npm - @scryan7371/sdr-security - Versions diffs - 0.1.2 → 0.1.4 - Mend

@scryan7371/sdr-security 0.1.2 → 0.1.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (83) hide show

package/src/nest/security-auth.service.test.ts CHANGED Viewed

@@ -10,13 +10,16 @@ vi.mock("bcryptjs", () => ({
 vi.mock("crypto", () => ({
   randomBytes: vi.fn(() => ({ toString: () => "token-bytes" })),
-  randomUUID: vi.fn(() => "uuid-1"),
 }));
 vi.mock("jsonwebtoken", () => ({
   sign: vi.fn(() => "signed-access-token"),
 }));
+vi.mock("uuid", () => ({
+  v7: vi.fn(() => "uuid-1"),
+}));
 import { compare } from "bcryptjs";
 import { sign } from "jsonwebtoken";
 import { SecurityAuthService } from "./security-auth.service";
@@ -39,9 +42,11 @@ const makeNotifier = () => ({
 const makeUser = () => ({
   id: "user-1",
   email: "user@example.com",
+});
+const makeSecurityUser = () => ({
+  userId: "user-1",
   passwordHash: "hashed:Secret123",
-  firstName: "A",
-  lastName: "B",
   emailVerifiedAt: new Date("2026-01-01T00:00:00.000Z"),
   emailVerificationToken: null,
   adminApprovedAt: new Date("2026-01-01T00:00:00.000Z"),
@@ -49,7 +54,8 @@ const makeUser = () => ({
 });
 const setup = () => {
-  const usersRepo = makeRepo();
+  const appUsersRepo = makeRepo();
+  const securityUsersRepo = makeRepo();
   const refreshTokenRepo = makeRepo();
   const passwordResetRepo = makeRepo();
   const rolesRepo = makeRepo();
@@ -57,7 +63,8 @@ const setup = () => {
   const notifier = makeNotifier();
   const service = new SecurityAuthService(
-    usersRepo as never,
+    appUsersRepo as never,
+    securityUsersRepo as never,
     refreshTokenRepo as never,
     passwordResetRepo as never,
     rolesRepo as never,
@@ -75,7 +82,8 @@ const setup = () => {
   return {
     service,
-    usersRepo,
+    appUsersRepo,
+    securityUsersRepo,
     refreshTokenRepo,
     passwordResetRepo,
     rolesRepo,
@@ -90,29 +98,35 @@ describe("SecurityAuthService", () => {
   });
   it("registers user and sends verification", async () => {
-    const { service, usersRepo, userRolesRepo, rolesRepo, notifier } = setup();
-    usersRepo.findOne.mockResolvedValue(null);
-    usersRepo.save.mockResolvedValue(makeUser());
+    const {
+      service,
+      appUsersRepo,
+      securityUsersRepo,
+      userRolesRepo,
+      rolesRepo,
+      notifier,
+    } = setup();
+    appUsersRepo.findOne.mockResolvedValue(null);
+    appUsersRepo.save.mockResolvedValue(makeUser());
+    securityUsersRepo.save.mockResolvedValue(makeSecurityUser());
     userRolesRepo.find.mockResolvedValue([]);
     rolesRepo.find.mockResolvedValue([]);
     const result = await service.register({
       email: "USER@example.com",
       password: "Secret123",
-      firstName: "A",
-      lastName: "B",
     });
     expect(result.success).toBe(true);
-    expect(usersRepo.create).toHaveBeenCalledWith(
+    expect(appUsersRepo.create).toHaveBeenCalledWith(
       expect.objectContaining({ email: "user@example.com" }),
     );
     expect(notifier.sendEmailVerification).toHaveBeenCalled();
   });
   it("rejects duplicate email on register", async () => {
-    const { service, usersRepo } = setup();
-    usersRepo.findOne.mockResolvedValue(makeUser());
+    const { service, appUsersRepo } = setup();
+    appUsersRepo.findOne.mockResolvedValue(makeUser());
     await expect(
       service.register({ email: "user@example.com", password: "Secret123" }),
@@ -120,11 +134,18 @@ describe("SecurityAuthService", () => {
   });
   it("handles login success and auth failures", async () => {
-    const { service, usersRepo, userRolesRepo, rolesRepo, refreshTokenRepo } =
-      setup();
+    const {
+      service,
+      appUsersRepo,
+      securityUsersRepo,
+      userRolesRepo,
+      rolesRepo,
+      refreshTokenRepo,
+    } = setup();
     const user = makeUser();
-    usersRepo.findOne.mockResolvedValue(user);
+    appUsersRepo.findOne.mockResolvedValue(user);
+    securityUsersRepo.findOne.mockResolvedValue(makeSecurityUser());
     userRolesRepo.find.mockResolvedValue([{ roleId: "r1" }]);
     rolesRepo.find.mockResolvedValue([{ id: "r1", roleKey: "admin" }]);
@@ -136,30 +157,31 @@ describe("SecurityAuthService", () => {
     expect(sign).toHaveBeenCalled();
     expect(refreshTokenRepo.save).toHaveBeenCalled();
-    usersRepo.findOne.mockResolvedValue(null);
+    appUsersRepo.findOne.mockResolvedValue(null);
     await expect(
       service.login({ email: "none@example.com", password: "Secret123" }),
     ).rejects.toBeInstanceOf(UnauthorizedException);
   });
   it("blocks login when account is inactive or missing approvals", async () => {
-    const { service, usersRepo } = setup();
-    const inactive = { ...makeUser(), isActive: false };
-    usersRepo.findOne.mockResolvedValue(inactive);
+    const { service, appUsersRepo, securityUsersRepo } = setup();
+    const inactive = { ...makeSecurityUser(), isActive: false };
+    appUsersRepo.findOne.mockResolvedValue(makeUser());
+    securityUsersRepo.findOne.mockResolvedValue(inactive);
     await expect(
-      service.login({ email: inactive.email, password: "Secret123" }),
+      service.login({ email: "x@example.com", password: "Secret123" }),
     ).rejects.toThrow("Account is inactive");
-    usersRepo.findOne.mockResolvedValue({
-      ...makeUser(),
+    securityUsersRepo.findOne.mockResolvedValue({
+      ...makeSecurityUser(),
       emailVerifiedAt: null,
     });
     await expect(
       service.login({ email: "x@example.com", password: "Secret123" }),
     ).rejects.toThrow("Email verification required");
-    usersRepo.findOne.mockResolvedValue({
-      ...makeUser(),
+    securityUsersRepo.findOne.mockResolvedValue({
+      ...makeSecurityUser(),
       adminApprovedAt: null,
     });
     await expect(
@@ -168,8 +190,14 @@ describe("SecurityAuthService", () => {
   });
   it("refreshes and revokes tokens", async () => {
-    const { service, usersRepo, refreshTokenRepo, userRolesRepo, rolesRepo } =
-      setup();
+    const {
+      service,
+      appUsersRepo,
+      securityUsersRepo,
+      refreshTokenRepo,
+      userRolesRepo,
+      rolesRepo,
+    } = setup();
     refreshTokenRepo.find.mockResolvedValue([
       {
         id: "rt1",
@@ -178,7 +206,8 @@ describe("SecurityAuthService", () => {
         expiresAt: new Date(Date.now() + 60_000),
       },
     ]);
-    usersRepo.findOne.mockResolvedValue(makeUser());
+    appUsersRepo.findOne.mockResolvedValue(makeUser());
+    securityUsersRepo.findOne.mockResolvedValue(makeSecurityUser());
     userRolesRepo.find.mockResolvedValue([]);
     rolesRepo.find.mockResolvedValue([]);
@@ -196,7 +225,7 @@ describe("SecurityAuthService", () => {
   });
   it("rejects invalid refresh token and missing refresh user", async () => {
-    const { service, refreshTokenRepo, usersRepo } = setup();
+    const { service, refreshTokenRepo, appUsersRepo } = setup();
     refreshTokenRepo.find.mockResolvedValue([]);
     await expect(service.refresh("bad-token")).rejects.toThrow(
@@ -211,7 +240,7 @@ describe("SecurityAuthService", () => {
         expiresAt: new Date(Date.now() + 60_000),
       },
     ]);
-    usersRepo.findOne.mockResolvedValue(null);
+    appUsersRepo.findOne.mockResolvedValue(null);
     await expect(service.refresh("token-bytes")).rejects.toThrow(
       "User not found",
@@ -219,8 +248,8 @@ describe("SecurityAuthService", () => {
   });
   it("changes password", async () => {
-    const { service, usersRepo } = setup();
-    usersRepo.findOne.mockResolvedValue(makeUser());
+    const { service, securityUsersRepo } = setup();
+    securityUsersRepo.findOne.mockResolvedValue(makeSecurityUser());
     await expect(
       service.changePassword({
@@ -230,7 +259,7 @@ describe("SecurityAuthService", () => {
       }),
     ).resolves.toEqual({ success: true });
-    usersRepo.findOne.mockResolvedValue(null);
+    securityUsersRepo.findOne.mockResolvedValue(null);
     await expect(
       service.changePassword({
         userId: "missing",
@@ -241,8 +270,15 @@ describe("SecurityAuthService", () => {
   });
   it("handles forgot/reset password flow", async () => {
-    const { service, usersRepo, passwordResetRepo, notifier } = setup();
-    usersRepo.findOne.mockResolvedValue(makeUser());
+    const {
+      service,
+      appUsersRepo,
+      securityUsersRepo,
+      passwordResetRepo,
+      notifier,
+    } = setup();
+    appUsersRepo.findOne.mockResolvedValue(makeUser());
+    securityUsersRepo.findOne.mockResolvedValue(makeSecurityUser());
     passwordResetRepo.findOne.mockResolvedValue({
       id: "pr1",
       userId: "user-1",
@@ -267,8 +303,8 @@ describe("SecurityAuthService", () => {
   });
   it("returns success for unknown forgot email and rejects bad reset token", async () => {
-    const { service, usersRepo, passwordResetRepo } = setup();
-    usersRepo.findOne.mockResolvedValue(null);
+    const { service, appUsersRepo, passwordResetRepo } = setup();
+    appUsersRepo.findOne.mockResolvedValue(null);
     await expect(
       service.requestForgotPassword("none@example.com"),
     ).resolves.toEqual({
@@ -293,10 +329,8 @@ describe("SecurityAuthService", () => {
   });
   it("verifies email token and reads user roles", async () => {
-    const { service, usersRepo, userRolesRepo, rolesRepo } = setup();
-    usersRepo.findOne
-      .mockResolvedValueOnce(makeUser())
-      .mockResolvedValueOnce(makeUser());
+    const { service, securityUsersRepo, userRolesRepo, rolesRepo } = setup();
+    securityUsersRepo.findOne.mockResolvedValue(makeSecurityUser());
     userRolesRepo.find.mockResolvedValue([{ roleId: "r1" }]);
     rolesRepo.find.mockResolvedValue([{ id: "r1", roleKey: "coach" }]);
@@ -310,8 +344,8 @@ describe("SecurityAuthService", () => {
   });
   it("rejects invalid email verification token", async () => {
-    const { service, usersRepo } = setup();
-    usersRepo.findOne.mockResolvedValue(null);
+    const { service, securityUsersRepo } = setup();
+    securityUsersRepo.findOne.mockResolvedValue(null);
     await expect(service.verifyEmailByToken("missing")).rejects.toThrow(
       "Invalid verification token",

package/src/nest/security-auth.service.ts CHANGED Viewed

@@ -4,9 +4,10 @@ import {
   Injectable,
   UnauthorizedException,
 } from "@nestjs/common";
-import { randomBytes, randomUUID } from "crypto";
+import { randomBytes } from "crypto";
 import { compare, hash } from "bcryptjs";
 import { sign, type SignOptions } from "jsonwebtoken";
+import { v7 as uuidv7 } from "uuid";
 import { InjectRepository } from "@nestjs/typeorm";
 import { In, IsNull, Repository } from "typeorm";
 import { AuthResponse, RegisterResponse } from "../api/contracts";
@@ -18,6 +19,7 @@ import { AppUserEntity } from "./entities/app-user.entity";
 import { PasswordResetTokenEntity } from "./entities/password-reset-token.entity";
 import { RefreshTokenEntity } from "./entities/refresh-token.entity";
 import { SecurityRoleEntity } from "./entities/security-role.entity";
+import { SecurityUserEntity } from "./entities/security-user.entity";
 import { SecurityUserRoleEntity } from "./entities/security-user-role.entity";
 import { SECURITY_WORKFLOW_NOTIFIER } from "./tokens";
 import { SecurityWorkflowNotifier } from "./contracts";
@@ -30,7 +32,9 @@ const PASSWORD_ROUNDS = 12;
 export class SecurityAuthService {
   constructor(
     @InjectRepository(AppUserEntity)
-    private readonly usersRepo: Repository<AppUserEntity>,
+    private readonly appUsersRepo: Repository<AppUserEntity>,
+    @InjectRepository(SecurityUserEntity)
+    private readonly securityUsersRepo: Repository<SecurityUserEntity>,
     @InjectRepository(RefreshTokenEntity)
     private readonly refreshTokenRepo: Repository<RefreshTokenEntity>,
     @InjectRepository(PasswordResetTokenEntity)
@@ -48,21 +52,23 @@ export class SecurityAuthService {
   async register(params: {
     email: string;
     password: string;
-    firstName?: string | null;
-    lastName?: string | null;
   }): Promise<RegisterResponse> {
     const email = sanitizeEmail(params.email);
-    const existing = await this.usersRepo.findOne({ where: { email } });
+    const existing = await this.appUsersRepo.findOne({ where: { email } });
     if (existing) {
       throw new BadRequestException("Email already in use");
     }
-    const user = await this.usersRepo.save(
-      this.usersRepo.create({
+    const appUser = await this.appUsersRepo.save(
+      this.appUsersRepo.create({
+        id: uuidv7(),
         email,
+      }),
+    );
+    const securityUser = await this.securityUsersRepo.save(
+      this.securityUsersRepo.create({
+        userId: appUser.id,
         passwordHash: await hash(params.password, PASSWORD_ROUNDS),
-        firstName: params.firstName ?? null,
-        lastName: params.lastName ?? null,
         emailVerifiedAt: null,
         emailVerificationToken: null,
         adminApprovedAt: null,
@@ -70,17 +76,19 @@ export class SecurityAuthService {
       }),
     );
-    const verificationToken = await this.createEmailVerificationToken(user.id);
+    const verificationToken = await this.createEmailVerificationToken(
+      appUser.id,
+    );
     if (this.notifier.sendEmailVerification) {
       await this.notifier.sendEmailVerification({
-        email: user.email,
+        email: appUser.email,
         token: verificationToken,
       });
     }
     return {
       success: true,
-      user: await this.toSafeUser(user),
+      user: await this.toSafeUser(appUser, securityUser),
       debugToken: verificationToken,
     };
   }
@@ -90,17 +98,23 @@ export class SecurityAuthService {
     password: string;
   }): Promise<AuthResponse> {
     const email = sanitizeEmail(params.email);
-    const user = await this.usersRepo.findOne({ where: { email } });
-    if (!user) {
+    const appUser = await this.appUsersRepo.findOne({ where: { email } });
+    if (!appUser) {
+      throw new UnauthorizedException("Invalid credentials");
+    }
+    const securityUser = await this.securityUsersRepo.findOne({
+      where: { userId: appUser.id },
+    });
+    if (!securityUser) {
       throw new UnauthorizedException("Invalid credentials");
     }
-    const ok = await compare(params.password, user.passwordHash);
+    const ok = await compare(params.password, securityUser.passwordHash);
     if (!ok) {
       throw new UnauthorizedException("Invalid credentials");
     }
-    this.assertCanAuthenticate(user);
-    return this.issueTokens(user);
+    this.assertCanAuthenticate(securityUser);
+    return this.issueTokens(appUser, securityUser);
   }
   async refresh(refreshToken: string): Promise<AuthResponse> {
@@ -112,14 +126,20 @@ export class SecurityAuthService {
       { id: record.id },
       { revokedAt: new Date() },
     );
-    const user = await this.usersRepo.findOne({
+    const appUser = await this.appUsersRepo.findOne({
       where: { id: record.userId ?? "" },
     });
-    if (!user) {
+    if (!appUser) {
+      throw new UnauthorizedException("User not found");
+    }
+    const securityUser = await this.securityUsersRepo.findOne({
+      where: { userId: appUser.id },
+    });
+    if (!securityUser) {
       throw new UnauthorizedException("User not found");
     }
-    this.assertCanAuthenticate(user);
-    return this.issueTokens(user);
+    this.assertCanAuthenticate(securityUser);
+    return this.issueTokens(appUser, securityUser);
   }
   async logout(refreshToken?: string) {
@@ -141,16 +161,18 @@ export class SecurityAuthService {
     currentPassword: string;
     newPassword: string;
   }) {
-    const user = await this.usersRepo.findOne({ where: { id: params.userId } });
-    if (!user) {
+    const securityUser = await this.securityUsersRepo.findOne({
+      where: { userId: params.userId },
+    });
+    if (!securityUser) {
       throw new BadRequestException("User not found");
     }
-    const ok = await compare(params.currentPassword, user.passwordHash);
+    const ok = await compare(params.currentPassword, securityUser.passwordHash);
     if (!ok) {
       throw new UnauthorizedException("Current password is incorrect");
     }
-    await this.usersRepo.update(
-      { id: user.id },
+    await this.securityUsersRepo.update(
+      { userId: securityUser.userId },
       { passwordHash: await hash(params.newPassword, PASSWORD_ROUNDS) },
     );
     return { success: true as const };
@@ -158,8 +180,14 @@ export class SecurityAuthService {
   async requestForgotPassword(emailInput: string) {
     const email = sanitizeEmail(emailInput);
-    const user = await this.usersRepo.findOne({ where: { email } });
-    if (!user) {
+    const appUser = await this.appUsersRepo.findOne({ where: { email } });
+    if (!appUser) {
+      return { success: true as const };
+    }
+    const securityUser = await this.securityUsersRepo.findOne({
+      where: { userId: appUser.id },
+    });
+    if (!securityUser) {
       return { success: true as const };
     }
     const token = randomBytes(EMAIL_TOKEN_BYTES).toString("hex");
@@ -169,14 +197,15 @@ export class SecurityAuthService {
     );
     await this.passwordResetRepo.save(
       this.passwordResetRepo.create({
-        userId: user.id,
+        id: uuidv7(),
+        userId: appUser.id,
         token,
         expiresAt,
         usedAt: null,
       }),
     );
     if (this.notifier.sendPasswordReset) {
-      await this.notifier.sendPasswordReset({ email: user.email, token });
+      await this.notifier.sendPasswordReset({ email: appUser.email, token });
     }
     return { success: true as const };
   }
@@ -186,8 +215,8 @@ export class SecurityAuthService {
     if (!reset || reset.usedAt || reset.expiresAt.getTime() <= Date.now()) {
       throw new BadRequestException("Invalid password reset token");
     }
-    await this.usersRepo.update(
-      { id: reset.userId },
+    await this.securityUsersRepo.update(
+      { userId: reset.userId },
       { passwordHash: await hash(newPassword, PASSWORD_ROUNDS) },
     );
     await this.passwordResetRepo.update(
@@ -198,14 +227,14 @@ export class SecurityAuthService {
   }
   async verifyEmailByToken(token: string) {
-    const user = await this.usersRepo.findOne({
+    const user = await this.securityUsersRepo.findOne({
       where: { emailVerificationToken: token },
     });
     if (!user) {
       throw new BadRequestException("Invalid verification token");
     }
-    await this.usersRepo.update(
-      { id: user.id },
+    await this.securityUsersRepo.update(
+      { userId: user.userId },
       { emailVerifiedAt: new Date(), emailVerificationToken: null },
     );
     return { success: true as const };
@@ -215,7 +244,14 @@ export class SecurityAuthService {
     return { userId, roles: await this.getUserRoleKeys(userId) };
   }
-  private assertCanAuthenticate(user: AppUserEntity) {
+  async getUserIdByVerificationToken(token: string): Promise<string | null> {
+    const user = await this.securityUsersRepo.findOne({
+      where: { emailVerificationToken: token },
+    });
+    return user?.userId ?? null;
+  }
+  private assertCanAuthenticate(user: SecurityUserEntity) {
     if (!user.isActive) {
       throw new UnauthorizedException("Account is inactive");
     }
@@ -230,11 +266,14 @@ export class SecurityAuthService {
     }
   }
-  private async issueTokens(user: AppUserEntity): Promise<AuthResponse> {
-    const roles = await this.getUserRoleKeys(user.id);
+  private async issueTokens(
+    appUser: AppUserEntity,
+    securityUser: SecurityUserEntity,
+  ): Promise<AuthResponse> {
+    const roles = await this.getUserRoleKeys(appUser.id);
     const accessTokenExpiresIn = this.options.accessTokenExpiresIn ?? "15m";
     const accessToken = sign(
-      { sub: user.id, email: user.email, roles },
+      { sub: appUser.id, email: appUser.email, roles },
       this.options.jwtSecret,
       { expiresIn: accessTokenExpiresIn as SignOptions["expiresIn"] },
     );
@@ -247,8 +286,8 @@ export class SecurityAuthService {
     await this.refreshTokenRepo.save(
       this.refreshTokenRepo.create({
-        id: randomUUID(),
-        userId: user.id,
+        id: uuidv7(),
+        userId: appUser.id,
         tokenHash: refreshTokenHash,
         expiresAt: refreshTokenExpiresAt,
         revokedAt: null,
@@ -260,14 +299,14 @@ export class SecurityAuthService {
       accessTokenExpiresIn,
       refreshToken,
       refreshTokenExpiresAt,
-      user: await this.toSafeUser(user),
+      user: await this.toSafeUser(appUser, securityUser),
     };
   }
   private async createEmailVerificationToken(userId: string) {
     const token = randomBytes(EMAIL_TOKEN_BYTES).toString("hex");
-    await this.usersRepo.update(
-      { id: userId },
+    await this.securityUsersRepo.update(
+      { userId },
       { emailVerificationToken: token },
     );
     return token;
@@ -302,18 +341,19 @@ export class SecurityAuthService {
     return roles.map((role) => normalizeRoleName(role.roleKey)).sort();
   }
-  private async toSafeUser(user: AppUserEntity) {
+  private async toSafeUser(
+    appUser: AppUserEntity,
+    securityUser: SecurityUserEntity,
+  ) {
     return {
-      id: user.id,
-      email: user.email,
-      firstName: user.firstName,
-      lastName: user.lastName,
+      id: appUser.id,
+      email: appUser.email,
       phone: null,
-      roles: await this.getUserRoleKeys(user.id),
-      emailVerifiedAt: user.emailVerifiedAt,
+      roles: await this.getUserRoleKeys(appUser.id),
+      emailVerifiedAt: securityUser.emailVerifiedAt,
       phoneVerifiedAt: null,
-      adminApprovedAt: user.adminApprovedAt,
-      isActive: user.isActive,
+      adminApprovedAt: securityUser.adminApprovedAt,
+      isActive: securityUser.isActive,
     };
   }
 }

package/src/nest/security-workflows.module.ts CHANGED Viewed

@@ -7,6 +7,7 @@ import { SecurityAdminGuard } from "./security-admin.guard";
 import { SecurityJwtGuard } from "./security-jwt.guard";
 import { AppUserEntity } from "./entities/app-user.entity";
 import { SecurityRoleEntity } from "./entities/security-role.entity";
+import { SecurityUserEntity } from "./entities/security-user.entity";
 import { SecurityUserRoleEntity } from "./entities/security-user-role.entity";
 import { SecurityWorkflowsController } from "./security-workflows.controller";
 import { SecurityWorkflowsService } from "./security-workflows.service";
@@ -33,6 +34,7 @@ export class SecurityWorkflowsModule {
       imports: [
         TypeOrmModule.forFeature([
           AppUserEntity,
+          SecurityUserEntity,
           SecurityRoleEntity,
           SecurityUserRoleEntity,
         ]),