npm - @scryan7371/sdr-security - Versions diffs - 0.1.2 → 0.1.4 - Mend

@scryan7371/sdr-security 0.1.2 → 0.1.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (83) hide show

package/dist/nest/security-workflows.service.js CHANGED Viewed

@@ -16,26 +16,30 @@ exports.SecurityWorkflowsService = void 0;
 const common_1 = require("@nestjs/common");
 const typeorm_1 = require("@nestjs/typeorm");
 const typeorm_2 = require("typeorm");
+const uuid_1 = require("uuid");
 const contracts_1 = require("../api/contracts");
 const roles_1 = require("../api/roles");
 const app_user_entity_1 = require("./entities/app-user.entity");
 const security_role_entity_1 = require("./entities/security-role.entity");
+const security_user_entity_1 = require("./entities/security-user.entity");
 const security_user_role_entity_1 = require("./entities/security-user-role.entity");
 const tokens_1 = require("./tokens");
 let SecurityWorkflowsService = class SecurityWorkflowsService {
-    usersRepo;
+    appUsersRepo;
+    securityUsersRepo;
     rolesRepo;
     userRolesRepo;
     notifier;
-    constructor(usersRepo, rolesRepo, userRolesRepo, notifier) {
-        this.usersRepo = usersRepo;
+    constructor(appUsersRepo, securityUsersRepo, rolesRepo, userRolesRepo, notifier) {
+        this.appUsersRepo = appUsersRepo;
+        this.securityUsersRepo = securityUsersRepo;
         this.rolesRepo = rolesRepo;
         this.userRolesRepo = userRolesRepo;
         this.notifier = notifier;
     }
     async markEmailVerifiedAndNotifyAdmins(userId) {
-        await this.usersRepo.update({ id: userId }, { emailVerifiedAt: new Date(), emailVerificationToken: null });
-        const user = await this.usersRepo.findOne({ where: { id: userId } });
+        await this.securityUsersRepo.update({ userId }, { emailVerifiedAt: new Date(), emailVerificationToken: null });
+        const user = await this.appUsersRepo.findOne({ where: { id: userId } });
         if (!user) {
             throw new common_1.NotFoundException("User not found");
         }
@@ -48,15 +52,13 @@ let SecurityWorkflowsService = class SecurityWorkflowsService {
             user: {
                 id: user.id,
                 email: user.email,
-                firstName: user.firstName,
-                lastName: user.lastName,
             },
         });
         return { success: true, notified: true, adminEmails };
     }
     async setAdminApprovalAndNotifyUser(userId, approved) {
-        await this.usersRepo.update({ id: userId }, { adminApprovedAt: approved ? new Date() : null });
-        const user = await this.usersRepo.findOne({ where: { id: userId } });
+        await this.securityUsersRepo.update({ userId }, { adminApprovedAt: approved ? new Date() : null });
+        const user = await this.appUsersRepo.findOne({ where: { id: userId } });
         if (!user) {
             throw new common_1.NotFoundException("User not found");
         }
@@ -65,7 +67,6 @@ let SecurityWorkflowsService = class SecurityWorkflowsService {
         }
         await this.notifier.sendUserAccountApproved({
             email: user.email,
-            firstName: user.firstName,
         });
         return { success: true, notified: true };
     }
@@ -74,8 +75,9 @@ let SecurityWorkflowsService = class SecurityWorkflowsService {
             .createQueryBuilder("userRole")
             .innerJoin("security_role", "role", "role.id = userRole.role_id")
             .innerJoin("app_user", "user", "user.id = userRole.user_id")
+            .innerJoin("security_user", "securityUser", "securityUser.user_id = userRole.user_id")
             .where("role.role_key = :roleKey", { roleKey: contracts_1.ADMIN_ROLE })
-            .andWhere("user.is_active = :isActive", { isActive: true })
+            .andWhere("securityUser.is_active = :isActive", { isActive: true })
             .select("DISTINCT user.email", "email")
             .getRawMany();
         return rows.map((row) => row.email).filter(Boolean);
@@ -93,6 +95,7 @@ let SecurityWorkflowsService = class SecurityWorkflowsService {
         let role = await this.rolesRepo.findOne({ where: { roleKey } });
         if (!role) {
             role = this.rolesRepo.create({
+                id: (0, uuid_1.v7)(),
                 roleKey,
                 description: description?.trim() || null,
                 isSystem: roleKey === contracts_1.ADMIN_ROLE,
@@ -138,6 +141,7 @@ let SecurityWorkflowsService = class SecurityWorkflowsService {
         await this.userRolesRepo.delete({ userId });
         if (roles.length > 0) {
             await this.userRolesRepo.save(roles.map((role) => this.userRolesRepo.create({
+                id: (0, uuid_1.v7)(),
                 userId,
                 roleId: role.id,
             })));
@@ -158,11 +162,11 @@ let SecurityWorkflowsService = class SecurityWorkflowsService {
         return this.setUserRoles(userId, nextRoles);
     }
     async setUserActive(userId, active) {
-        await this.usersRepo.update({ id: userId }, { isActive: active });
+        await this.securityUsersRepo.update({ userId }, { isActive: active });
         return { success: true, userId, active };
     }
     async assertUserExists(userId) {
-        const user = await this.usersRepo.findOne({ where: { id: userId } });
+        const user = await this.appUsersRepo.findOne({ where: { id: userId } });
         if (!user) {
             throw new common_1.NotFoundException("User not found");
         }
@@ -181,6 +185,7 @@ let SecurityWorkflowsService = class SecurityWorkflowsService {
             return;
         }
         await this.rolesRepo.save(missing.map((roleKey) => this.rolesRepo.create({
+            id: (0, uuid_1.v7)(),
             roleKey,
             description: null,
             isSystem: roleKey === contracts_1.ADMIN_ROLE,
@@ -191,10 +196,12 @@ exports.SecurityWorkflowsService = SecurityWorkflowsService;
 exports.SecurityWorkflowsService = SecurityWorkflowsService = __decorate([
     (0, common_1.Injectable)(),
     __param(0, (0, typeorm_1.InjectRepository)(app_user_entity_1.AppUserEntity)),
-    __param(1, (0, typeorm_1.InjectRepository)(security_role_entity_1.SecurityRoleEntity)),
-    __param(2, (0, typeorm_1.InjectRepository)(security_user_role_entity_1.SecurityUserRoleEntity)),
-    __param(3, (0, common_1.Inject)(tokens_1.SECURITY_WORKFLOW_NOTIFIER)),
+    __param(1, (0, typeorm_1.InjectRepository)(security_user_entity_1.SecurityUserEntity)),
+    __param(2, (0, typeorm_1.InjectRepository)(security_role_entity_1.SecurityRoleEntity)),
+    __param(3, (0, typeorm_1.InjectRepository)(security_user_role_entity_1.SecurityUserRoleEntity)),
+    __param(4, (0, common_1.Inject)(tokens_1.SECURITY_WORKFLOW_NOTIFIER)),
     __metadata("design:paramtypes", [typeorm_2.Repository,
+        typeorm_2.Repository,
         typeorm_2.Repository,
         typeorm_2.Repository, Object])
 ], SecurityWorkflowsService);

package/dist/nest/security-workflows.service.test.js CHANGED Viewed

@@ -19,25 +19,31 @@ const makeNotifier = () => ({
 const makeUser = () => ({
     id: "user-1",
     email: "user@example.com",
-    firstName: "A",
-    lastName: "B",
     isActive: true,
 });
 const setup = () => {
-    const usersRepo = makeRepo();
+    const appUsersRepo = makeRepo();
+    const securityUsersRepo = makeRepo();
     const rolesRepo = makeRepo();
     const userRolesRepo = makeRepo();
     const notifier = makeNotifier();
-    const service = new security_workflows_service_1.SecurityWorkflowsService(usersRepo, rolesRepo, userRolesRepo, notifier);
-    return { service, usersRepo, rolesRepo, userRolesRepo, notifier };
+    const service = new security_workflows_service_1.SecurityWorkflowsService(appUsersRepo, securityUsersRepo, rolesRepo, userRolesRepo, notifier);
+    return {
+        service,
+        appUsersRepo,
+        securityUsersRepo,
+        rolesRepo,
+        userRolesRepo,
+        notifier,
+    };
 };
 (0, vitest_1.describe)("SecurityWorkflowsService", () => {
     (0, vitest_1.beforeEach)(() => {
         vitest_1.vi.clearAllMocks();
     });
     (0, vitest_1.it)("marks email verified and notifies admins", async () => {
-        const { service, usersRepo, userRolesRepo, notifier } = setup();
-        usersRepo.findOne.mockResolvedValue(makeUser());
+        const { service, appUsersRepo, userRolesRepo, notifier } = setup();
+        appUsersRepo.findOne.mockResolvedValue(makeUser());
         const getRawMany = vitest_1.vi
             .fn()
             .mockResolvedValue([{ email: "admin@example.com" }]);
@@ -58,8 +64,8 @@ const setup = () => {
         (0, vitest_1.expect)(notifier.sendAdminsUserEmailVerified).toHaveBeenCalled();
     });
     (0, vitest_1.it)("returns not-notified when no admins are present", async () => {
-        const { service, usersRepo, userRolesRepo } = setup();
-        usersRepo.findOne.mockResolvedValue(makeUser());
+        const { service, appUsersRepo, userRolesRepo } = setup();
+        appUsersRepo.findOne.mockResolvedValue(makeUser());
         const qb = {
             innerJoin: vitest_1.vi.fn().mockReturnThis(),
             where: vitest_1.vi.fn().mockReturnThis(),
@@ -71,23 +77,22 @@ const setup = () => {
         await (0, vitest_1.expect)(service.markEmailVerifiedAndNotifyAdmins("user-1")).resolves.toEqual({ success: true, notified: false, adminEmails: [] });
     });
     (0, vitest_1.it)("throws when user is missing during verification flow", async () => {
-        const { service, usersRepo } = setup();
-        usersRepo.findOne.mockResolvedValue(null);
+        const { service, appUsersRepo } = setup();
+        appUsersRepo.findOne.mockResolvedValue(null);
         await (0, vitest_1.expect)(service.markEmailVerifiedAndNotifyAdmins("missing")).rejects.toBeInstanceOf(common_1.NotFoundException);
     });
     (0, vitest_1.it)("handles admin approval notifications", async () => {
-        const { service, usersRepo, notifier } = setup();
-        usersRepo.findOne.mockResolvedValue(makeUser());
+        const { service, appUsersRepo, notifier } = setup();
+        appUsersRepo.findOne.mockResolvedValue(makeUser());
         await (0, vitest_1.expect)(service.setAdminApprovalAndNotifyUser("user-1", false)).resolves.toEqual({ success: true, notified: false });
         await (0, vitest_1.expect)(service.setAdminApprovalAndNotifyUser("user-1", true)).resolves.toEqual({ success: true, notified: true });
         (0, vitest_1.expect)(notifier.sendUserAccountApproved).toHaveBeenCalledWith({
             email: "user@example.com",
-            firstName: "A",
         });
     });
     (0, vitest_1.it)("throws when approval target user is missing", async () => {
-        const { service, usersRepo } = setup();
-        usersRepo.findOne.mockResolvedValue(null);
+        const { service, appUsersRepo } = setup();
+        appUsersRepo.findOne.mockResolvedValue(null);
         await (0, vitest_1.expect)(service.setAdminApprovalAndNotifyUser("missing", true)).rejects.toBeInstanceOf(common_1.NotFoundException);
     });
     (0, vitest_1.it)("manages role catalog and protected role removal", async () => {
@@ -125,8 +130,8 @@ const setup = () => {
         (0, vitest_1.expect)(userRolesRepo.delete).toHaveBeenCalledWith({ roleId: "r2" });
     });
     (0, vitest_1.it)("gets and sets user roles", async () => {
-        const { service, usersRepo, userRolesRepo, rolesRepo } = setup();
-        usersRepo.findOne.mockResolvedValue(makeUser());
+        const { service, appUsersRepo, userRolesRepo, rolesRepo } = setup();
+        appUsersRepo.findOne.mockResolvedValue(makeUser());
         userRolesRepo.find.mockResolvedValue([{ roleId: "r1" }]);
         rolesRepo.find.mockResolvedValue([{ id: "r1", roleKey: "ADMIN" }]);
         await (0, vitest_1.expect)(service.getUserRoles("user-1")).resolves.toEqual({
@@ -143,8 +148,8 @@ const setup = () => {
         (0, vitest_1.expect)(userRolesRepo.save).toHaveBeenCalled();
     });
     (0, vitest_1.it)("assigns and removes role from user", async () => {
-        const { service, usersRepo, userRolesRepo, rolesRepo } = setup();
-        usersRepo.findOne.mockResolvedValue(makeUser());
+        const { service, appUsersRepo, userRolesRepo, rolesRepo } = setup();
+        appUsersRepo.findOne.mockResolvedValue(makeUser());
         userRolesRepo.find.mockResolvedValue([]);
         rolesRepo.find.mockResolvedValue([]);
         await service.assignRoleToUser("user-1", "coach");
@@ -156,17 +161,17 @@ const setup = () => {
         (0, vitest_1.expect)(userRolesRepo.delete).toHaveBeenCalledWith({ userId: "user-1" });
     });
     (0, vitest_1.it)("sets user active state", async () => {
-        const { service, usersRepo } = setup();
+        const { service, securityUsersRepo } = setup();
         await (0, vitest_1.expect)(service.setUserActive("user-1", false)).resolves.toEqual({
             success: true,
             userId: "user-1",
             active: false,
         });
-        (0, vitest_1.expect)(usersRepo.update).toHaveBeenCalledWith({ id: "user-1" }, { isActive: false });
+        (0, vitest_1.expect)(securityUsersRepo.update).toHaveBeenCalledWith({ userId: "user-1" }, { isActive: false });
     });
     (0, vitest_1.it)("throws when role operations target missing user", async () => {
-        const { service, usersRepo } = setup();
-        usersRepo.findOne.mockResolvedValue(null);
+        const { service, appUsersRepo } = setup();
+        appUsersRepo.findOne.mockResolvedValue(null);
         await (0, vitest_1.expect)(service.getUserRoles("missing")).rejects.toBeInstanceOf(common_1.NotFoundException);
         await (0, vitest_1.expect)(service.setUserRoles("missing", ["ADMIN"])).rejects.toBeInstanceOf(common_1.NotFoundException);
     });

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@scryan7371/sdr-security",
-  "version": "0.1.2",
+  "version": "0.1.4",
   "description": "Reusable auth/security capability for API and app clients.",
   "main": "dist/index.js",
   "exports": {
@@ -34,7 +34,8 @@
   "dependencies": {
     "@babel/runtime": "7.28.6",
     "bcryptjs": "3.0.3",
-    "jsonwebtoken": "9.0.3"
+    "jsonwebtoken": "9.0.3",
+    "uuid": "11.1.0"
   },
   "peerDependencies": {
     "@nestjs/common": "^11.0.0",
@@ -62,10 +63,10 @@
     "@nestjs/typeorm": "11.0.0",
     "@types/jsonwebtoken": "9.0.10",
     "@types/node": "^25.2.3",
-    "@types/pg": "8.15.5",
+    "@types/pg": "8.16.0",
     "@vitest/coverage-v8": "^4.0.18",
     "eslint": "9.18.0",
-    "pg": "8.16.3",
+    "pg": "8.18.0",
     "prettier": "3.8.1",
     "typeorm": "0.3.28",
     "typescript": "5.9.3",

package/src/api/contracts.ts CHANGED Viewed

@@ -4,8 +4,6 @@ export type UserRole = string;
 export type SafeUser = {
   id: string;
   email: string;
-  firstName: string | null;
-  lastName: string | null;
   phone: string | null;
   roles: UserRole[];
   emailVerifiedAt: string | Date | null;

package/src/api/migrations/1700000000001-add-refresh-tokens.ts CHANGED Viewed

@@ -8,12 +8,14 @@ export class AddRefreshTokens1700000000001 {
     await queryRunner.query(`
       CREATE TABLE "refresh_token" (
-        "id" varchar PRIMARY KEY NOT NULL,
+        "id" uuid PRIMARY KEY NOT NULL DEFAULT uuidv7(),
         "token_hash" varchar NOT NULL,
         "expires_at" timestamptz NOT NULL,
         "revoked_at" timestamptz,
-        "userId" varchar,
+        "userId" uuid,
         "created_at" timestamptz NOT NULL DEFAULT (CURRENT_TIMESTAMP),
+        CONSTRAINT "CHK_refresh_token_id_uuidv7" CHECK ("id"::text ~* '^[0-9a-f]{8}-[0-9a-f]{4}-7[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$'),
+        CONSTRAINT "CHK_refresh_token_userId_uuidv7" CHECK ("userId" IS NULL OR "userId"::text ~* '^[0-9a-f]{8}-[0-9a-f]{4}-7[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$'),
         CONSTRAINT "FK_refresh_token_user" FOREIGN KEY ("userId") REFERENCES ${userTableRef} ("id") ON DELETE CASCADE ON UPDATE NO ACTION
       )
     `);

package/src/api/migrations/1739500000000-create-security-identity.ts CHANGED Viewed

@@ -2,25 +2,20 @@ export class CreateSecurityIdentity1739500000000 {
   name = "CreateSecurityIdentity1739500000000";
   async up(queryRunner: {
-    query: (sql: string, params?: unknown[]) => Promise<unknown>;
+    query: (sql: string) => Promise<unknown>;
   }): Promise<void> {
-    const userTable = getSafeIdentifier(process.env.USER_TABLE, "app_user");
-    const userSchema = getSafeIdentifier(
-      process.env.USER_TABLE_SCHEMA,
-      "public",
-    );
-    const userTableRef = `"${userSchema}"."${userTable}"`;
-    await queryRunner.query(`CREATE EXTENSION IF NOT EXISTS "uuid-ossp"`);
+    const userTableRef = getUserTableReference();
     await queryRunner.query(`
       CREATE TABLE IF NOT EXISTS "security_identity" (
-        "id" uuid PRIMARY KEY NOT NULL DEFAULT uuid_generate_v4(),
-        "user_id" varchar NOT NULL,
+        "id" uuid PRIMARY KEY NOT NULL DEFAULT uuidv7(),
+        "user_id" uuid NOT NULL,
         "provider" varchar NOT NULL,
         "provider_subject" varchar NOT NULL,
         "created_at" timestamptz NOT NULL DEFAULT now(),
         "updated_at" timestamptz NOT NULL DEFAULT now(),
+        CONSTRAINT "CHK_security_identity_id_uuidv7" CHECK ("id"::text ~* '^[0-9a-f]{8}-[0-9a-f]{4}-7[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$'),
+        CONSTRAINT "CHK_security_identity_user_id_uuidv7" CHECK ("user_id"::text ~* '^[0-9a-f]{8}-[0-9a-f]{4}-7[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$'),
         CONSTRAINT "FK_security_identity_user_id" FOREIGN KEY ("user_id") REFERENCES ${userTableRef} ("id") ON DELETE CASCADE
       )
     `);
@@ -31,46 +26,6 @@ export class CreateSecurityIdentity1739500000000 {
     await queryRunner.query(
       `CREATE UNIQUE INDEX IF NOT EXISTS "IDX_security_identity_user_provider" ON "security_identity" ("user_id", "provider")`,
     );
-    const hasGoogleSubjectColumn = (await queryRunner.query(
-      `
-        SELECT 1
-        FROM information_schema.columns
-        WHERE table_schema = $1
-          AND table_name = $2
-          AND column_name = 'google_subject'
-        LIMIT 1
-      `,
-      [userSchema, userTable],
-    )) as Array<{ "?column?": number }>;
-    if (hasGoogleSubjectColumn.length > 0) {
-      await queryRunner.query(`
-        INSERT INTO "security_identity" (
-          "user_id",
-          "provider",
-          "provider_subject",
-          "created_at",
-          "updated_at"
-        )
-        SELECT
-          "id",
-          'google',
-          "google_subject",
-          now(),
-          now()
-        FROM ${userTableRef}
-        WHERE "google_subject" IS NOT NULL
-        ON CONFLICT ("provider", "provider_subject") DO NOTHING
-      `);
-      await queryRunner.query(
-        `DROP INDEX IF EXISTS "IDX_app_user_google_subject"`,
-      );
-      await queryRunner.query(
-        `ALTER TABLE ${userTableRef} DROP COLUMN IF EXISTS "google_subject"`,
-      );
-    }
   }
   async down(queryRunner: {
@@ -93,3 +48,11 @@ const getSafeIdentifier = (value: string | undefined, fallback: string) => {
   }
   return resolved;
 };
+const getUserTableReference = () => {
+  const table = getSafeIdentifier(process.env.USER_TABLE, "app_user");
+  const schema = process.env.USER_TABLE_SCHEMA
+    ? getSafeIdentifier(process.env.USER_TABLE_SCHEMA, "public")
+    : "public";
+  return `"${schema}"."${table}"`;
+};

package/src/api/migrations/1739510000000-create-security-roles.ts CHANGED Viewed

@@ -2,25 +2,17 @@ export class CreateSecurityRoles1739510000000 {
   name = "CreateSecurityRoles1739510000000";
   async up(queryRunner: {
-    query: (sql: string, params?: unknown[]) => Promise<unknown>;
+    query: (sql: string) => Promise<unknown>;
   }): Promise<void> {
-    const userTable = getSafeIdentifier(process.env.USER_TABLE, "app_user");
-    const userSchema = getSafeIdentifier(
-      process.env.USER_TABLE_SCHEMA,
-      "public",
-    );
-    const userTableRef = `"${userSchema}"."${userTable}"`;
-    await queryRunner.query(`CREATE EXTENSION IF NOT EXISTS "uuid-ossp"`);
     await queryRunner.query(`
       CREATE TABLE IF NOT EXISTS "security_role" (
-        "id" uuid PRIMARY KEY NOT NULL DEFAULT uuid_generate_v4(),
+        "id" uuid PRIMARY KEY NOT NULL DEFAULT uuidv7(),
         "role_key" varchar NOT NULL,
         "description" text,
         "is_system" boolean NOT NULL DEFAULT false,
         "created_at" timestamptz NOT NULL DEFAULT now(),
-        "updated_at" timestamptz NOT NULL DEFAULT now()
+        "updated_at" timestamptz NOT NULL DEFAULT now(),
+        CONSTRAINT "CHK_security_role_id_uuidv7" CHECK ("id"::text ~* '^[0-9a-f]{8}-[0-9a-f]{4}-7[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$')
       )
     `);
@@ -28,95 +20,17 @@ export class CreateSecurityRoles1739510000000 {
       `CREATE UNIQUE INDEX IF NOT EXISTS "IDX_security_role_key" ON "security_role" ("role_key")`,
     );
-    await queryRunner.query(`
-      CREATE TABLE IF NOT EXISTS "security_user_role" (
-        "id" uuid PRIMARY KEY NOT NULL DEFAULT uuid_generate_v4(),
-        "user_id" varchar NOT NULL,
-        "role_id" uuid NOT NULL,
-        "created_at" timestamptz NOT NULL DEFAULT now(),
-        CONSTRAINT "FK_security_user_role_user_id" FOREIGN KEY ("user_id") REFERENCES ${userTableRef} ("id") ON DELETE CASCADE,
-        CONSTRAINT "FK_security_user_role_role_id" FOREIGN KEY ("role_id") REFERENCES "security_role" ("id") ON DELETE CASCADE
-      )
-    `);
-    await queryRunner.query(
-      `CREATE UNIQUE INDEX IF NOT EXISTS "IDX_security_user_role_user_role" ON "security_user_role" ("user_id", "role_id")`,
-    );
     await queryRunner.query(`
       INSERT INTO "security_role" ("role_key", "description", "is_system", "created_at", "updated_at")
       VALUES ('ADMIN', 'Administrative access', true, now(), now())
       ON CONFLICT ("role_key") DO NOTHING
     `);
-    const hasRoleColumn = (await queryRunner.query(
-      `
-        SELECT 1
-        FROM information_schema.columns
-        WHERE table_schema = $1
-          AND table_name = $2
-          AND column_name = 'role'
-        LIMIT 1
-      `,
-      [userSchema, userTable],
-    )) as Array<{ "?column?": number }>;
-    if (hasRoleColumn.length > 0) {
-      await queryRunner.query(`
-        INSERT INTO "security_role" ("role_key", "description", "is_system", "created_at", "updated_at")
-        SELECT DISTINCT
-          CASE
-            WHEN UPPER(TRIM("role")) = 'ADMINISTRATOR' THEN 'ADMIN'
-            ELSE UPPER(TRIM("role"))
-          END AS "role_key",
-          NULL,
-          false,
-          now(),
-          now()
-        FROM ${userTableRef}
-        WHERE "role" IS NOT NULL
-          AND LENGTH(TRIM("role")) > 0
-        ON CONFLICT ("role_key") DO NOTHING
-      `);
-      await queryRunner.query(`
-        INSERT INTO "security_user_role" ("user_id", "role_id", "created_at")
-        SELECT
-          u."id" AS "user_id",
-          r."id" AS "role_id",
-          now()
-        FROM ${userTableRef} u
-        INNER JOIN "security_role" r ON r."role_key" = CASE
-          WHEN UPPER(TRIM(u."role")) = 'ADMINISTRATOR' THEN 'ADMIN'
-          ELSE UPPER(TRIM(u."role"))
-        END
-        WHERE u."role" IS NOT NULL
-          AND LENGTH(TRIM(u."role")) > 0
-        ON CONFLICT ("user_id", "role_id") DO NOTHING
-      `);
-      await queryRunner.query(
-        `ALTER TABLE ${userTableRef} DROP COLUMN IF EXISTS "role"`,
-      );
-    }
   }
   async down(queryRunner: {
     query: (sql: string) => Promise<unknown>;
   }): Promise<void> {
-    await queryRunner.query(
-      `DROP INDEX IF EXISTS "IDX_security_user_role_user_role"`,
-    );
-    await queryRunner.query(`DROP TABLE IF EXISTS "security_user_role"`);
     await queryRunner.query(`DROP INDEX IF EXISTS "IDX_security_role_key"`);
     await queryRunner.query(`DROP TABLE IF EXISTS "security_role"`);
   }
 }
-const getSafeIdentifier = (value: string | undefined, fallback: string) => {
-  const resolved = value?.trim() || fallback;
-  if (!resolved || !/^[A-Za-z_][A-Za-z0-9_]*$/.test(resolved)) {
-    throw new Error(`Invalid SQL identifier: ${resolved}`);
-  }
-  return resolved;
-};

package/src/api/migrations/1739515000000-create-security-user-roles.ts ADDED Viewed

@@ -0,0 +1,52 @@
+export class CreateSecurityUserRoles1739515000000 {
+  name = "CreateSecurityUserRoles1739515000000";
+  async up(queryRunner: {
+    query: (sql: string) => Promise<unknown>;
+  }): Promise<void> {
+    const userTableRef = getUserTableReference();
+    await queryRunner.query(`
+      CREATE TABLE IF NOT EXISTS "security_user_role" (
+        "id" uuid PRIMARY KEY NOT NULL DEFAULT uuidv7(),
+        "user_id" uuid NOT NULL,
+        "role_id" uuid NOT NULL,
+        "created_at" timestamptz NOT NULL DEFAULT now(),
+        CONSTRAINT "CHK_security_user_role_id_uuidv7" CHECK ("id"::text ~* '^[0-9a-f]{8}-[0-9a-f]{4}-7[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$'),
+        CONSTRAINT "CHK_security_user_role_user_id_uuidv7" CHECK ("user_id"::text ~* '^[0-9a-f]{8}-[0-9a-f]{4}-7[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$'),
+        CONSTRAINT "CHK_security_user_role_role_id_uuidv7" CHECK ("role_id"::text ~* '^[0-9a-f]{8}-[0-9a-f]{4}-7[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$'),
+        CONSTRAINT "FK_security_user_role_user_id" FOREIGN KEY ("user_id") REFERENCES ${userTableRef} ("id") ON DELETE CASCADE,
+        CONSTRAINT "FK_security_user_role_role_id" FOREIGN KEY ("role_id") REFERENCES "security_role" ("id") ON DELETE CASCADE
+      )
+    `);
+    await queryRunner.query(
+      `CREATE UNIQUE INDEX IF NOT EXISTS "IDX_security_user_role_user_role" ON "security_user_role" ("user_id", "role_id")`,
+    );
+  }
+  async down(queryRunner: {
+    query: (sql: string) => Promise<unknown>;
+  }): Promise<void> {
+    await queryRunner.query(
+      `DROP INDEX IF EXISTS "IDX_security_user_role_user_role"`,
+    );
+    await queryRunner.query(`DROP TABLE IF EXISTS "security_user_role"`);
+  }
+}
+const getUserTableReference = () => {
+  const table = getSafeIdentifier(process.env.USER_TABLE, "app_user");
+  const schema = process.env.USER_TABLE_SCHEMA
+    ? getSafeIdentifier(process.env.USER_TABLE_SCHEMA, "public")
+    : "public";
+  return `"${schema}"."${table}"`;
+};
+const getSafeIdentifier = (value: string | undefined, fallback: string) => {
+  const resolved = value?.trim() || fallback;
+  if (!resolved || !/^[A-Za-z_][A-Za-z0-9_]*$/.test(resolved)) {
+    throw new Error(`Invalid SQL identifier: ${resolved}`);
+  }
+  return resolved;
+};

package/src/api/migrations/1739520000000-create-password-reset-tokens.ts CHANGED Viewed

@@ -8,12 +8,14 @@ export class CreatePasswordResetTokens1739520000000 {
     await queryRunner.query(`
       CREATE TABLE IF NOT EXISTS "security_password_reset_token" (
-        "id" uuid PRIMARY KEY NOT NULL DEFAULT uuid_generate_v4(),
-        "user_id" varchar NOT NULL,
+        "id" uuid PRIMARY KEY NOT NULL DEFAULT uuidv7(),
+        "user_id" uuid NOT NULL,
         "token" varchar NOT NULL,
         "expires_at" timestamptz NOT NULL,
         "used_at" timestamptz,
         "created_at" timestamptz NOT NULL DEFAULT now(),
+        CONSTRAINT "CHK_security_password_reset_token_id_uuidv7" CHECK ("id"::text ~* '^[0-9a-f]{8}-[0-9a-f]{4}-7[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$'),
+        CONSTRAINT "CHK_security_password_reset_token_user_id_uuidv7" CHECK ("user_id"::text ~* '^[0-9a-f]{8}-[0-9a-f]{4}-7[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$'),
         CONSTRAINT "FK_security_password_reset_token_user_id" FOREIGN KEY ("user_id") REFERENCES ${userTableRef} ("id") ON DELETE CASCADE
       )
     `);

package/src/api/migrations/1739530000000-create-security-user.ts ADDED Viewed

@@ -0,0 +1,52 @@
+export class CreateSecurityUser1739530000000 {
+  name = "CreateSecurityUser1739530000000";
+  async up(queryRunner: {
+    query: (sql: string) => Promise<unknown>;
+  }): Promise<void> {
+    const userTableRef = getUserTableReference();
+    await queryRunner.query(`
+      CREATE TABLE IF NOT EXISTS "security_user" (
+        "user_id" uuid PRIMARY KEY NOT NULL,
+        "password_hash" varchar NOT NULL,
+        "email_verified_at" timestamptz,
+        "email_verification_token" varchar,
+        "admin_approved_at" timestamptz,
+        "is_active" boolean NOT NULL DEFAULT true,
+        "created_at" timestamptz NOT NULL DEFAULT now(),
+        CONSTRAINT "CHK_security_user_user_id_uuidv7" CHECK ("user_id"::text ~* '^[0-9a-f]{8}-[0-9a-f]{4}-7[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$'),
+        CONSTRAINT "FK_security_user_user_id" FOREIGN KEY ("user_id") REFERENCES ${userTableRef} ("id") ON DELETE CASCADE
+      )
+    `);
+    await queryRunner.query(
+      `CREATE UNIQUE INDEX IF NOT EXISTS "IDX_security_user_email_verification_token" ON "security_user" ("email_verification_token") WHERE "email_verification_token" IS NOT NULL`,
+    );
+  }
+  async down(queryRunner: {
+    query: (sql: string) => Promise<unknown>;
+  }): Promise<void> {
+    await queryRunner.query(
+      `DROP INDEX IF EXISTS "IDX_security_user_email_verification_token"`,
+    );
+    await queryRunner.query(`DROP TABLE IF EXISTS "security_user"`);
+  }
+}
+const getSafeIdentifier = (value: string | undefined, fallback: string) => {
+  const resolved = value?.trim() || fallback;
+  if (!resolved || !/^[A-Za-z_][A-Za-z0-9_]*$/.test(resolved)) {
+    throw new Error(`Invalid SQL identifier: ${resolved}`);
+  }
+  return resolved;
+};
+const getUserTableReference = () => {
+  const table = getSafeIdentifier(process.env.USER_TABLE, "app_user");
+  const schema = process.env.USER_TABLE_SCHEMA
+    ? getSafeIdentifier(process.env.USER_TABLE_SCHEMA, "public")
+    : "public";
+  return `"${schema}"."${table}"`;
+};