@varshylinc/team-management 0.1.0

package/src/server/services/organizations.service.ts

@@ -0,0 +1,110 @@
+import type { Pool } from 'pg';
+import type { TmOrganization, TmMembership } from '../types.js';
+
+export async function createOrg(
+  pool: Pool,
+  { name, slug, ownerUserId }: { name: string; slug: string; ownerUserId: number }
+): Promise<TmOrganization> {
+  const result = await pool.query<TmOrganization>(
+    `INSERT INTO tm_organizations (name, slug, owner_user_id, settings)
+     VALUES ($1, $2, $3, '{}')
+     RETURNING *`,
+    [name, slug, ownerUserId]
+  );
+  return result.rows[0];
+}
+
+export async function getOrg(pool: Pool, orgId: number): Promise<TmOrganization | null> {
+  const result = await pool.query<TmOrganization>(
+    `SELECT * FROM tm_organizations WHERE id = $1 AND deleted_at IS NULL`,
+    [orgId]
+  );
+  return result.rows[0] ?? null;
+}
+
+export async function getOrgBySlug(pool: Pool, slug: string): Promise<TmOrganization | null> {
+  const result = await pool.query<TmOrganization>(
+    `SELECT * FROM tm_organizations WHERE slug = $1 AND deleted_at IS NULL`,
+    [slug]
+  );
+  return result.rows[0] ?? null;
+}
+
+export async function updateOrg(
+  pool: Pool,
+  orgId: number,
+  updates: { name?: string; slug?: string }
+): Promise<TmOrganization> {
+  const fields: string[] = [];
+  const values: unknown[] = [];
+  let idx = 1;
+
+  if (updates.name !== undefined) {
+    fields.push(`name = $${idx++}`);
+    values.push(updates.name);
+  }
+  if (updates.slug !== undefined) {
+    fields.push(`slug = $${idx++}`);
+    values.push(updates.slug);
+  }
+  if (fields.length === 0) {
+    const existing = await getOrg(pool, orgId);
+    if (!existing) throw new Error('Organization not found');
+    return existing;
+  }
+
+  fields.push(`updated_at = NOW()`);
+  values.push(orgId);
+
+  const result = await pool.query<TmOrganization>(
+    `UPDATE tm_organizations SET ${fields.join(', ')} WHERE id = $${idx} AND deleted_at IS NULL RETURNING *`,
+    values
+  );
+  if (result.rows.length === 0) throw new Error('Organization not found or already deleted');
+  return result.rows[0];
+}
+
+export async function softDeleteOrg(
+  pool: Pool,
+  orgId: number,
+  deletedByUserId: number
+): Promise<void> {
+  const result = await pool.query(
+    `UPDATE tm_organizations
+     SET deleted_at = NOW(),
+         delete_scheduled_for = NOW() + INTERVAL '30 days',
+         deleted_by_user_id = $1,
+         updated_at = NOW()
+     WHERE id = $2 AND deleted_at IS NULL`,
+    [deletedByUserId, orgId]
+  );
+  if (result.rowCount === 0) throw new Error('Organization not found or already deleted');
+}
+
+export async function listOrgMembers(
+  pool: Pool,
+  orgId: number,
+  { includeRemoved = false }: { includeRemoved?: boolean } = {}
+): Promise<TmMembership[]> {
+  const whereClause = includeRemoved
+    ? `WHERE org_id = $1`
+    : `WHERE org_id = $1 AND removed_at IS NULL`;
+
+  const result = await pool.query<TmMembership>(
+    `SELECT * FROM tm_memberships ${whereClause} ORDER BY joined_at ASC`,
+    [orgId]
+  );
+  return result.rows;
+}
+
+export async function getActiveMembership(
+  pool: Pool,
+  orgId: number,
+  userId: number
+): Promise<TmMembership | null> {
+  const result = await pool.query<TmMembership>(
+    `SELECT * FROM tm_memberships WHERE org_id = $1 AND user_id = $2 AND removed_at IS NULL`,
+    [orgId, userId]
+  );
+  return result.rows[0] ?? null;
+}

package/src/server/services/ownership.service.ts

@@ -0,0 +1,170 @@
+import type { Pool } from 'pg';
+import type { TmOwnershipTransfer, ServerModuleAdapter } from '../types.js';
+
+const TRANSFER_EXPIRY_HOURS = 48;
+
+export async function initiateTransfer(
+  pool: Pool,
+  adapter: ServerModuleAdapter,
+  {
+    orgId,
+    fromUserId,
+    toUserId,
+    baseUrl,
+  }: { orgId: number; fromUserId: number; toUserId: number; baseUrl: string }
+): Promise<TmOwnershipTransfer> {
+  // Validate target is an active admin (not owner)
+  const targetMembership = await pool.query(
+    `SELECT role FROM tm_memberships WHERE org_id = $1 AND user_id = $2 AND removed_at IS NULL`,
+    [orgId, toUserId]
+  );
+  if (targetMembership.rows.length === 0) {
+    throw new Error('Target user is not a member of this organization');
+  }
+  if (targetMembership.rows[0].role !== 'admin') {
+    throw new Error('Ownership can only be transferred to an admin member');
+  }
+
+  // Check no pending transfer exists
+  const pending = await pool.query(
+    `SELECT id FROM tm_ownership_transfers
+     WHERE org_id = $1 AND status = 'pending' AND expires_at > NOW()`,
+    [orgId]
+  );
+  if (pending.rows.length > 0) {
+    throw new Error('A pending ownership transfer already exists for this organization');
+  }
+
+  const expiresAt = new Date(Date.now() + TRANSFER_EXPIRY_HOURS * 60 * 60 * 1000);
+
+  const result = await pool.query<TmOwnershipTransfer>(
+    `INSERT INTO tm_ownership_transfers (org_id, from_user_id, to_user_id, status, expires_at)
+     VALUES ($1, $2, $3, 'pending', $4)
+     RETURNING *`,
+    [orgId, fromUserId, toUserId, expiresAt]
+  );
+
+  const transfer = result.rows[0];
+
+  // Send email to target user
+  const orgResult = await pool.query(`SELECT name FROM tm_organizations WHERE id = $1`, [orgId]);
+  const fromUser = await adapter.getUserById(fromUserId);
+  const toUser = await adapter.getUserById(toUserId);
+  const orgName = orgResult.rows[0]?.name ?? 'Unknown Organization';
+  const fromName = fromUser?.name ?? fromUser?.email ?? 'The current owner';
+
+  if (toUser?.email) {
+    try {
+      await adapter.sendOwnershipTransferEmail({
+        to: toUser.email,
+        orgName,
+        fromName,
+        transferUrl: `${baseUrl}/orgs/${orgId}/transfer/accept`,
+      });
+    } catch (e) {
+      adapter.logger.warn('[ownership] Failed to send transfer email', {
+        transferId: transfer.id,
+        error: (e as Error).message,
+      });
+    }
+  }
+
+  return transfer;
+}
+
+export async function acceptTransfer(
+  pool: Pool,
+  adapter: ServerModuleAdapter,
+  { orgId, acceptingUserId }: { orgId: number; acceptingUserId: number }
+): Promise<void> {
+  const client = await pool.connect();
+  try {
+    await client.query('BEGIN');
+
+    const transferResult = await client.query<TmOwnershipTransfer>(
+      `SELECT * FROM tm_ownership_transfers
+       WHERE org_id = $1 AND status = 'pending' AND expires_at > NOW()
+       FOR UPDATE`,
+      [orgId]
+    );
+    if (transferResult.rows.length === 0) {
+      throw new Error('No valid pending transfer found for this organization');
+    }
+
+    const transfer = transferResult.rows[0];
+    if (transfer.to_user_id !== acceptingUserId) {
+      throw new Error('Only the designated recipient can accept this transfer');
+    }
+
+    // Atomic: demote old owner first (avoids two-owner constraint), then promote new owner
+    await client.query(
+      `UPDATE tm_memberships SET role = 'admin', updated_at = NOW()
+       WHERE org_id = $1 AND user_id = $2 AND removed_at IS NULL`,
+      [orgId, transfer.from_user_id]
+    );
+    await client.query(
+      `UPDATE tm_memberships SET role = 'owner', updated_at = NOW()
+       WHERE org_id = $1 AND user_id = $2 AND removed_at IS NULL`,
+      [orgId, transfer.to_user_id]
+    );
+
+    // Update denormalized owner_user_id on org
+    await client.query(
+      `UPDATE tm_organizations SET owner_user_id = $1, updated_at = NOW() WHERE id = $2`,
+      [transfer.to_user_id, orgId]
+    );
+
+    // Mark transfer as accepted
+    await client.query(
+      `UPDATE tm_ownership_transfers
+       SET status = 'accepted', accepted_at = NOW()
+       WHERE id = $1`,
+      [transfer.id]
+    );
+
+    await client.query('COMMIT');
+  } catch (e) {
+    await client.query('ROLLBACK');
+    throw e;
+  } finally {
+    client.release();
+  }
+}
+
+export async function cancelTransfer(
+  pool: Pool,
+  { orgId, cancelledByUserId }: { orgId: number; cancelledByUserId: number }
+): Promise<void> {
+  const result = await pool.query(
+    `UPDATE tm_ownership_transfers
+     SET status = 'cancelled', cancelled_at = NOW(), cancelled_by_user_id = $1
+     WHERE org_id = $2 AND status = 'pending'`,
+    [cancelledByUserId, orgId]
+  );
+  if ((result.rowCount ?? 0) === 0) {
+    throw new Error('No pending transfer found to cancel');
+  }
+}
+
+export async function getPendingTransfer(
+  pool: Pool,
+  orgId: number
+): Promise<TmOwnershipTransfer | null> {
+  const result = await pool.query<TmOwnershipTransfer>(
+    `SELECT * FROM tm_ownership_transfers
+     WHERE org_id = $1 AND status = 'pending' AND expires_at > NOW()
+     ORDER BY initiated_at DESC
+     LIMIT 1`,
+    [orgId]
+  );
+  return result.rows[0] ?? null;
+}
+
+export async function expireTransfers(pool: Pool): Promise<number> {
+  const result = await pool.query(
+    `UPDATE tm_ownership_transfers
+     SET status = 'expired'
+     WHERE status = 'pending' AND expires_at <= NOW()`
+  );
+  return result.rowCount ?? 0;
+}

package/src/server/services/password-reset.service.ts

@@ -0,0 +1,94 @@
+import type { Pool } from 'pg';
+import type { TmPasswordResetRequest, ServerModuleAdapter } from '../types.js';
+import { generateToken, sha256 } from '../crypto.js';
+import { writeAuditEvent } from './audit.service.js';
+
+const RESET_EXPIRY_HOURS = 2;
+const RATE_LIMIT_MAX = 3;
+const RATE_LIMIT_WINDOW_HOURS = 1;
+
+export async function requestPasswordReset(
+  pool: Pool,
+  adapter: ServerModuleAdapter,
+  {
+    email,
+    baseUrl,
+    triggeredBySuperAdmin: _triggeredBySuperAdmin = false,
+  }: { email: string; baseUrl: string; triggeredBySuperAdmin?: boolean }
+): Promise<void> {
+  // Always return success — do not leak whether email exists
+  const user = await adapter.findUserByEmail(email);
+  if (!user) return;
+
+  // Rate limit: 3 requests per email per hour
+  const rateCheck = await pool.query(
+    `SELECT COUNT(*) FROM tm_password_reset_requests
+     WHERE user_id = $1 AND created_at > NOW() - INTERVAL '${RATE_LIMIT_WINDOW_HOURS} hours'
+       AND used_at IS NULL`,
+    [user.id]
+  );
+  const count = parseInt(rateCheck.rows[0].count, 10);
+  if (count >= RATE_LIMIT_MAX) {
+    // Silently return — don't reveal rate limit to potential attackers
+    return;
+  }
+
+  const token = generateToken(32);
+  const tokenHash = sha256(token);
+  const expiresAt = new Date(Date.now() + RESET_EXPIRY_HOURS * 60 * 60 * 1000);
+
+  await pool.query(
+    `INSERT INTO tm_password_reset_requests (user_id, token_hash, expires_at)
+     VALUES ($1, $2, $3)`,
+    [user.id, tokenHash, expiresAt]
+  );
+
+  const resetUrl = `${baseUrl}/reset-password?token=${token}`;
+
+  await adapter.sendPasswordResetEmail({ to: email, resetUrl });
+}
+
+export async function resetPassword(
+  pool: Pool,
+  adapter: ServerModuleAdapter,
+  { token, newPassword }: { token: string; newPassword: string }
+): Promise<void> {
+  if (!newPassword || newPassword.length < 8) {
+    throw new Error('Password must be at least 8 characters');
+  }
+
+  const tokenHash = sha256(token);
+
+  const result = await pool.query<TmPasswordResetRequest>(
+    `SELECT * FROM tm_password_reset_requests
+     WHERE token_hash = $1 AND used_at IS NULL AND expires_at > NOW()`,
+    [tokenHash]
+  );
+  if (result.rows.length === 0) {
+    throw new Error('Invalid or expired password reset token');
+  }
+
+  const request = result.rows[0];
+  const hashedPassword = await adapter.hashPassword(newPassword);
+
+  await adapter.setUserPassword(request.user_id, hashedPassword);
+
+  // Mark token as used
+  await pool.query(
+    `UPDATE tm_password_reset_requests SET used_at = NOW() WHERE id = $1`,
+    [request.id]
+  );
+
+  // Invalidate all sessions for security
+  await adapter.invalidateAllUserSessions(request.user_id);
+
+  await writeAuditEvent({
+    pool,
+    orgId: null,
+    actorUserId: request.user_id,
+    action: 'user.password_reset',
+    targetType: 'user',
+    targetId: request.user_id,
+  });
+}
+

package/src/server/services/super-admin.service.ts

@@ -0,0 +1,321 @@
+import type { Pool } from 'pg';
+import type { TmOrganization, TmMembership, OrgRole, ServerModuleAdapter } from '../types.js';
+import { writeAuditEvent } from './audit.service.js';
+import { requestPasswordReset } from './password-reset.service.js';
+
+export async function listAllOrgs(pool: Pool): Promise<TmOrganization[]> {
+  const result = await pool.query<TmOrganization>(
+    `SELECT * FROM tm_organizations ORDER BY created_at DESC`
+  );
+  return result.rows;
+}
+
+export async function getOrgForAdmin(
+  pool: Pool,
+  orgId: number
+): Promise<TmOrganization & { memberCount: number }> {
+  const result = await pool.query(
+    `SELECT o.*,
+            COUNT(m.id) FILTER (WHERE m.removed_at IS NULL) AS member_count
+     FROM tm_organizations o
+     LEFT JOIN tm_memberships m ON m.org_id = o.id
+     WHERE o.id = $1
+     GROUP BY o.id`,
+    [orgId]
+  );
+  if (result.rows.length === 0) throw new Error('Organization not found');
+  const row = result.rows[0];
+  return { ...row, memberCount: parseInt(row.member_count, 10) };
+}
+
+export async function getUserForAdmin(
+  pool: Pool,
+  adapter: ServerModuleAdapter,
+  userId: number
+): Promise<{ id: number; email: string; name?: string; memberships: TmMembership[] }> {
+  const user = await adapter.getUserById(userId);
+  if (!user) throw new Error('User not found');
+
+  const memberships = await pool.query<TmMembership>(
+    `SELECT * FROM tm_memberships WHERE user_id = $1 ORDER BY joined_at DESC`,
+    [userId]
+  );
+  return { ...user, memberships: memberships.rows };
+}
+
+export async function restoreOrg(
+  pool: Pool,
+  {
+    orgId,
+    superAdminUserId,
+    reason,
+  }: { orgId: number; superAdminUserId: number; reason: string }
+): Promise<void> {
+  const result = await pool.query(
+    `UPDATE tm_organizations
+     SET deleted_at = NULL, delete_scheduled_for = NULL, deleted_by_user_id = NULL, updated_at = NOW()
+     WHERE id = $1 AND deleted_at IS NOT NULL`,
+    [orgId]
+  );
+  if ((result.rowCount ?? 0) === 0) throw new Error('Organization not found or not deleted');
+
+  await writeAuditEvent({
+    pool,
+    orgId,
+    actorUserId: superAdminUserId,
+    actorType: 'super_admin',
+    action: 'org.restored',
+    targetType: 'org',
+    targetId: orgId,
+    reason,
+  });
+}
+
+export async function appointOwner(
+  pool: Pool,
+  {
+    orgId,
+    targetUserId,
+    superAdminUserId,
+    reason,
+  }: { orgId: number; targetUserId: number; superAdminUserId: number; reason: string }
+): Promise<void> {
+  const client = await pool.connect();
+  try {
+    await client.query('BEGIN');
+
+    // Demote current owner to admin
+    await client.query(
+      `UPDATE tm_memberships SET role = 'admin', updated_at = NOW()
+       WHERE org_id = $1 AND role = 'owner' AND removed_at IS NULL`,
+      [orgId]
+    );
+
+    // Upsert new owner
+    await client.query(
+      `INSERT INTO tm_memberships (org_id, user_id, role, joined_at)
+       VALUES ($1, $2, 'owner', NOW())
+       ON CONFLICT (org_id, user_id) WHERE removed_at IS NULL
+       DO UPDATE SET role = 'owner', removed_at = NULL, updated_at = NOW()`,
+      [orgId, targetUserId]
+    );
+
+    // Update denormalized owner field
+    await client.query(
+      `UPDATE tm_organizations SET owner_user_id = $1, updated_at = NOW() WHERE id = $2`,
+      [targetUserId, orgId]
+    );
+
+    await client.query('COMMIT');
+  } catch (e) {
+    await client.query('ROLLBACK');
+    throw e;
+  } finally {
+    client.release();
+  }
+
+  await writeAuditEvent({
+    pool,
+    orgId,
+    actorUserId: superAdminUserId,
+    actorType: 'super_admin',
+    action: 'org.owner_appointed',
+    targetType: 'user',
+    targetId: targetUserId,
+    reason,
+  });
+}
+
+export async function hardDeleteOrg(
+  pool: Pool,
+  {
+    orgId,
+    superAdminUserId,
+    legalBasis,
+  }: { orgId: number; superAdminUserId: number; legalBasis: string }
+): Promise<void> {
+  if (!legalBasis || legalBasis.trim().length < 10) {
+    throw new Error('A legal basis of at least 10 characters is required for hard delete');
+  }
+
+  await writeAuditEvent({
+    pool,
+    orgId,
+    actorUserId: superAdminUserId,
+    actorType: 'super_admin',
+    action: 'org.hard_deleted',
+    targetType: 'org',
+    targetId: orgId,
+    reason: legalBasis,
+  });
+
+  // Hard delete — cascades to memberships, invitations, etc.
+  await pool.query(`DELETE FROM tm_organizations WHERE id = $1`, [orgId]);
+}
+
+export async function addMemberAdmin(
+  pool: Pool,
+  {
+    orgId,
+    userId,
+    role,
+    superAdminUserId,
+    reason,
+  }: { orgId: number; userId: number; role: OrgRole; superAdminUserId: number; reason: string }
+): Promise<void> {
+  await pool.query(
+    `INSERT INTO tm_memberships (org_id, user_id, role, joined_at)
+     VALUES ($1, $2, $3, NOW())
+     ON CONFLICT (org_id, user_id)
+     DO UPDATE SET role = EXCLUDED.role, removed_at = NULL, removed_by_user_id = NULL,
+                   removal_reason = NULL, updated_at = NOW()`,
+    [orgId, userId, role]
+  );
+
+  await writeAuditEvent({
+    pool,
+    orgId,
+    actorUserId: superAdminUserId,
+    actorType: 'super_admin',
+    action: 'org.member_added_admin',
+    targetType: 'user',
+    targetId: userId,
+    after: { role },
+    reason,
+  });
+}
+
+export async function removeMemberAdmin(
+  pool: Pool,
+  {
+    orgId,
+    userId,
+    superAdminUserId,
+    reason,
+  }: { orgId: number; userId: number; superAdminUserId: number; reason: string }
+): Promise<void> {
+  await pool.query(
+    `UPDATE tm_memberships
+     SET removed_at = NOW(), removed_by_user_id = $1, removal_reason = $2, updated_at = NOW()
+     WHERE org_id = $3 AND user_id = $4 AND removed_at IS NULL`,
+    [superAdminUserId, reason, orgId, userId]
+  );
+
+  await writeAuditEvent({
+    pool,
+    orgId,
+    actorUserId: superAdminUserId,
+    actorType: 'super_admin',
+    action: 'org.member_removed_admin',
+    targetType: 'user',
+    targetId: userId,
+    reason,
+  });
+}
+
+export async function lockUser(
+  pool: Pool,
+  adapter: ServerModuleAdapter,
+  {
+    userId,
+    superAdminUserId,
+    reason,
+  }: { userId: number; superAdminUserId: number; reason: string }
+): Promise<void> {
+  await pool.query(
+    `INSERT INTO tm_user_locks (user_id, locked_by, reason, locked_at)
+     VALUES ($1, $2, $3, NOW())
+     ON CONFLICT (user_id) DO UPDATE SET locked_by = EXCLUDED.locked_by,
+       reason = EXCLUDED.reason, locked_at = EXCLUDED.locked_at, unlocked_at = NULL`,
+    [userId, superAdminUserId, reason]
+  );
+
+  await adapter.invalidateAllUserSessions(userId);
+
+  await writeAuditEvent({
+    pool,
+    orgId: null,
+    actorUserId: superAdminUserId,
+    actorType: 'super_admin',
+    action: 'user.locked',
+    targetType: 'user',
+    targetId: userId,
+    reason,
+  });
+}
+
+export async function unlockUser(
+  pool: Pool,
+  adapter: ServerModuleAdapter,
+  {
+    userId,
+    superAdminUserId,
+    reason,
+  }: { userId: number; superAdminUserId: number; reason: string }
+): Promise<void> {
+  await pool.query(
+    `UPDATE tm_user_locks SET unlocked_at = NOW() WHERE user_id = $1 AND unlocked_at IS NULL`,
+    [userId]
+  );
+
+  await writeAuditEvent({
+    pool,
+    orgId: null,
+    actorUserId: superAdminUserId,
+    actorType: 'super_admin',
+    action: 'user.unlocked',
+    targetType: 'user',
+    targetId: userId,
+    reason,
+  });
+}
+
+export async function triggerPasswordReset(
+  pool: Pool,
+  adapter: ServerModuleAdapter,
+  {
+    userId,
+    superAdminUserId,
+    reason,
+    baseUrl,
+  }: { userId: number; superAdminUserId: number; reason: string; baseUrl: string }
+): Promise<void> {
+  const user = await adapter.getUserById(userId);
+  if (!user) throw new Error('User not found');
+
+  await requestPasswordReset(pool, adapter, {
+    email: user.email,
+    baseUrl,
+    triggeredBySuperAdmin: true,
+  });
+
+  await writeAuditEvent({
+    pool,
+    orgId: null,
+    actorUserId: superAdminUserId,
+    actorType: 'super_admin',
+    action: 'user.password_reset_triggered',
+    targetType: 'user',
+    targetId: userId,
+    reason,
+  });
+}
+
+export async function seedSuperAdmin(
+  pool: Pool,
+  adapter: ServerModuleAdapter,
+  email: string
+): Promise<void> {
+  const user = await adapter.findUserByEmail(email);
+  if (!user) {
+    // User not found — skip silently (idempotent)
+    return;
+  }
+
+  await pool.query(
+    `INSERT INTO tm_super_admins (user_id, granted_at)
+     VALUES ($1, NOW())
+     ON CONFLICT (user_id) DO NOTHING`,
+    [user.id]
+  );
+}