
 
 ```ts
@@ -96,8 +141,6 @@ await sdrSecurity.notifyAdminsOnEmailVerified({
   user: {
     id: user.id,
     email: user.email,
-    firstName: user.firstName,
-    lastName: user.lastName,
   },
   listAdminEmails: () => usersService.listAdminEmails(),
   notifyAdmins: ({ adminEmails, user }) =>
@@ -108,10 +151,8 @@ await sdrSecurity.notifyUserOnAdminApproval({
   approved: body.approved,
   user: {
     email: user.email,
-    firstName: user.firstName,
   },
-  notifyUser: ({ email, firstName }) =>
-    emailService.sendAccountApproved(email, firstName),
+  notifyUser: ({ email }) => emailService.sendAccountApproved(email),
 });
 ```
 

package/dist/api/contracts.d.ts

@@ -3,8 +3,6 @@ export type UserRole = string;
 export type SafeUser = {
     id: string;
     email: string;
-    firstName: string | null;
-    lastName: string | null;
     phone: string | null;
     roles: UserRole[];
     emailVerifiedAt: string | Date | null;

package/dist/api/migrations/1739500000000-create-security-identity.d.ts

@@ -1,7 +1,7 @@
 export declare class CreateSecurityIdentity1739500000000 {
     name: string;
     up(queryRunner: {
-        query: (sql: string, params?: unknown[]) => Promise<unknown>;
+        query: (sql: string) => Promise<unknown>;
     }): Promise<void>;
     down(queryRunner: {
         query: (sql: string) => Promise<unknown>;

package/dist/api/migrations/1739500000000-create-security-identity.js

@@ -4,13 +4,10 @@ exports.CreateSecurityIdentity1739500000000 = void 0;
 class CreateSecurityIdentity1739500000000 {
     name = "CreateSecurityIdentity1739500000000";
     async up(queryRunner) {
-        const userTable = getSafeIdentifier(process.env.USER_TABLE, "app_user");
-        const userSchema = getSafeIdentifier(process.env.USER_TABLE_SCHEMA, "public");
-        const userTableRef = `"${userSchema}"."${userTable}"`;
-        await queryRunner.query(`CREATE EXTENSION IF NOT EXISTS "uuid-ossp"`);
+        const userTableRef = getUserTableReference();
         await queryRunner.query(`
       CREATE TABLE IF NOT EXISTS "security_identity" (
-        "id" uuid PRIMARY KEY NOT NULL DEFAULT uuid_generate_v4(),
+        "id" uuid PRIMARY KEY NOT NULL DEFAULT uuidv7(),
         "user_id" varchar NOT NULL,
         "provider" varchar NOT NULL,
         "provider_subject" varchar NOT NULL,
@@ -21,36 +18,6 @@ class CreateSecurityIdentity1739500000000 {
     `);
         await queryRunner.query(`CREATE UNIQUE INDEX IF NOT EXISTS "IDX_security_identity_provider_subject" ON "security_identity" ("provider", "provider_subject")`);
         await queryRunner.query(`CREATE UNIQUE INDEX IF NOT EXISTS "IDX_security_identity_user_provider" ON "security_identity" ("user_id", "provider")`);
-        const hasGoogleSubjectColumn = (await queryRunner.query(`
-        SELECT 1
-        FROM information_schema.columns
-        WHERE table_schema = $1
-          AND table_name = $2
-          AND column_name = 'google_subject'
-        LIMIT 1
-      `, [userSchema, userTable]));
-        if (hasGoogleSubjectColumn.length > 0) {
-            await queryRunner.query(`
-        INSERT INTO "security_identity" (
-          "user_id",
-          "provider",
-          "provider_subject",
-          "created_at",
-          "updated_at"
-        )
-        SELECT
-          "id",
-          'google',
-          "google_subject",
-          now(),
-          now()
-        FROM ${userTableRef}
-        WHERE "google_subject" IS NOT NULL
-        ON CONFLICT ("provider", "provider_subject") DO NOTHING
-      `);
-            await queryRunner.query(`DROP INDEX IF EXISTS "IDX_app_user_google_subject"`);
-            await queryRunner.query(`ALTER TABLE ${userTableRef} DROP COLUMN IF EXISTS "google_subject"`);
-        }
     }
     async down(queryRunner) {
         await queryRunner.query(`DROP INDEX IF EXISTS "IDX_security_identity_user_provider"`);
@@ -66,3 +33,10 @@ const getSafeIdentifier = (value, fallback) => {
     }
     return resolved;
 };
+const getUserTableReference = () => {
+    const table = getSafeIdentifier(process.env.USER_TABLE, "app_user");
+    const schema = process.env.USER_TABLE_SCHEMA
+        ? getSafeIdentifier(process.env.USER_TABLE_SCHEMA, "public")
+        : "public";
+    return `"${schema}"."${table}"`;
+};

package/dist/api/migrations/1739510000000-create-security-roles.d.ts

@@ -1,7 +1,7 @@
 export declare class CreateSecurityRoles1739510000000 {
     name: string;
     up(queryRunner: {
-        query: (sql: string, params?: unknown[]) => Promise<unknown>;
+        query: (sql: string) => Promise<unknown>;
     }): Promise<void>;
     down(queryRunner: {
         query: (sql: string) => Promise<unknown>;

package/dist/api/migrations/1739510000000-create-security-roles.js

@@ -4,13 +4,9 @@ exports.CreateSecurityRoles1739510000000 = void 0;
 class CreateSecurityRoles1739510000000 {
     name = "CreateSecurityRoles1739510000000";
     async up(queryRunner) {
-        const userTable = getSafeIdentifier(process.env.USER_TABLE, "app_user");
-        const userSchema = getSafeIdentifier(process.env.USER_TABLE_SCHEMA, "public");
-        const userTableRef = `"${userSchema}"."${userTable}"`;
-        await queryRunner.query(`CREATE EXTENSION IF NOT EXISTS "uuid-ossp"`);
         await queryRunner.query(`
       CREATE TABLE IF NOT EXISTS "security_role" (
-        "id" uuid PRIMARY KEY NOT NULL DEFAULT uuid_generate_v4(),
+        "id" uuid PRIMARY KEY NOT NULL DEFAULT uuidv7(),
         "role_key" varchar NOT NULL,
         "description" text,
         "is_system" boolean NOT NULL DEFAULT false,
@@ -20,76 +16,14 @@ class CreateSecurityRoles1739510000000 {
     `);
         await queryRunner.query(`CREATE UNIQUE INDEX IF NOT EXISTS "IDX_security_role_key" ON "security_role" ("role_key")`);
         await queryRunner.query(`
-      CREATE TABLE IF NOT EXISTS "security_user_role" (
-        "id" uuid PRIMARY KEY NOT NULL DEFAULT uuid_generate_v4(),
-        "user_id" varchar NOT NULL,
-        "role_id" uuid NOT NULL,
-        "created_at" timestamptz NOT NULL DEFAULT now(),
-        CONSTRAINT "FK_security_user_role_user_id" FOREIGN KEY ("user_id") REFERENCES ${userTableRef} ("id") ON DELETE CASCADE,
-        CONSTRAINT "FK_security_user_role_role_id" FOREIGN KEY ("role_id") REFERENCES "security_role" ("id") ON DELETE CASCADE
-      )
-    `);
-        await queryRunner.query(`CREATE UNIQUE INDEX IF NOT EXISTS "IDX_security_user_role_user_role" ON "security_user_role" ("user_id", "role_id")`);
-        await queryRunner.query(`
       INSERT INTO "security_role" ("role_key", "description", "is_system", "created_at", "updated_at")
       VALUES ('ADMIN', 'Administrative access', true, now(), now())
       ON CONFLICT ("role_key") DO NOTHING
     `);
-        const hasRoleColumn = (await queryRunner.query(`
-        SELECT 1
-        FROM information_schema.columns
-        WHERE table_schema = $1
-          AND table_name = $2
-          AND column_name = 'role'
-        LIMIT 1
-      `, [userSchema, userTable]));
-        if (hasRoleColumn.length > 0) {
-            await queryRunner.query(`
-        INSERT INTO "security_role" ("role_key", "description", "is_system", "created_at", "updated_at")
-        SELECT DISTINCT
-          CASE
-            WHEN UPPER(TRIM("role")) = 'ADMINISTRATOR' THEN 'ADMIN'
-            ELSE UPPER(TRIM("role"))
-          END AS "role_key",
-          NULL,
-          false,
-          now(),
-          now()
-        FROM ${userTableRef}
-        WHERE "role" IS NOT NULL
-          AND LENGTH(TRIM("role")) > 0
-        ON CONFLICT ("role_key") DO NOTHING
-      `);
-            await queryRunner.query(`
-        INSERT INTO "security_user_role" ("user_id", "role_id", "created_at")
-        SELECT
-          u."id" AS "user_id",
-          r."id" AS "role_id",
-          now()
-        FROM ${userTableRef} u
-        INNER JOIN "security_role" r ON r."role_key" = CASE
-          WHEN UPPER(TRIM(u."role")) = 'ADMINISTRATOR' THEN 'ADMIN'
-          ELSE UPPER(TRIM(u."role"))
-        END
-        WHERE u."role" IS NOT NULL
-          AND LENGTH(TRIM(u."role")) > 0
-        ON CONFLICT ("user_id", "role_id") DO NOTHING
-      `);
-            await queryRunner.query(`ALTER TABLE ${userTableRef} DROP COLUMN IF EXISTS "role"`);
-        }
     }
     async down(queryRunner) {
-        await queryRunner.query(`DROP INDEX IF EXISTS "IDX_security_user_role_user_role"`);
-        await queryRunner.query(`DROP TABLE IF EXISTS "security_user_role"`);
         await queryRunner.query(`DROP INDEX IF EXISTS "IDX_security_role_key"`);
         await queryRunner.query(`DROP TABLE IF EXISTS "security_role"`);
     }
 }
 exports.CreateSecurityRoles1739510000000 = CreateSecurityRoles1739510000000;
-const getSafeIdentifier = (value, fallback) => {
-    const resolved = value?.trim() || fallback;
-    if (!resolved || !/^[A-Za-z_][A-Za-z0-9_]*$/.test(resolved)) {
-        throw new Error(`Invalid SQL identifier: ${resolved}`);
-    }
-    return resolved;
-};

package/dist/api/migrations/1739515000000-create-security-user-roles.d.ts

@@ -0,0 +1,9 @@
+export declare class CreateSecurityUserRoles1739515000000 {
+    name: string;
+    up(queryRunner: {
+        query: (sql: string) => Promise<unknown>;
+    }): Promise<void>;
+    down(queryRunner: {
+        query: (sql: string) => Promise<unknown>;
+    }): Promise<void>;
+}

package/dist/api/migrations/1739515000000-create-security-user-roles.js

@@ -0,0 +1,39 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CreateSecurityUserRoles1739515000000 = void 0;
+class CreateSecurityUserRoles1739515000000 {
+    name = "CreateSecurityUserRoles1739515000000";
+    async up(queryRunner) {
+        const userTableRef = getUserTableReference();
+        await queryRunner.query(`
+      CREATE TABLE IF NOT EXISTS "security_user_role" (
+        "id" uuid PRIMARY KEY NOT NULL DEFAULT uuidv7(),
+        "user_id" varchar NOT NULL,
+        "role_id" uuid NOT NULL,
+        "created_at" timestamptz NOT NULL DEFAULT now(),
+        CONSTRAINT "FK_security_user_role_user_id" FOREIGN KEY ("user_id") REFERENCES ${userTableRef} ("id") ON DELETE CASCADE,
+        CONSTRAINT "FK_security_user_role_role_id" FOREIGN KEY ("role_id") REFERENCES "security_role" ("id") ON DELETE CASCADE
+      )
+    `);
+        await queryRunner.query(`CREATE UNIQUE INDEX IF NOT EXISTS "IDX_security_user_role_user_role" ON "security_user_role" ("user_id", "role_id")`);
+    }
+    async down(queryRunner) {
+        await queryRunner.query(`DROP INDEX IF EXISTS "IDX_security_user_role_user_role"`);
+        await queryRunner.query(`DROP TABLE IF EXISTS "security_user_role"`);
+    }
+}
+exports.CreateSecurityUserRoles1739515000000 = CreateSecurityUserRoles1739515000000;
+const getUserTableReference = () => {
+    const table = getSafeIdentifier(process.env.USER_TABLE, "app_user");
+    const schema = process.env.USER_TABLE_SCHEMA
+        ? getSafeIdentifier(process.env.USER_TABLE_SCHEMA, "public")
+        : "public";
+    return `"${schema}"."${table}"`;
+};
+const getSafeIdentifier = (value, fallback) => {
+    const resolved = value?.trim() || fallback;
+    if (!resolved || !/^[A-Za-z_][A-Za-z0-9_]*$/.test(resolved)) {
+        throw new Error(`Invalid SQL identifier: ${resolved}`);
+    }
+    return resolved;
+};

package/dist/api/migrations/1739520000000-create-password-reset-tokens.js

@@ -7,7 +7,7 @@ class CreatePasswordResetTokens1739520000000 {
         const userTableRef = getUserTableReference();
         await queryRunner.query(`
       CREATE TABLE IF NOT EXISTS "security_password_reset_token" (
-        "id" uuid PRIMARY KEY NOT NULL DEFAULT uuid_generate_v4(),
+        "id" uuid PRIMARY KEY NOT NULL DEFAULT uuidv7(),
         "user_id" varchar NOT NULL,
         "token" varchar NOT NULL,
         "expires_at" timestamptz NOT NULL,

package/dist/api/migrations/1739530000000-create-security-user.d.ts

@@ -0,0 +1,9 @@
+export declare class CreateSecurityUser1739530000000 {
+    name: string;
+    up(queryRunner: {
+        query: (sql: string) => Promise<unknown>;
+    }): Promise<void>;
+    down(queryRunner: {
+        query: (sql: string) => Promise<unknown>;
+    }): Promise<void>;
+}

package/dist/api/migrations/1739530000000-create-security-user.js

@@ -0,0 +1,41 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CreateSecurityUser1739530000000 = void 0;
+class CreateSecurityUser1739530000000 {
+    name = "CreateSecurityUser1739530000000";
+    async up(queryRunner) {
+        const userTableRef = getUserTableReference();
+        await queryRunner.query(`
+      CREATE TABLE IF NOT EXISTS "security_user" (
+        "user_id" varchar PRIMARY KEY NOT NULL,
+        "password_hash" varchar NOT NULL,
+        "email_verified_at" timestamptz,
+        "email_verification_token" varchar,
+        "admin_approved_at" timestamptz,
+        "is_active" boolean NOT NULL DEFAULT true,
+        "created_at" timestamptz NOT NULL DEFAULT now(),
+        CONSTRAINT "FK_security_user_user_id" FOREIGN KEY ("user_id") REFERENCES ${userTableRef} ("id") ON DELETE CASCADE
+      )
+    `);
+        await queryRunner.query(`CREATE UNIQUE INDEX IF NOT EXISTS "IDX_security_user_email_verification_token" ON "security_user" ("email_verification_token") WHERE "email_verification_token" IS NOT NULL`);
+    }
+    async down(queryRunner) {
+        await queryRunner.query(`DROP INDEX IF EXISTS "IDX_security_user_email_verification_token"`);
+        await queryRunner.query(`DROP TABLE IF EXISTS "security_user"`);
+    }
+}
+exports.CreateSecurityUser1739530000000 = CreateSecurityUser1739530000000;
+const getSafeIdentifier = (value, fallback) => {
+    const resolved = value?.trim() || fallback;
+    if (!resolved || !/^[A-Za-z_][A-Za-z0-9_]*$/.test(resolved)) {
+        throw new Error(`Invalid SQL identifier: ${resolved}`);
+    }
+    return resolved;
+};
+const getUserTableReference = () => {
+    const table = getSafeIdentifier(process.env.USER_TABLE, "app_user");
+    const schema = process.env.USER_TABLE_SCHEMA
+        ? getSafeIdentifier(process.env.USER_TABLE_SCHEMA, "public")
+        : "public";
+    return `"${schema}"."${table}"`;
+};

package/dist/api/migrations/index.d.ts

@@ -1,7 +1,8 @@
 import { AddRefreshTokens1700000000001 } from "./1700000000001-add-refresh-tokens";
-import { AddGoogleSubjectToUser1739490000000 } from "./1739490000000-add-google-subject-to-user";
 import { CreateSecurityIdentity1739500000000 } from "./1739500000000-create-security-identity";
 import { CreateSecurityRoles1739510000000 } from "./1739510000000-create-security-roles";
+import { CreateSecurityUserRoles1739515000000 } from "./1739515000000-create-security-user-roles";
 import { CreatePasswordResetTokens1739520000000 } from "./1739520000000-create-password-reset-tokens";
+import { CreateSecurityUser1739530000000 } from "./1739530000000-create-security-user";
 export declare const securityMigrations: (typeof AddRefreshTokens1700000000001)[];
-export { AddRefreshTokens1700000000001, AddGoogleSubjectToUser1739490000000, CreateSecurityIdentity1739500000000, CreateSecurityRoles1739510000000, CreatePasswordResetTokens1739520000000, };
+export { AddRefreshTokens1700000000001, CreateSecurityIdentity1739500000000, CreateSecurityRoles1739510000000, CreateSecurityUserRoles1739515000000, CreatePasswordResetTokens1739520000000, CreateSecurityUser1739530000000, };

package/dist/api/migrations/index.js

@@ -1,20 +1,23 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.CreatePasswordResetTokens1739520000000 = exports.CreateSecurityRoles1739510000000 = exports.CreateSecurityIdentity1739500000000 = exports.AddGoogleSubjectToUser1739490000000 = exports.AddRefreshTokens1700000000001 = exports.securityMigrations = void 0;
+exports.CreateSecurityUser1739530000000 = exports.CreatePasswordResetTokens1739520000000 = exports.CreateSecurityUserRoles1739515000000 = exports.CreateSecurityRoles1739510000000 = exports.CreateSecurityIdentity1739500000000 = exports.AddRefreshTokens1700000000001 = exports.securityMigrations = void 0;
 const _1700000000001_add_refresh_tokens_1 = require("./1700000000001-add-refresh-tokens");
 Object.defineProperty(exports, "AddRefreshTokens1700000000001", { enumerable: true, get: function () { return _1700000000001_add_refresh_tokens_1.AddRefreshTokens1700000000001; } });
-const _1739490000000_add_google_subject_to_user_1 = require("./1739490000000-add-google-subject-to-user");
-Object.defineProperty(exports, "AddGoogleSubjectToUser1739490000000", { enumerable: true, get: function () { return _1739490000000_add_google_subject_to_user_1.AddGoogleSubjectToUser1739490000000; } });
 const _1739500000000_create_security_identity_1 = require("./1739500000000-create-security-identity");
 Object.defineProperty(exports, "CreateSecurityIdentity1739500000000", { enumerable: true, get: function () { return _1739500000000_create_security_identity_1.CreateSecurityIdentity1739500000000; } });
 const _1739510000000_create_security_roles_1 = require("./1739510000000-create-security-roles");
 Object.defineProperty(exports, "CreateSecurityRoles1739510000000", { enumerable: true, get: function () { return _1739510000000_create_security_roles_1.CreateSecurityRoles1739510000000; } });
+const _1739515000000_create_security_user_roles_1 = require("./1739515000000-create-security-user-roles");
+Object.defineProperty(exports, "CreateSecurityUserRoles1739515000000", { enumerable: true, get: function () { return _1739515000000_create_security_user_roles_1.CreateSecurityUserRoles1739515000000; } });
 const _1739520000000_create_password_reset_tokens_1 = require("./1739520000000-create-password-reset-tokens");
 Object.defineProperty(exports, "CreatePasswordResetTokens1739520000000", { enumerable: true, get: function () { return _1739520000000_create_password_reset_tokens_1.CreatePasswordResetTokens1739520000000; } });
+const _1739530000000_create_security_user_1 = require("./1739530000000-create-security-user");
+Object.defineProperty(exports, "CreateSecurityUser1739530000000", { enumerable: true, get: function () { return _1739530000000_create_security_user_1.CreateSecurityUser1739530000000; } });
 exports.securityMigrations = [
     _1700000000001_add_refresh_tokens_1.AddRefreshTokens1700000000001,
-    _1739490000000_add_google_subject_to_user_1.AddGoogleSubjectToUser1739490000000,
     _1739500000000_create_security_identity_1.CreateSecurityIdentity1739500000000,
     _1739510000000_create_security_roles_1.CreateSecurityRoles1739510000000,
+    _1739515000000_create_security_user_roles_1.CreateSecurityUserRoles1739515000000,
     _1739520000000_create_password_reset_tokens_1.CreatePasswordResetTokens1739520000000,
+    _1739530000000_create_security_user_1.CreateSecurityUser1739530000000,
 ];

package/dist/api/migrations/migrations.test.js

@@ -2,10 +2,11 @@
 Object.defineProperty(exports, "__esModule", { value: true });
 const vitest_1 = require("vitest");
 const _1700000000001_add_refresh_tokens_1 = require("./1700000000001-add-refresh-tokens");
-const _1739490000000_add_google_subject_to_user_1 = require("./1739490000000-add-google-subject-to-user");
 const _1739500000000_create_security_identity_1 = require("./1739500000000-create-security-identity");
 const _1739510000000_create_security_roles_1 = require("./1739510000000-create-security-roles");
+const _1739515000000_create_security_user_roles_1 = require("./1739515000000-create-security-user-roles");
 const _1739520000000_create_password_reset_tokens_1 = require("./1739520000000-create-password-reset-tokens");
+const _1739530000000_create_security_user_1 = require("./1739530000000-create-security-user");
 const index_1 = require("./index");
 const originalEnv = { ...process.env };
 (0, vitest_1.afterEach)(() => {
@@ -14,10 +15,17 @@ const originalEnv = { ...process.env };
 });
 (0, vitest_1.describe)("security migrations", () => {
     (0, vitest_1.it)("exports migration list", () => {
-        (0, vitest_1.expect)(index_1.securityMigrations.length).toBe(5);
-        (0, vitest_1.expect)(index_1.securityMigrations[0]).toBe(_1700000000001_add_refresh_tokens_1.AddRefreshTokens1700000000001);
+        (0, vitest_1.expect)(index_1.securityMigrations.length).toBe(6);
+        (0, vitest_1.expect)(index_1.securityMigrations).toEqual([
+            _1700000000001_add_refresh_tokens_1.AddRefreshTokens1700000000001,
+            _1739500000000_create_security_identity_1.CreateSecurityIdentity1739500000000,
+            _1739510000000_create_security_roles_1.CreateSecurityRoles1739510000000,
+            _1739515000000_create_security_user_roles_1.CreateSecurityUserRoles1739515000000,
+            _1739520000000_create_password_reset_tokens_1.CreatePasswordResetTokens1739520000000,
+            _1739530000000_create_security_user_1.CreateSecurityUser1739530000000,
+        ]);
     });
-    (0, vitest_1.it)("runs add refresh tokens migration up/down", async () => {
+    (0, vitest_1.it)("runs refresh token migration up/down", async () => {
         const query = vitest_1.vi.fn().mockResolvedValue(undefined);
         const migration = new _1700000000001_add_refresh_tokens_1.AddRefreshTokens1700000000001();
         await migration.up({ query });
@@ -25,93 +33,29 @@ const originalEnv = { ...process.env };
         (0, vitest_1.expect)(query).toHaveBeenCalledWith(vitest_1.expect.stringContaining('CREATE TABLE "refresh_token"'));
         (0, vitest_1.expect)(query).toHaveBeenCalledWith(vitest_1.expect.stringContaining('DROP TABLE "refresh_token"'));
     });
-    (0, vitest_1.it)("uses schema/table env in refresh token migration", async () => {
-        process.env.USER_TABLE = "users";
-        process.env.USER_TABLE_SCHEMA = "security";
-        const query = vitest_1.vi.fn().mockResolvedValue(undefined);
-        await new _1700000000001_add_refresh_tokens_1.AddRefreshTokens1700000000001().up({ query });
-        (0, vitest_1.expect)(query).toHaveBeenCalledWith(vitest_1.expect.stringContaining('REFERENCES "security"."users" ("id")'));
-    });
-    (0, vitest_1.it)("throws for invalid identifiers in refresh token migration", async () => {
-        process.env.USER_TABLE = "bad-name;drop";
+    (0, vitest_1.it)("runs security identity migration up/down", async () => {
         const query = vitest_1.vi.fn().mockResolvedValue(undefined);
-        await (0, vitest_1.expect)(new _1700000000001_add_refresh_tokens_1.AddRefreshTokens1700000000001().up({ query })).rejects.toThrow("Invalid SQL identifier");
-    });
-    (0, vitest_1.it)("keeps legacy google subject migration as no-op", async () => {
-        const migration = new _1739490000000_add_google_subject_to_user_1.AddGoogleSubjectToUser1739490000000();
-        await (0, vitest_1.expect)(migration.up()).resolves.toBeUndefined();
-        await (0, vitest_1.expect)(migration.down()).resolves.toBeUndefined();
-    });
-    (0, vitest_1.it)("runs security identity migration path with google_subject present", async () => {
-        const query = vitest_1.vi
-            .fn()
-            .mockResolvedValueOnce(undefined)
-            .mockResolvedValueOnce(undefined)
-            .mockResolvedValueOnce(undefined)
-            .mockResolvedValueOnce(undefined)
-            .mockResolvedValueOnce([{ "?column?": 1 }])
-            .mockResolvedValueOnce(undefined)
-            .mockResolvedValueOnce(undefined)
-            .mockResolvedValueOnce(undefined);
         const migration = new _1739500000000_create_security_identity_1.CreateSecurityIdentity1739500000000();
         await migration.up({ query });
         await migration.down({ query });
         (0, vitest_1.expect)(query).toHaveBeenCalledWith(vitest_1.expect.stringContaining('CREATE TABLE IF NOT EXISTS "security_identity"'));
         (0, vitest_1.expect)(query).toHaveBeenCalledWith(vitest_1.expect.stringContaining('DROP TABLE IF EXISTS "security_identity"'));
     });
-    (0, vitest_1.it)("skips google_subject migration block when column absent", async () => {
-        const query = vitest_1.vi
-            .fn()
-            .mockResolvedValueOnce(undefined)
-            .mockResolvedValueOnce(undefined)
-            .mockResolvedValueOnce(undefined)
-            .mockResolvedValueOnce(undefined)
-            .mockResolvedValueOnce([]);
-        await new _1739500000000_create_security_identity_1.CreateSecurityIdentity1739500000000().up({ query });
-        (0, vitest_1.expect)(query).not.toHaveBeenCalledWith(vitest_1.expect.stringContaining('DROP COLUMN IF EXISTS "google_subject"'));
-    });
-    (0, vitest_1.it)("throws for invalid identifiers in identity migration", async () => {
-        process.env.USER_TABLE_SCHEMA = "bad-schema!";
+    (0, vitest_1.it)("runs security role migration up/down", async () => {
         const query = vitest_1.vi.fn().mockResolvedValue(undefined);
-        await (0, vitest_1.expect)(new _1739500000000_create_security_identity_1.CreateSecurityIdentity1739500000000().up({ query })).rejects.toThrow("Invalid SQL identifier");
-    });
-    (0, vitest_1.it)("runs security roles migration path with legacy role column", async () => {
-        const query = vitest_1.vi
-            .fn()
-            .mockResolvedValueOnce(undefined)
-            .mockResolvedValueOnce(undefined)
-            .mockResolvedValueOnce(undefined)
-            .mockResolvedValueOnce(undefined)
-            .mockResolvedValueOnce(undefined)
-            .mockResolvedValueOnce(undefined)
-            .mockResolvedValueOnce([{ "?column?": 1 }])
-            .mockResolvedValueOnce(undefined)
-            .mockResolvedValueOnce(undefined)
-            .mockResolvedValueOnce(undefined);
         const migration = new _1739510000000_create_security_roles_1.CreateSecurityRoles1739510000000();
         await migration.up({ query });
         await migration.down({ query });
         (0, vitest_1.expect)(query).toHaveBeenCalledWith(vitest_1.expect.stringContaining('CREATE TABLE IF NOT EXISTS "security_role"'));
-        (0, vitest_1.expect)(query).toHaveBeenCalledWith(vitest_1.expect.stringContaining('CREATE TABLE IF NOT EXISTS "security_user_role"'));
-        (0, vitest_1.expect)(query).toHaveBeenCalledWith(vitest_1.expect.stringContaining('DROP TABLE IF EXISTS "security_user_role"'));
-    });
-    (0, vitest_1.it)("skips legacy role backfill when role column absent", async () => {
-        const query = vitest_1.vi
-            .fn()
-            .mockResolvedValueOnce(undefined)
-            .mockResolvedValueOnce(undefined)
-            .mockResolvedValueOnce(undefined)
-            .mockResolvedValueOnce(undefined)
-            .mockResolvedValueOnce(undefined)
-            .mockResolvedValueOnce(undefined)
-            .mockResolvedValueOnce([]);
-        await new _1739510000000_create_security_roles_1.CreateSecurityRoles1739510000000().up({ query });
-        (0, vitest_1.expect)(query).not.toHaveBeenCalledWith(vitest_1.expect.stringContaining('DROP COLUMN IF EXISTS "role"'));
+        (0, vitest_1.expect)(query).toHaveBeenCalledWith(vitest_1.expect.stringContaining('DROP TABLE IF EXISTS "security_role"'));
     });
-    (0, vitest_1.it)("throws for invalid identifiers in roles migration", async () => {
-        process.env.USER_TABLE = "bad-name*";
+    (0, vitest_1.it)("runs security user role migration up/down", async () => {
         const query = vitest_1.vi.fn().mockResolvedValue(undefined);
-        await (0, vitest_1.expect)(new _1739510000000_create_security_roles_1.CreateSecurityRoles1739510000000().up({ query })).rejects.toThrow("Invalid SQL identifier");
+        const migration = new _1739515000000_create_security_user_roles_1.CreateSecurityUserRoles1739515000000();
+        await migration.up({ query });
+        await migration.down({ query });
+        (0, vitest_1.expect)(query).toHaveBeenCalledWith(vitest_1.expect.stringContaining('CREATE TABLE IF NOT EXISTS "security_user_role"'));
+        (0, vitest_1.expect)(query).toHaveBeenCalledWith(vitest_1.expect.stringContaining('DROP TABLE IF EXISTS "security_user_role"'));
     });
     (0, vitest_1.it)("runs password reset token migration up/down", async () => {
         const query = vitest_1.vi.fn().mockResolvedValue(undefined);
@@ -121,14 +65,24 @@ const originalEnv = { ...process.env };
         (0, vitest_1.expect)(query).toHaveBeenCalledWith(vitest_1.expect.stringContaining('CREATE TABLE IF NOT EXISTS "security_password_reset_token"'));
         (0, vitest_1.expect)(query).toHaveBeenCalledWith(vitest_1.expect.stringContaining('DROP TABLE IF EXISTS "security_password_reset_token"'));
     });
-    (0, vitest_1.it)("uses default public schema in password reset migration", async () => {
+    (0, vitest_1.it)("runs security user migration up/down", async () => {
         const query = vitest_1.vi.fn().mockResolvedValue(undefined);
-        await new _1739520000000_create_password_reset_tokens_1.CreatePasswordResetTokens1739520000000().up({ query });
-        (0, vitest_1.expect)(query).toHaveBeenCalledWith(vitest_1.expect.stringContaining('REFERENCES "public"."app_user" ("id")'));
+        const migration = new _1739530000000_create_security_user_1.CreateSecurityUser1739530000000();
+        await migration.up({ query });
+        await migration.down({ query });
+        (0, vitest_1.expect)(query).toHaveBeenCalledWith(vitest_1.expect.stringContaining('CREATE TABLE IF NOT EXISTS "security_user"'));
+        (0, vitest_1.expect)(query).toHaveBeenCalledWith(vitest_1.expect.stringContaining('DROP TABLE IF EXISTS "security_user"'));
+    });
+    (0, vitest_1.it)("uses user schema/table env safely", async () => {
+        process.env.USER_TABLE = "users";
+        process.env.USER_TABLE_SCHEMA = "security";
+        const query = vitest_1.vi.fn().mockResolvedValue(undefined);
+        await new _1739530000000_create_security_user_1.CreateSecurityUser1739530000000().up({ query });
+        (0, vitest_1.expect)(query).toHaveBeenCalledWith(vitest_1.expect.stringContaining('REFERENCES "security"."users" ("id")'));
     });
-    (0, vitest_1.it)("throws for invalid identifiers in password reset migration", async () => {
-        process.env.USER_TABLE_SCHEMA = "bad.schema";
+    (0, vitest_1.it)("throws for invalid identifiers", async () => {
+        process.env.USER_TABLE = "bad-name!";
         const query = vitest_1.vi.fn().mockResolvedValue(undefined);
-        await (0, vitest_1.expect)(new _1739520000000_create_password_reset_tokens_1.CreatePasswordResetTokens1739520000000().up({ query })).rejects.toThrow("Invalid SQL identifier");
+        await (0, vitest_1.expect)(new _1739515000000_create_security_user_roles_1.CreateSecurityUserRoles1739515000000().up({ query })).rejects.toThrow("Invalid SQL identifier");
     });
 });

package/dist/api/notification-workflows.d.ts

@@ -1,8 +1,6 @@
 export type VerificationNotificationUser = {
     id: string;
     email: string;
-    firstName?: string | null;
-    lastName?: string | null;
 };
 export declare const notifyAdminsOnEmailVerified: (params: {
     user: VerificationNotificationUser;
@@ -22,11 +20,9 @@ export declare const notifyUserOnAdminApproval: (params: {
     approved: boolean;
     user: {
         email: string;
-        firstName?: string | null;
     };
     notifyUser: (payload: {
         email: string;
-        firstName?: string | null;
     }) => Promise<void>;
 }) => Promise<{
     notified: false;

package/dist/api/notification-workflows.js

@@ -16,7 +16,6 @@ const notifyUserOnAdminApproval = async (params) => {
     }
     await params.notifyUser({
         email: params.user.email,
-        firstName: params.user.firstName,
     });
     return { notified: true };
 };

package/dist/api/notification-workflows.test.js

@@ -12,8 +12,6 @@ const notification_workflows_1 = require("./notification-workflows");
             user: {
                 id: "user-1",
                 email: "user@example.com",
-                firstName: "User",
-                lastName: "One",
             },
             listAdminEmails,
             notifyAdmins,
@@ -44,13 +42,12 @@ const notification_workflows_1 = require("./notification-workflows");
         const notifyUser = vitest_1.vi.fn().mockResolvedValue(undefined);
         const result = await (0, notification_workflows_1.notifyUserOnAdminApproval)({
             approved: true,
-            user: { email: "user@example.com", firstName: "User" },
+            user: { email: "user@example.com" },
             notifyUser,
         });
         (0, vitest_1.expect)(result).toEqual({ notified: true });
         (0, vitest_1.expect)(notifyUser).toHaveBeenCalledWith({
             email: "user@example.com",
-            firstName: "User",
         });
     });
     (0, vitest_1.it)("skips user notification when approval is false", async () => {