@scryan7371/sdr-security 0.1.3 → 0.1.5

package/dist/api/migrations/1700000000001-add-refresh-tokens.js

@@ -7,11 +7,11 @@ class AddRefreshTokens1700000000001 {
         const userTableRef = getUserTableReference();
         await queryRunner.query(`
       CREATE TABLE "refresh_token" (
-        "id" varchar PRIMARY KEY NOT NULL,
+        "id" uuid PRIMARY KEY NOT NULL DEFAULT uuidv7(),
         "token_hash" varchar NOT NULL,
         "expires_at" timestamptz NOT NULL,
         "revoked_at" timestamptz,
-        "userId" varchar,
+        "userId" uuid,
         "created_at" timestamptz NOT NULL DEFAULT (CURRENT_TIMESTAMP),
         CONSTRAINT "FK_refresh_token_user" FOREIGN KEY ("userId") REFERENCES ${userTableRef} ("id") ON DELETE CASCADE ON UPDATE NO ACTION
       )

package/dist/api/migrations/1739490000000-create-app-user.d.ts

@@ -0,0 +1,9 @@
+export declare class CreateAppUser1739490000000 {
+    name: string;
+    up(queryRunner: {
+        query: (sql: string) => Promise<unknown>;
+    }): Promise<void>;
+    down(queryRunner: {
+        query: (sql: string) => Promise<unknown>;
+    }): Promise<void>;
+}

package/dist/api/migrations/1739490000000-create-app-user.js

@@ -0,0 +1,34 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CreateAppUser1739490000000 = void 0;
+class CreateAppUser1739490000000 {
+    name = "CreateAppUser1739490000000";
+    async up(queryRunner) {
+        const userTableRef = getUserTableReference();
+        await queryRunner.query(`
+      CREATE TABLE IF NOT EXISTS ${userTableRef} (
+        "id" uuid PRIMARY KEY NOT NULL,
+        "email" varchar NOT NULL
+      )
+    `);
+    }
+    async down(queryRunner) {
+        const userTableRef = getUserTableReference();
+        await queryRunner.query(`DROP TABLE IF EXISTS ${userTableRef}`);
+    }
+}
+exports.CreateAppUser1739490000000 = CreateAppUser1739490000000;
+const getSafeIdentifier = (value, fallback) => {
+    const resolved = value?.trim() || fallback;
+    if (!resolved || !/^[A-Za-z_][A-Za-z0-9_]*$/.test(resolved)) {
+        throw new Error(`Invalid SQL identifier: ${resolved}`);
+    }
+    return resolved;
+};
+const getUserTableReference = () => {
+    const table = getSafeIdentifier(process.env.USER_TABLE, "app_user");
+    const schema = process.env.USER_TABLE_SCHEMA
+        ? getSafeIdentifier(process.env.USER_TABLE_SCHEMA, "public")
+        : "public";
+    return `"${schema}"."${table}"`;
+};

package/dist/api/migrations/1739500000000-create-security-identity.js

@@ -8,7 +8,7 @@ class CreateSecurityIdentity1739500000000 {
         await queryRunner.query(`
       CREATE TABLE IF NOT EXISTS "security_identity" (
         "id" uuid PRIMARY KEY NOT NULL DEFAULT uuidv7(),
-        "user_id" varchar NOT NULL,
+        "user_id" uuid NOT NULL,
         "provider" varchar NOT NULL,
         "provider_subject" varchar NOT NULL,
         "created_at" timestamptz NOT NULL DEFAULT now(),

package/dist/api/migrations/1739515000000-create-security-user-roles.js

@@ -8,7 +8,7 @@ class CreateSecurityUserRoles1739515000000 {
         await queryRunner.query(`
       CREATE TABLE IF NOT EXISTS "security_user_role" (
         "id" uuid PRIMARY KEY NOT NULL DEFAULT uuidv7(),
-        "user_id" varchar NOT NULL,
+        "user_id" uuid NOT NULL,
         "role_id" uuid NOT NULL,
         "created_at" timestamptz NOT NULL DEFAULT now(),
         CONSTRAINT "FK_security_user_role_user_id" FOREIGN KEY ("user_id") REFERENCES ${userTableRef} ("id") ON DELETE CASCADE,

package/dist/api/migrations/1739520000000-create-password-reset-tokens.js

@@ -8,7 +8,7 @@ class CreatePasswordResetTokens1739520000000 {
         await queryRunner.query(`
       CREATE TABLE IF NOT EXISTS "security_password_reset_token" (
         "id" uuid PRIMARY KEY NOT NULL DEFAULT uuidv7(),
-        "user_id" varchar NOT NULL,
+        "user_id" uuid NOT NULL,
         "token" varchar NOT NULL,
         "expires_at" timestamptz NOT NULL,
         "used_at" timestamptz,

package/dist/api/migrations/1739530000000-create-security-user.js

@@ -7,7 +7,7 @@ class CreateSecurityUser1739530000000 {
         const userTableRef = getUserTableReference();
         await queryRunner.query(`
       CREATE TABLE IF NOT EXISTS "security_user" (
-        "user_id" varchar PRIMARY KEY NOT NULL,
+        "user_id" uuid PRIMARY KEY NOT NULL,
         "password_hash" varchar NOT NULL,
         "email_verified_at" timestamptz,
         "email_verification_token" varchar,

package/dist/api/migrations/index.d.ts

@@ -1,8 +1,10 @@
+import { CreateAppUser1739490000000 } from "./1739490000000-create-app-user";
 import { AddRefreshTokens1700000000001 } from "./1700000000001-add-refresh-tokens";
 import { CreateSecurityIdentity1739500000000 } from "./1739500000000-create-security-identity";
 import { CreateSecurityRoles1739510000000 } from "./1739510000000-create-security-roles";
 import { CreateSecurityUserRoles1739515000000 } from "./1739515000000-create-security-user-roles";
 import { CreatePasswordResetTokens1739520000000 } from "./1739520000000-create-password-reset-tokens";
 import { CreateSecurityUser1739530000000 } from "./1739530000000-create-security-user";
-export declare const securityMigrations: (typeof AddRefreshTokens1700000000001)[];
-export { AddRefreshTokens1700000000001, CreateSecurityIdentity1739500000000, CreateSecurityRoles1739510000000, CreateSecurityUserRoles1739515000000, CreatePasswordResetTokens1739520000000, CreateSecurityUser1739530000000, };
+export declare const allMigrations: (typeof CreateAppUser1739490000000)[];
+export declare const securityMigrations: (typeof CreateAppUser1739490000000)[];
+export { CreateAppUser1739490000000, AddRefreshTokens1700000000001, CreateSecurityIdentity1739500000000, CreateSecurityRoles1739510000000, CreateSecurityUserRoles1739515000000, CreatePasswordResetTokens1739520000000, CreateSecurityUser1739530000000, };

package/dist/api/migrations/index.js

@@ -1,6 +1,8 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.CreateSecurityUser1739530000000 = exports.CreatePasswordResetTokens1739520000000 = exports.CreateSecurityUserRoles1739515000000 = exports.CreateSecurityRoles1739510000000 = exports.CreateSecurityIdentity1739500000000 = exports.AddRefreshTokens1700000000001 = exports.securityMigrations = void 0;
+exports.CreateSecurityUser1739530000000 = exports.CreatePasswordResetTokens1739520000000 = exports.CreateSecurityUserRoles1739515000000 = exports.CreateSecurityRoles1739510000000 = exports.CreateSecurityIdentity1739500000000 = exports.AddRefreshTokens1700000000001 = exports.CreateAppUser1739490000000 = exports.securityMigrations = exports.allMigrations = void 0;
+const _1739490000000_create_app_user_1 = require("./1739490000000-create-app-user");
+Object.defineProperty(exports, "CreateAppUser1739490000000", { enumerable: true, get: function () { return _1739490000000_create_app_user_1.CreateAppUser1739490000000; } });
 const _1700000000001_add_refresh_tokens_1 = require("./1700000000001-add-refresh-tokens");
 Object.defineProperty(exports, "AddRefreshTokens1700000000001", { enumerable: true, get: function () { return _1700000000001_add_refresh_tokens_1.AddRefreshTokens1700000000001; } });
 const _1739500000000_create_security_identity_1 = require("./1739500000000-create-security-identity");
@@ -13,7 +15,8 @@ const _1739520000000_create_password_reset_tokens_1 = require("./1739520000000-c
 Object.defineProperty(exports, "CreatePasswordResetTokens1739520000000", { enumerable: true, get: function () { return _1739520000000_create_password_reset_tokens_1.CreatePasswordResetTokens1739520000000; } });
 const _1739530000000_create_security_user_1 = require("./1739530000000-create-security-user");
 Object.defineProperty(exports, "CreateSecurityUser1739530000000", { enumerable: true, get: function () { return _1739530000000_create_security_user_1.CreateSecurityUser1739530000000; } });
-exports.securityMigrations = [
+exports.allMigrations = [
+    _1739490000000_create_app_user_1.CreateAppUser1739490000000,
     _1700000000001_add_refresh_tokens_1.AddRefreshTokens1700000000001,
     _1739500000000_create_security_identity_1.CreateSecurityIdentity1739500000000,
     _1739510000000_create_security_roles_1.CreateSecurityRoles1739510000000,
@@ -21,3 +24,4 @@ exports.securityMigrations = [
     _1739520000000_create_password_reset_tokens_1.CreatePasswordResetTokens1739520000000,
     _1739530000000_create_security_user_1.CreateSecurityUser1739530000000,
 ];
+exports.securityMigrations = exports.allMigrations.filter((migration) => migration !== _1739490000000_create_app_user_1.CreateAppUser1739490000000);

package/dist/api/migrations/migrations.test.js

@@ -1,6 +1,7 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 const vitest_1 = require("vitest");
+const _1739490000000_create_app_user_1 = require("./1739490000000-create-app-user");
 const _1700000000001_add_refresh_tokens_1 = require("./1700000000001-add-refresh-tokens");
 const _1739500000000_create_security_identity_1 = require("./1739500000000-create-security-identity");
 const _1739510000000_create_security_roles_1 = require("./1739510000000-create-security-roles");
@@ -14,6 +15,18 @@ const originalEnv = { ...process.env };
     vitest_1.vi.restoreAllMocks();
 });
 (0, vitest_1.describe)("security migrations", () => {
+    (0, vitest_1.it)("exports all migration list for test/dev", () => {
+        (0, vitest_1.expect)(index_1.allMigrations.length).toBe(7);
+        (0, vitest_1.expect)(index_1.allMigrations).toEqual([
+            _1739490000000_create_app_user_1.CreateAppUser1739490000000,
+            _1700000000001_add_refresh_tokens_1.AddRefreshTokens1700000000001,
+            _1739500000000_create_security_identity_1.CreateSecurityIdentity1739500000000,
+            _1739510000000_create_security_roles_1.CreateSecurityRoles1739510000000,
+            _1739515000000_create_security_user_roles_1.CreateSecurityUserRoles1739515000000,
+            _1739520000000_create_password_reset_tokens_1.CreatePasswordResetTokens1739520000000,
+            _1739530000000_create_security_user_1.CreateSecurityUser1739530000000,
+        ]);
+    });
     (0, vitest_1.it)("exports migration list", () => {
         (0, vitest_1.expect)(index_1.securityMigrations.length).toBe(6);
         (0, vitest_1.expect)(index_1.securityMigrations).toEqual([
@@ -25,6 +38,14 @@ const originalEnv = { ...process.env };
             _1739530000000_create_security_user_1.CreateSecurityUser1739530000000,
         ]);
     });
+    (0, vitest_1.it)("runs app user migration up/down", async () => {
+        const query = vitest_1.vi.fn().mockResolvedValue(undefined);
+        const migration = new _1739490000000_create_app_user_1.CreateAppUser1739490000000();
+        await migration.up({ query });
+        await migration.down({ query });
+        (0, vitest_1.expect)(query).toHaveBeenCalledWith(vitest_1.expect.stringContaining('CREATE TABLE IF NOT EXISTS "public"."app_user"'));
+        (0, vitest_1.expect)(query).toHaveBeenCalledWith(vitest_1.expect.stringContaining('DROP TABLE IF EXISTS "public"."app_user"'));
+    });
     (0, vitest_1.it)("runs refresh token migration up/down", async () => {
         const query = vitest_1.vi.fn().mockResolvedValue(undefined);
         const migration = new _1700000000001_add_refresh_tokens_1.AddRefreshTokens1700000000001();

package/dist/integration/database.integration.test.js

@@ -95,15 +95,9 @@ const resetSchemaBeforeRun = process.env.SECURITY_TEST_RESET_SCHEMA !== "false";
         }
         await client.query(`CREATE SCHEMA IF NOT EXISTS "${schema}"`);
         await client.query(`SET search_path TO "${schema}", public`);
-        await client.query(`
-      CREATE TABLE IF NOT EXISTS "${schema}"."app_user" (
-        "id" varchar PRIMARY KEY NOT NULL,
-        "email" varchar NOT NULL
-      )
-    `);
         process.env.USER_TABLE = "app_user";
         process.env.USER_TABLE_SCHEMA = schema;
-        for (const Migration of migrations_1.securityMigrations) {
+        for (const Migration of migrations_1.allMigrations) {
             await new Migration().up(runner);
         }
     });
@@ -112,10 +106,9 @@ const resetSchemaBeforeRun = process.env.SECURITY_TEST_RESET_SCHEMA !== "false";
             return;
         }
         if (!keepSchemaForDebug) {
-            for (const Migration of [...migrations_1.securityMigrations].reverse()) {
+            for (const Migration of [...migrations_1.allMigrations].reverse()) {
                 await new Migration().down(runner);
             }
-            await client.query(`DROP TABLE IF EXISTS "${schema}"."app_user"`);
             await client.query(`DROP SCHEMA IF EXISTS "${schema}" CASCADE`);
         }
         await client.end();

package/dist/nest/entities/app-user.entity.js

@@ -17,7 +17,7 @@ let AppUserEntity = class AppUserEntity {
 };
 exports.AppUserEntity = AppUserEntity;
 __decorate([
-    (0, typeorm_1.PrimaryGeneratedColumn)("uuid"),
+    (0, typeorm_1.PrimaryColumn)({ type: "uuid" }),
     __metadata("design:type", String)
 ], AppUserEntity.prototype, "id", void 0);
 __decorate([

package/dist/nest/entities/password-reset-token.entity.d.ts

@@ -5,4 +5,5 @@ export declare class PasswordResetTokenEntity {
     expiresAt: Date;
     usedAt: Date | null;
     createdAt: Date;
+    ensureId(): void;
 }

package/dist/nest/entities/password-reset-token.entity.js

@@ -11,6 +11,7 @@ var __metadata = (this && this.__metadata) || function (k, v) {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.PasswordResetTokenEntity = void 0;
 const typeorm_1 = require("typeorm");
+const uuid_1 = require("uuid");
 let PasswordResetTokenEntity = class PasswordResetTokenEntity {
     id;
     userId;
@@ -18,14 +19,19 @@ let PasswordResetTokenEntity = class PasswordResetTokenEntity {
     expiresAt;
     usedAt;
     createdAt;
+    ensureId() {
+        if (!this.id) {
+            this.id = (0, uuid_1.v7)();
+        }
+    }
 };
 exports.PasswordResetTokenEntity = PasswordResetTokenEntity;
 __decorate([
-    (0, typeorm_1.PrimaryGeneratedColumn)("uuid"),
+    (0, typeorm_1.PrimaryColumn)({ type: "uuid" }),
     __metadata("design:type", String)
 ], PasswordResetTokenEntity.prototype, "id", void 0);
 __decorate([
-    (0, typeorm_1.Column)({ type: "varchar", name: "user_id" }),
+    (0, typeorm_1.Column)({ type: "uuid", name: "user_id" }),
     __metadata("design:type", String)
 ], PasswordResetTokenEntity.prototype, "userId", void 0);
 __decorate([
@@ -44,6 +50,12 @@ __decorate([
     (0, typeorm_1.CreateDateColumn)({ name: "created_at" }),
     __metadata("design:type", Date)
 ], PasswordResetTokenEntity.prototype, "createdAt", void 0);
+__decorate([
+    (0, typeorm_1.BeforeInsert)(),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", []),
+    __metadata("design:returntype", void 0)
+], PasswordResetTokenEntity.prototype, "ensureId", null);
 exports.PasswordResetTokenEntity = PasswordResetTokenEntity = __decorate([
     (0, typeorm_1.Entity)({ name: "security_password_reset_token" })
 ], PasswordResetTokenEntity);

package/dist/nest/entities/refresh-token.entity.js

@@ -21,7 +21,7 @@ let RefreshTokenEntity = class RefreshTokenEntity {
 };
 exports.RefreshTokenEntity = RefreshTokenEntity;
 __decorate([
-    (0, typeorm_1.PrimaryColumn)({ type: "varchar" }),
+    (0, typeorm_1.PrimaryColumn)({ type: "uuid" }),
     __metadata("design:type", String)
 ], RefreshTokenEntity.prototype, "id", void 0);
 __decorate([
@@ -37,7 +37,7 @@ __decorate([
     __metadata("design:type", Object)
 ], RefreshTokenEntity.prototype, "revokedAt", void 0);
 __decorate([
-    (0, typeorm_1.Column)({ type: "varchar", name: "userId", nullable: true }),
+    (0, typeorm_1.Column)({ type: "uuid", name: "userId", nullable: true }),
     __metadata("design:type", Object)
 ], RefreshTokenEntity.prototype, "userId", void 0);
 __decorate([

package/dist/nest/entities/security-role.entity.d.ts

@@ -3,4 +3,5 @@ export declare class SecurityRoleEntity {
     roleKey: string;
     description: string | null;
     isSystem: boolean;
+    ensureId(): void;
 }

package/dist/nest/entities/security-role.entity.js

@@ -10,16 +10,22 @@ var __metadata = (this && this.__metadata) || function (k, v) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.SecurityRoleEntity = void 0;
+const uuid_1 = require("uuid");
 const typeorm_1 = require("typeorm");
 let SecurityRoleEntity = class SecurityRoleEntity {
     id;
     roleKey;
     description;
     isSystem;
+    ensureId() {
+        if (!this.id) {
+            this.id = (0, uuid_1.v7)();
+        }
+    }
 };
 exports.SecurityRoleEntity = SecurityRoleEntity;
 __decorate([
-    (0, typeorm_1.PrimaryGeneratedColumn)("uuid"),
+    (0, typeorm_1.PrimaryColumn)({ type: "uuid" }),
     __metadata("design:type", String)
 ], SecurityRoleEntity.prototype, "id", void 0);
 __decorate([
@@ -34,6 +40,12 @@ __decorate([
     (0, typeorm_1.Column)({ type: "boolean", name: "is_system", default: false }),
     __metadata("design:type", Boolean)
 ], SecurityRoleEntity.prototype, "isSystem", void 0);
+__decorate([
+    (0, typeorm_1.BeforeInsert)(),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", []),
+    __metadata("design:returntype", void 0)
+], SecurityRoleEntity.prototype, "ensureId", null);
 exports.SecurityRoleEntity = SecurityRoleEntity = __decorate([
     (0, typeorm_1.Entity)({ name: "security_role" })
 ], SecurityRoleEntity);

package/dist/nest/entities/security-user-role.entity.d.ts

@@ -2,4 +2,5 @@ export declare class SecurityUserRoleEntity {
     id: string;
     userId: string;
     roleId: string;
+    ensureId(): void;
 }

package/dist/nest/entities/security-user-role.entity.js

@@ -10,25 +10,37 @@ var __metadata = (this && this.__metadata) || function (k, v) {
 };
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.SecurityUserRoleEntity = void 0;
+const uuid_1 = require("uuid");
 const typeorm_1 = require("typeorm");
 let SecurityUserRoleEntity = class SecurityUserRoleEntity {
     id;
     userId;
     roleId;
+    ensureId() {
+        if (!this.id) {
+            this.id = (0, uuid_1.v7)();
+        }
+    }
 };
 exports.SecurityUserRoleEntity = SecurityUserRoleEntity;
 __decorate([
-    (0, typeorm_1.PrimaryGeneratedColumn)("uuid"),
+    (0, typeorm_1.PrimaryColumn)({ type: "uuid" }),
     __metadata("design:type", String)
 ], SecurityUserRoleEntity.prototype, "id", void 0);
 __decorate([
-    (0, typeorm_1.Column)({ type: "varchar", name: "user_id" }),
+    (0, typeorm_1.Column)({ type: "uuid", name: "user_id" }),
     __metadata("design:type", String)
 ], SecurityUserRoleEntity.prototype, "userId", void 0);
 __decorate([
     (0, typeorm_1.Column)({ type: "uuid", name: "role_id" }),
     __metadata("design:type", String)
 ], SecurityUserRoleEntity.prototype, "roleId", void 0);
+__decorate([
+    (0, typeorm_1.BeforeInsert)(),
+    __metadata("design:type", Function),
+    __metadata("design:paramtypes", []),
+    __metadata("design:returntype", void 0)
+], SecurityUserRoleEntity.prototype, "ensureId", null);
 exports.SecurityUserRoleEntity = SecurityUserRoleEntity = __decorate([
     (0, typeorm_1.Entity)({ name: "security_user_role" })
 ], SecurityUserRoleEntity);

package/dist/nest/entities/security-user.entity.js

@@ -22,7 +22,7 @@ let SecurityUserEntity = class SecurityUserEntity {
 };
 exports.SecurityUserEntity = SecurityUserEntity;
 __decorate([
-    (0, typeorm_1.PrimaryColumn)({ type: "varchar", name: "user_id" }),
+    (0, typeorm_1.PrimaryColumn)({ type: "uuid", name: "user_id" }),
     __metadata("design:type", String)
 ], SecurityUserEntity.prototype, "userId", void 0);
 __decorate([

package/dist/nest/security-auth.service.js

@@ -17,6 +17,7 @@ const common_1 = require("@nestjs/common");
 const crypto_1 = require("crypto");
 const bcryptjs_1 = require("bcryptjs");
 const jsonwebtoken_1 = require("jsonwebtoken");
+const uuid_1 = require("uuid");
 const typeorm_1 = require("@nestjs/typeorm");
 const typeorm_2 = require("typeorm");
 const roles_1 = require("../api/roles");
@@ -58,6 +59,7 @@ let SecurityAuthService = class SecurityAuthService {
             throw new common_1.BadRequestException("Email already in use");
         }
         const appUser = await this.appUsersRepo.save(this.appUsersRepo.create({
+            id: (0, uuid_1.v7)(),
             email,
         }));
         const securityUser = await this.securityUsersRepo.save(this.securityUsersRepo.create({
@@ -161,6 +163,7 @@ let SecurityAuthService = class SecurityAuthService {
         const expiresAt = new Date(Date.now() +
             (this.options.passwordResetTokenExpiresInMinutes ?? 30) * 60_000);
         await this.passwordResetRepo.save(this.passwordResetRepo.create({
+            id: (0, uuid_1.v7)(),
             userId: appUser.id,
             token,
             expiresAt,
@@ -220,7 +223,7 @@ let SecurityAuthService = class SecurityAuthService {
         const refreshTokenExpiresAt = new Date(Date.now() +
             (this.options.refreshTokenExpiresInDays ?? 30) * 24 * 60 * 60 * 1000);
         await this.refreshTokenRepo.save(this.refreshTokenRepo.create({
-            id: (0, crypto_1.randomUUID)(),
+            id: (0, uuid_1.v7)(),
             userId: appUser.id,
             tokenHash: refreshTokenHash,
             expiresAt: refreshTokenExpiresAt,

package/dist/nest/security-auth.service.test.js

@@ -8,11 +8,13 @@ vitest_1.vi.mock("bcryptjs", () => ({
 }));
 vitest_1.vi.mock("crypto", () => ({
     randomBytes: vitest_1.vi.fn(() => ({ toString: () => "token-bytes" })),
-    randomUUID: vitest_1.vi.fn(() => "uuid-1"),
 }));
 vitest_1.vi.mock("jsonwebtoken", () => ({
     sign: vitest_1.vi.fn(() => "signed-access-token"),
 }));
+vitest_1.vi.mock("uuid", () => ({
+    v7: vitest_1.vi.fn(() => "uuid-1"),
+}));
 const bcryptjs_1 = require("bcryptjs");
 const jsonwebtoken_1 = require("jsonwebtoken");
 const security_auth_service_1 = require("./security-auth.service");

package/dist/nest/security-workflows.controller.d.ts

@@ -49,23 +49,23 @@ export declare class SecurityWorkflowsController {
     } | {
         success: true;
     }>;
-    getUserRoles(id: string): Promise<{
+    getUserRoles(userId: string): Promise<{
         userId: string;
         roles: string[];
     }>;
-    setUserRoles(id: string, body: {
+    setUserRoles(userId: string, body: {
         roles?: string[];
     }): Promise<{
         userId: string;
         roles: string[];
     }>;
-    assignUserRole(id: string, body: {
+    assignUserRole(userId: string, body: {
         role?: string;
     }): Promise<{
         userId: string;
         roles: string[];
     }>;
-    removeUserRole(id: string, role: string): Promise<{
+    removeUserRole(userId: string, role: string): Promise<{
         userId: string;
         roles: string[];
     }>;

package/dist/nest/security-workflows.controller.js

@@ -53,23 +53,23 @@ let SecurityWorkflowsController = class SecurityWorkflowsController {
     async removeRole(role) {
         return this.workflowsService.removeRole(role);
     }
-    async getUserRoles(id) {
-        return this.workflowsService.getUserRoles(id);
+    async getUserRoles(userId) {
+        return this.workflowsService.getUserRoles(userId);
     }
-    async setUserRoles(id, body) {
+    async setUserRoles(userId, body) {
         if (!Array.isArray(body.roles)) {
             throw new common_1.BadRequestException("roles must be an array");
         }
-        return this.workflowsService.setUserRoles(id, body.roles);
+        return this.workflowsService.setUserRoles(userId, body.roles);
     }
-    async assignUserRole(id, body) {
+    async assignUserRole(userId, body) {
         if (!body.role || !body.role.trim()) {
             throw new common_1.BadRequestException("role is required");
         }
-        return this.workflowsService.assignRoleToUser(id, body.role);
+        return this.workflowsService.assignRoleToUser(userId, body.role);
     }
-    async removeUserRole(id, role) {
-        return this.workflowsService.removeRoleFromUser(id, role);
+    async removeUserRole(userId, role) {
+        return this.workflowsService.removeRoleFromUser(userId, role);
     }
 };
 exports.SecurityWorkflowsController = SecurityWorkflowsController;
@@ -136,45 +136,65 @@ __decorate([
     __metadata("design:returntype", Promise)
 ], SecurityWorkflowsController.prototype, "removeRole", null);
 __decorate([
-    (0, common_1.Get)("users/:id/roles"),
+    (0, common_1.Get)("users/:userId/roles"),
     (0, common_1.UseGuards)(security_jwt_guard_1.SecurityJwtGuard, security_admin_guard_1.SecurityAdminGuard),
     (0, swagger_1.ApiOperation)({ summary: "Get assigned roles for a user" }),
+    (0, swagger_1.ApiParam)({
+        name: "userId",
+        description: "User id from app_user.id",
+        type: String,
+    }),
     (0, swagger_1.ApiBearerAuth)(),
-    __param(0, (0, common_1.Param)("id")),
+    __param(0, (0, common_1.Param)("userId")),
     __metadata("design:type", Function),
     __metadata("design:paramtypes", [String]),
     __metadata("design:returntype", Promise)
 ], SecurityWorkflowsController.prototype, "getUserRoles", null);
 __decorate([
-    (0, common_1.Put)("users/:id/roles"),
+    (0, common_1.Put)("users/:userId/roles"),
     (0, common_1.UseGuards)(security_jwt_guard_1.SecurityJwtGuard, security_admin_guard_1.SecurityAdminGuard),
     (0, swagger_1.ApiOperation)({ summary: "Replace user roles" }),
+    (0, swagger_1.ApiParam)({
+        name: "userId",
+        description: "User id from app_user.id",
+        type: String,
+    }),
     (0, swagger_1.ApiBearerAuth)(),
     (0, swagger_1.ApiBody)({ type: workflows_dto_1.SetUserRolesDto }),
-    __param(0, (0, common_1.Param)("id")),
+    __param(0, (0, common_1.Param)("userId")),
     __param(1, (0, common_1.Body)()),
     __metadata("design:type", Function),
     __metadata("design:paramtypes", [String, Object]),
     __metadata("design:returntype", Promise)
 ], SecurityWorkflowsController.prototype, "setUserRoles", null);
 __decorate([
-    (0, common_1.Post)("users/:id/roles"),
+    (0, common_1.Post)("users/:userId/roles"),
     (0, common_1.UseGuards)(security_jwt_guard_1.SecurityJwtGuard, security_admin_guard_1.SecurityAdminGuard),
     (0, swagger_1.ApiOperation)({ summary: "Assign one role to a user" }),
+    (0, swagger_1.ApiParam)({
+        name: "userId",
+        description: "User id from app_user.id",
+        type: String,
+    }),
     (0, swagger_1.ApiBearerAuth)(),
     (0, swagger_1.ApiBody)({ type: workflows_dto_1.AssignRoleDto }),
-    __param(0, (0, common_1.Param)("id")),
+    __param(0, (0, common_1.Param)("userId")),
     __param(1, (0, common_1.Body)()),
     __metadata("design:type", Function),
     __metadata("design:paramtypes", [String, Object]),
     __metadata("design:returntype", Promise)
 ], SecurityWorkflowsController.prototype, "assignUserRole", null);
 __decorate([
-    (0, common_1.Delete)("users/:id/roles/:role"),
+    (0, common_1.Delete)("users/:userId/roles/:role"),
     (0, common_1.UseGuards)(security_jwt_guard_1.SecurityJwtGuard, security_admin_guard_1.SecurityAdminGuard),
     (0, swagger_1.ApiOperation)({ summary: "Remove one role from a user" }),
+    (0, swagger_1.ApiParam)({
+        name: "userId",
+        description: "User id from app_user.id",
+        type: String,
+    }),
     (0, swagger_1.ApiBearerAuth)(),
-    __param(0, (0, common_1.Param)("id")),
+    __param(0, (0, common_1.Param)("userId")),
     __param(1, (0, common_1.Param)("role")),
     __metadata("design:type", Function),
     __metadata("design:paramtypes", [String, String]),

package/dist/nest/security-workflows.service.js

@@ -16,6 +16,7 @@ exports.SecurityWorkflowsService = void 0;
 const common_1 = require("@nestjs/common");
 const typeorm_1 = require("@nestjs/typeorm");
 const typeorm_2 = require("typeorm");
+const uuid_1 = require("uuid");
 const contracts_1 = require("../api/contracts");
 const roles_1 = require("../api/roles");
 const app_user_entity_1 = require("./entities/app-user.entity");
@@ -94,6 +95,7 @@ let SecurityWorkflowsService = class SecurityWorkflowsService {
         let role = await this.rolesRepo.findOne({ where: { roleKey } });
         if (!role) {
             role = this.rolesRepo.create({
+                id: (0, uuid_1.v7)(),
                 roleKey,
                 description: description?.trim() || null,
                 isSystem: roleKey === contracts_1.ADMIN_ROLE,
@@ -139,6 +141,7 @@ let SecurityWorkflowsService = class SecurityWorkflowsService {
         await this.userRolesRepo.delete({ userId });
         if (roles.length > 0) {
             await this.userRolesRepo.save(roles.map((role) => this.userRolesRepo.create({
+                id: (0, uuid_1.v7)(),
                 userId,
                 roleId: role.id,
             })));
@@ -182,6 +185,7 @@ let SecurityWorkflowsService = class SecurityWorkflowsService {
             return;
         }
         await this.rolesRepo.save(missing.map((roleKey) => this.rolesRepo.create({
+            id: (0, uuid_1.v7)(),
             roleKey,
             description: null,
             isSystem: roleKey === contracts_1.ADMIN_ROLE,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@scryan7371/sdr-security",
-  "version": "0.1.3",
+  "version": "0.1.5",
   "description": "Reusable auth/security capability for API and app clients.",
   "main": "dist/index.js",
   "exports": {
@@ -34,7 +34,8 @@
   "dependencies": {
     "@babel/runtime": "7.28.6",
     "bcryptjs": "3.0.3",
-    "jsonwebtoken": "9.0.3"
+    "jsonwebtoken": "9.0.3",
+    "uuid": "11.1.0"
   },
   "peerDependencies": {
     "@nestjs/common": "^11.0.0",

package/src/api/migrations/1700000000001-add-refresh-tokens.ts

@@ -8,11 +8,11 @@ export class AddRefreshTokens1700000000001 {
 
     await queryRunner.query(`
       CREATE TABLE "refresh_token" (
-        "id" varchar PRIMARY KEY NOT NULL,
+        "id" uuid PRIMARY KEY NOT NULL DEFAULT uuidv7(),
         "token_hash" varchar NOT NULL,
         "expires_at" timestamptz NOT NULL,
         "revoked_at" timestamptz,
-        "userId" varchar,
+        "userId" uuid,
         "created_at" timestamptz NOT NULL DEFAULT (CURRENT_TIMESTAMP),
         CONSTRAINT "FK_refresh_token_user" FOREIGN KEY ("userId") REFERENCES ${userTableRef} ("id") ON DELETE CASCADE ON UPDATE NO ACTION
       )

package/src/api/migrations/1739490000000-create-app-user.ts

@@ -0,0 +1,39 @@
+export class CreateAppUser1739490000000 {
+  name = "CreateAppUser1739490000000";
+
+  async up(queryRunner: {
+    query: (sql: string) => Promise<unknown>;
+  }): Promise<void> {
+    const userTableRef = getUserTableReference();
+
+    await queryRunner.query(`
+      CREATE TABLE IF NOT EXISTS ${userTableRef} (
+        "id" uuid PRIMARY KEY NOT NULL,
+        "email" varchar NOT NULL
+      )
+    `);
+  }
+
+  async down(queryRunner: {
+    query: (sql: string) => Promise<unknown>;
+  }): Promise<void> {
+    const userTableRef = getUserTableReference();
+    await queryRunner.query(`DROP TABLE IF EXISTS ${userTableRef}`);
+  }
+}
+
+const getSafeIdentifier = (value: string | undefined, fallback: string) => {
+  const resolved = value?.trim() || fallback;
+  if (!resolved || !/^[A-Za-z_][A-Za-z0-9_]*$/.test(resolved)) {
+    throw new Error(`Invalid SQL identifier: ${resolved}`);
+  }
+  return resolved;
+};
+
+const getUserTableReference = () => {
+  const table = getSafeIdentifier(process.env.USER_TABLE, "app_user");
+  const schema = process.env.USER_TABLE_SCHEMA
+    ? getSafeIdentifier(process.env.USER_TABLE_SCHEMA, "public")
+    : "public";
+  return `"${schema}"."${table}"`;
+};

package/src/api/migrations/1739500000000-create-security-identity.ts

@@ -9,7 +9,7 @@ export class CreateSecurityIdentity1739500000000 {
     await queryRunner.query(`
       CREATE TABLE IF NOT EXISTS "security_identity" (
         "id" uuid PRIMARY KEY NOT NULL DEFAULT uuidv7(),
-        "user_id" varchar NOT NULL,
+        "user_id" uuid NOT NULL,
         "provider" varchar NOT NULL,
         "provider_subject" varchar NOT NULL,
         "created_at" timestamptz NOT NULL DEFAULT now(),

package/src/api/migrations/1739515000000-create-security-user-roles.ts

@@ -9,7 +9,7 @@ export class CreateSecurityUserRoles1739515000000 {
     await queryRunner.query(`
       CREATE TABLE IF NOT EXISTS "security_user_role" (
         "id" uuid PRIMARY KEY NOT NULL DEFAULT uuidv7(),
-        "user_id" varchar NOT NULL,
+        "user_id" uuid NOT NULL,
         "role_id" uuid NOT NULL,
         "created_at" timestamptz NOT NULL DEFAULT now(),
         CONSTRAINT "FK_security_user_role_user_id" FOREIGN KEY ("user_id") REFERENCES ${userTableRef} ("id") ON DELETE CASCADE,

package/src/api/migrations/1739520000000-create-password-reset-tokens.ts

@@ -9,7 +9,7 @@ export class CreatePasswordResetTokens1739520000000 {
     await queryRunner.query(`
       CREATE TABLE IF NOT EXISTS "security_password_reset_token" (
         "id" uuid PRIMARY KEY NOT NULL DEFAULT uuidv7(),
-        "user_id" varchar NOT NULL,
+        "user_id" uuid NOT NULL,
         "token" varchar NOT NULL,
         "expires_at" timestamptz NOT NULL,
         "used_at" timestamptz,

package/src/api/migrations/1739530000000-create-security-user.ts

@@ -8,7 +8,7 @@ export class CreateSecurityUser1739530000000 {
 
     await queryRunner.query(`
       CREATE TABLE IF NOT EXISTS "security_user" (
-        "user_id" varchar PRIMARY KEY NOT NULL,
+        "user_id" uuid PRIMARY KEY NOT NULL,
         "password_hash" varchar NOT NULL,
         "email_verified_at" timestamptz,
         "email_verification_token" varchar,

package/src/api/migrations/index.ts

@@ -1,3 +1,4 @@
+import { CreateAppUser1739490000000 } from "./1739490000000-create-app-user";
 import { AddRefreshTokens1700000000001 } from "./1700000000001-add-refresh-tokens";
 import { CreateSecurityIdentity1739500000000 } from "./1739500000000-create-security-identity";
 import { CreateSecurityRoles1739510000000 } from "./1739510000000-create-security-roles";
@@ -5,7 +6,8 @@ import { CreateSecurityUserRoles1739515000000 } from "./1739515000000-create-sec
 import { CreatePasswordResetTokens1739520000000 } from "./1739520000000-create-password-reset-tokens";
 import { CreateSecurityUser1739530000000 } from "./1739530000000-create-security-user";
 
-export const securityMigrations = [
+export const allMigrations = [
+  CreateAppUser1739490000000,
   AddRefreshTokens1700000000001,
   CreateSecurityIdentity1739500000000,
   CreateSecurityRoles1739510000000,
@@ -14,7 +16,12 @@ export const securityMigrations = [
   CreateSecurityUser1739530000000,
 ];
 
+export const securityMigrations = allMigrations.filter(
+  (migration) => migration !== CreateAppUser1739490000000,
+);
+
 export {
+  CreateAppUser1739490000000,
   AddRefreshTokens1700000000001,
   CreateSecurityIdentity1739500000000,
   CreateSecurityRoles1739510000000,

package/src/api/migrations/migrations.test.ts

@@ -1,11 +1,12 @@
 import { afterEach, describe, expect, it, vi } from "vitest";
+import { CreateAppUser1739490000000 } from "./1739490000000-create-app-user";
 import { AddRefreshTokens1700000000001 } from "./1700000000001-add-refresh-tokens";
 import { CreateSecurityIdentity1739500000000 } from "./1739500000000-create-security-identity";
 import { CreateSecurityRoles1739510000000 } from "./1739510000000-create-security-roles";
 import { CreateSecurityUserRoles1739515000000 } from "./1739515000000-create-security-user-roles";
 import { CreatePasswordResetTokens1739520000000 } from "./1739520000000-create-password-reset-tokens";
 import { CreateSecurityUser1739530000000 } from "./1739530000000-create-security-user";
-import { securityMigrations } from "./index";
+import { allMigrations, securityMigrations } from "./index";
 
 const originalEnv = { ...process.env };
 
@@ -15,6 +16,19 @@ afterEach(() => {
 });
 
 describe("security migrations", () => {
+  it("exports all migration list for test/dev", () => {
+    expect(allMigrations.length).toBe(7);
+    expect(allMigrations).toEqual([
+      CreateAppUser1739490000000,
+      AddRefreshTokens1700000000001,
+      CreateSecurityIdentity1739500000000,
+      CreateSecurityRoles1739510000000,
+      CreateSecurityUserRoles1739515000000,
+      CreatePasswordResetTokens1739520000000,
+      CreateSecurityUser1739530000000,
+    ]);
+  });
+
   it("exports migration list", () => {
     expect(securityMigrations.length).toBe(6);
     expect(securityMigrations).toEqual([
@@ -27,6 +41,21 @@ describe("security migrations", () => {
     ]);
   });
 
+  it("runs app user migration up/down", async () => {
+    const query = vi.fn().mockResolvedValue(undefined);
+    const migration = new CreateAppUser1739490000000();
+
+    await migration.up({ query });
+    await migration.down({ query });
+
+    expect(query).toHaveBeenCalledWith(
+      expect.stringContaining('CREATE TABLE IF NOT EXISTS "public"."app_user"'),
+    );
+    expect(query).toHaveBeenCalledWith(
+      expect.stringContaining('DROP TABLE IF EXISTS "public"."app_user"'),
+    );
+  });
+
   it("runs refresh token migration up/down", async () => {
     const query = vi.fn().mockResolvedValue(undefined);
     const migration = new AddRefreshTokens1700000000001();

package/src/integration/database.integration.test.ts

@@ -2,7 +2,7 @@ import { existsSync, readFileSync } from "node:fs";
 import path from "node:path";
 import { afterAll, beforeAll, describe, expect, it } from "vitest";
 import { Client, ClientConfig } from "pg";
-import { securityMigrations } from "../api/migrations";
+import { allMigrations } from "../api/migrations";
 
 type QueryRunnerLike = {
   query: (sql: string, params?: unknown[]) => Promise<unknown>;
@@ -119,17 +119,10 @@ describe("database integration", () => {
     }
     await client.query(`CREATE SCHEMA IF NOT EXISTS "${schema}"`);
     await client.query(`SET search_path TO "${schema}", public`);
-    await client.query(`
-      CREATE TABLE IF NOT EXISTS "${schema}"."app_user" (
-        "id" varchar PRIMARY KEY NOT NULL,
-        "email" varchar NOT NULL
-      )
-    `);
-
     process.env.USER_TABLE = "app_user";
     process.env.USER_TABLE_SCHEMA = schema;
 
-    for (const Migration of securityMigrations) {
+    for (const Migration of allMigrations) {
       await new Migration().up(runner as never);
     }
   });
@@ -140,10 +133,9 @@ describe("database integration", () => {
     }
 
     if (!keepSchemaForDebug) {
-      for (const Migration of [...securityMigrations].reverse()) {
+      for (const Migration of [...allMigrations].reverse()) {
         await new Migration().down(runner as never);
       }
-      await client.query(`DROP TABLE IF EXISTS "${schema}"."app_user"`);
       await client.query(`DROP SCHEMA IF EXISTS "${schema}" CASCADE`);
     }
     await client.end();

package/src/nest/entities/app-user.entity.ts

@@ -1,8 +1,8 @@
-import { Column, Entity, PrimaryGeneratedColumn } from "typeorm";
+import { Column, Entity, PrimaryColumn } from "typeorm";
 
 @Entity({ name: "app_user" })
 export class AppUserEntity {
-  @PrimaryGeneratedColumn("uuid")
+  @PrimaryColumn({ type: "uuid" })
   id!: string;
 
   @Column({ type: "varchar" })

package/src/nest/entities/password-reset-token.entity.ts

@@ -1,16 +1,18 @@
 import {
+  BeforeInsert,
   Column,
   CreateDateColumn,
   Entity,
-  PrimaryGeneratedColumn,
+  PrimaryColumn,
 } from "typeorm";
+import { v7 as uuidv7 } from "uuid";
 
 @Entity({ name: "security_password_reset_token" })
 export class PasswordResetTokenEntity {
-  @PrimaryGeneratedColumn("uuid")
+  @PrimaryColumn({ type: "uuid" })
   id!: string;
 
-  @Column({ type: "varchar", name: "user_id" })
+  @Column({ type: "uuid", name: "user_id" })
   userId!: string;
 
   @Column({ type: "varchar", unique: true })
@@ -24,4 +26,11 @@ export class PasswordResetTokenEntity {
 
   @CreateDateColumn({ name: "created_at" })
   createdAt!: Date;
+
+  @BeforeInsert()
+  ensureId() {
+    if (!this.id) {
+      this.id = uuidv7();
+    }
+  }
 }

package/src/nest/entities/refresh-token.entity.ts

@@ -2,7 +2,7 @@ import { Column, CreateDateColumn, Entity, PrimaryColumn } from "typeorm";
 
 @Entity({ name: "refresh_token" })
 export class RefreshTokenEntity {
-  @PrimaryColumn({ type: "varchar" })
+  @PrimaryColumn({ type: "uuid" })
   id!: string;
 
   @Column({ type: "varchar", name: "token_hash" })
@@ -14,7 +14,7 @@ export class RefreshTokenEntity {
   @Column({ type: "timestamptz", name: "revoked_at", nullable: true })
   revokedAt!: Date | null;
 
-  @Column({ type: "varchar", name: "userId", nullable: true })
+  @Column({ type: "uuid", name: "userId", nullable: true })
   userId!: string | null;
 
   @CreateDateColumn({ name: "created_at" })

package/src/nest/entities/security-role.entity.ts

@@ -1,8 +1,9 @@
-import { Column, Entity, PrimaryGeneratedColumn } from "typeorm";
+import { v7 as uuidv7 } from "uuid";
+import { BeforeInsert, Column, Entity, PrimaryColumn } from "typeorm";
 
 @Entity({ name: "security_role" })
 export class SecurityRoleEntity {
-  @PrimaryGeneratedColumn("uuid")
+  @PrimaryColumn({ type: "uuid" })
   id!: string;
 
   @Column({ type: "varchar", name: "role_key", unique: true })
@@ -13,4 +14,11 @@ export class SecurityRoleEntity {
 
   @Column({ type: "boolean", name: "is_system", default: false })
   isSystem!: boolean;
+
+  @BeforeInsert()
+  ensureId() {
+    if (!this.id) {
+      this.id = uuidv7();
+    }
+  }
 }

package/src/nest/entities/security-user-role.entity.ts

@@ -1,13 +1,21 @@
-import { Column, Entity, PrimaryGeneratedColumn } from "typeorm";
+import { v7 as uuidv7 } from "uuid";
+import { BeforeInsert, Column, Entity, PrimaryColumn } from "typeorm";
 
 @Entity({ name: "security_user_role" })
 export class SecurityUserRoleEntity {
-  @PrimaryGeneratedColumn("uuid")
+  @PrimaryColumn({ type: "uuid" })
   id!: string;
 
-  @Column({ type: "varchar", name: "user_id" })
+  @Column({ type: "uuid", name: "user_id" })
   userId!: string;
 
   @Column({ type: "uuid", name: "role_id" })
   roleId!: string;
+
+  @BeforeInsert()
+  ensureId() {
+    if (!this.id) {
+      this.id = uuidv7();
+    }
+  }
 }

package/src/nest/entities/security-user.entity.ts

@@ -2,7 +2,7 @@ import { Column, CreateDateColumn, Entity, PrimaryColumn } from "typeorm";
 
 @Entity({ name: "security_user" })
 export class SecurityUserEntity {
-  @PrimaryColumn({ type: "varchar", name: "user_id" })
+  @PrimaryColumn({ type: "uuid", name: "user_id" })
   userId!: string;
 
   @Column({ type: "varchar", name: "password_hash" })

package/src/nest/security-auth.service.test.ts

@@ -10,13 +10,16 @@ vi.mock("bcryptjs", () => ({
 
 vi.mock("crypto", () => ({
   randomBytes: vi.fn(() => ({ toString: () => "token-bytes" })),
-  randomUUID: vi.fn(() => "uuid-1"),
 }));
 
 vi.mock("jsonwebtoken", () => ({
   sign: vi.fn(() => "signed-access-token"),
 }));
 
+vi.mock("uuid", () => ({
+  v7: vi.fn(() => "uuid-1"),
+}));
+
 import { compare } from "bcryptjs";
 import { sign } from "jsonwebtoken";
 import { SecurityAuthService } from "./security-auth.service";

package/src/nest/security-auth.service.ts

@@ -4,9 +4,10 @@ import {
   Injectable,
   UnauthorizedException,
 } from "@nestjs/common";
-import { randomBytes, randomUUID } from "crypto";
+import { randomBytes } from "crypto";
 import { compare, hash } from "bcryptjs";
 import { sign, type SignOptions } from "jsonwebtoken";
+import { v7 as uuidv7 } from "uuid";
 import { InjectRepository } from "@nestjs/typeorm";
 import { In, IsNull, Repository } from "typeorm";
 import { AuthResponse, RegisterResponse } from "../api/contracts";
@@ -60,6 +61,7 @@ export class SecurityAuthService {
 
     const appUser = await this.appUsersRepo.save(
       this.appUsersRepo.create({
+        id: uuidv7(),
         email,
       }),
     );
@@ -195,6 +197,7 @@ export class SecurityAuthService {
     );
     await this.passwordResetRepo.save(
       this.passwordResetRepo.create({
+        id: uuidv7(),
         userId: appUser.id,
         token,
         expiresAt,
@@ -283,7 +286,7 @@ export class SecurityAuthService {
 
     await this.refreshTokenRepo.save(
       this.refreshTokenRepo.create({
-        id: randomUUID(),
+        id: uuidv7(),
         userId: appUser.id,
         tokenHash: refreshTokenHash,
         expiresAt: refreshTokenExpiresAt,

package/src/nest/security-workflows.controller.ts

@@ -10,7 +10,13 @@ import {
   Put,
   UseGuards,
 } from "@nestjs/common";
-import { ApiBearerAuth, ApiBody, ApiOperation, ApiTags } from "@nestjs/swagger";
+import {
+  ApiBearerAuth,
+  ApiBody,
+  ApiOperation,
+  ApiParam,
+  ApiTags,
+} from "@nestjs/swagger";
 import { SecurityAdminGuard } from "./security-admin.guard";
 import { SecurityJwtGuard } from "./security-jwt.guard";
 import { SecurityWorkflowsService } from "./security-workflows.service";
@@ -101,49 +107,72 @@ export class SecurityWorkflowsController {
     return this.workflowsService.removeRole(role);
   }
 
-  @Get("users/:id/roles")
+  @Get("users/:userId/roles")
   @UseGuards(SecurityJwtGuard, SecurityAdminGuard)
   @ApiOperation({ summary: "Get assigned roles for a user" })
+  @ApiParam({
+    name: "userId",
+    description: "User id from app_user.id",
+    type: String,
+  })
   @ApiBearerAuth()
-  async getUserRoles(@Param("id") id: string) {
-    return this.workflowsService.getUserRoles(id);
+  async getUserRoles(@Param("userId") userId: string) {
+    return this.workflowsService.getUserRoles(userId);
   }
 
-  @Put("users/:id/roles")
+  @Put("users/:userId/roles")
   @UseGuards(SecurityJwtGuard, SecurityAdminGuard)
   @ApiOperation({ summary: "Replace user roles" })
+  @ApiParam({
+    name: "userId",
+    description: "User id from app_user.id",
+    type: String,
+  })
   @ApiBearerAuth()
   @ApiBody({ type: SetUserRolesDto })
   async setUserRoles(
-    @Param("id") id: string,
+    @Param("userId") userId: string,
     @Body() body: { roles?: string[] },
   ) {
     if (!Array.isArray(body.roles)) {
       throw new BadRequestException("roles must be an array");
     }
-    return this.workflowsService.setUserRoles(id, body.roles);
+    return this.workflowsService.setUserRoles(userId, body.roles);
   }
 
-  @Post("users/:id/roles")
+  @Post("users/:userId/roles")
   @UseGuards(SecurityJwtGuard, SecurityAdminGuard)
   @ApiOperation({ summary: "Assign one role to a user" })
+  @ApiParam({
+    name: "userId",
+    description: "User id from app_user.id",
+    type: String,
+  })
   @ApiBearerAuth()
   @ApiBody({ type: AssignRoleDto })
   async assignUserRole(
-    @Param("id") id: string,
+    @Param("userId") userId: string,
     @Body() body: { role?: string },
   ) {
     if (!body.role || !body.role.trim()) {
       throw new BadRequestException("role is required");
     }
-    return this.workflowsService.assignRoleToUser(id, body.role);
+    return this.workflowsService.assignRoleToUser(userId, body.role);
   }
 
-  @Delete("users/:id/roles/:role")
+  @Delete("users/:userId/roles/:role")
   @UseGuards(SecurityJwtGuard, SecurityAdminGuard)
   @ApiOperation({ summary: "Remove one role from a user" })
+  @ApiParam({
+    name: "userId",
+    description: "User id from app_user.id",
+    type: String,
+  })
   @ApiBearerAuth()
-  async removeUserRole(@Param("id") id: string, @Param("role") role: string) {
-    return this.workflowsService.removeRoleFromUser(id, role);
+  async removeUserRole(
+    @Param("userId") userId: string,
+    @Param("role") role: string,
+  ) {
+    return this.workflowsService.removeRoleFromUser(userId, role);
   }
 }

package/src/nest/security-workflows.service.ts

@@ -1,6 +1,7 @@
 import { Inject, Injectable, NotFoundException } from "@nestjs/common";
 import { InjectRepository } from "@nestjs/typeorm";
 import { In, Repository } from "typeorm";
+import { v7 as uuidv7 } from "uuid";
 import { ADMIN_ROLE } from "../api/contracts";
 import { normalizeRoleName } from "../api/roles";
 import { AppUserEntity } from "./entities/app-user.entity";
@@ -106,6 +107,7 @@ export class SecurityWorkflowsService {
     let role = await this.rolesRepo.findOne({ where: { roleKey } });
     if (!role) {
       role = this.rolesRepo.create({
+        id: uuidv7(),
         roleKey,
         description: description?.trim() || null,
         isSystem: roleKey === ADMIN_ROLE,
@@ -158,6 +160,7 @@ export class SecurityWorkflowsService {
       await this.userRolesRepo.save(
         roles.map((role) =>
           this.userRolesRepo.create({
+            id: uuidv7(),
             userId,
             roleId: role.id,
           }),
@@ -210,6 +213,7 @@ export class SecurityWorkflowsService {
     await this.rolesRepo.save(
       missing.map((roleKey) =>
         this.rolesRepo.create({
+          id: uuidv7(),
           roleKey,
           description: null,
           isSystem: roleKey === ADMIN_ROLE,