domma-cms 0.23.0 → 0.25.0

package/server/services/users.js

@@ -1,302 +1,302 @@
-/**
- * User Storage Service
- * File-based CRUD — one JSON file per user in content/users/{id}.json.
- * Mirrors the page-per-file pattern from the content service.
- */
-import fs from 'fs/promises';
-import path from 'path';
-import bcrypt from 'bcryptjs';
-import {v4 as uuidv4} from 'uuid';
-import {config} from '../config.js';
-import {deleteProfile, ensureProfile} from './userProfiles.js';
-import * as cache from './cache/index.js';
-
-const USERS_DIR = path.resolve(config.content.usersDir);
-
-const UUID_REGEX = /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
-
-async function ensureDir() {
-    await fs.mkdir(USERS_DIR, { recursive: true });
-}
-
-/**
- * Strip the password field from a user object before returning it to callers.
- *
- * @param {object} user
- * @returns {object}
- */
-function stripPassword(user) {
-    const {password, resetTokenHash, resetTokenExpiry, ...safe} = user;
-    return safe;
-}
-
-/**
- * Read a user file by ID.
- *
- * @param {string} id
- * @returns {Promise<object>} Full user object including password hash
- */
-async function readUserFile(id) {
-    if (!UUID_REGEX.test(id)) {
-        throw new Error('Invalid user ID');
-    }
-    const filePath = path.join(USERS_DIR, `${id}.json`);
-    const raw = await fs.readFile(filePath, 'utf8');
-    return JSON.parse(raw);
-}
-
-/**
- * Write a user file.
- *
- * @param {object} user
- * @returns {Promise<void>}
- */
-async function writeUserFile(user) {
-    if (!UUID_REGEX.test(user.id)) {
-        throw new Error('Invalid user ID');
-    }
-    await ensureDir();
-    const filePath = path.join(USERS_DIR, `${user.id}.json`);
-    await fs.writeFile(filePath, JSON.stringify(user, null, 2) + '\n', 'utf8');
-}
-
-/**
- * List all users (password stripped).
- *
- * @returns {Promise<object[]>}
- */
-export async function listUsers() {
-    await ensureDir();
-    let files;
-    try {
-        files = await fs.readdir(USERS_DIR);
-    } catch {
-        return [];
-    }
-    const jsonFiles = files.filter(f => f.endsWith('.json'));
-    const users = await Promise.all(jsonFiles.map(async (file) => {
-        const raw = await fs.readFile(path.join(USERS_DIR, file), 'utf8');
-        return stripPassword(JSON.parse(raw));
-    }));
-    return users.sort((a, b) => a.name.localeCompare(b.name));
-}
-
-/**
- * Get a single user by ID (password stripped).
- *
- * @param {string} id
- * @returns {Promise<object|null>}
- */
-export async function getUserById(id) {
-    try {
-        return stripPassword(await readUserFile(id));
-    } catch {
-        return null;
-    }
-}
-
-/**
- * Get a user by email address — includes password hash (needed for login).
- *
- * @param {string} email
- * @returns {Promise<object|null>}
- */
-export async function getUserByEmail(email) {
-    await ensureDir();
-    let files;
-    try {
-        files = await fs.readdir(USERS_DIR);
-    } catch {
-        return null;
-    }
-    for (const file of files.filter(f => f.endsWith('.json'))) {
-        const raw = await fs.readFile(path.join(USERS_DIR, file), 'utf8');
-        const user = JSON.parse(raw);
-        if (user.email.toLowerCase() === email.toLowerCase()) return user;
-    }
-    return null;
-}
-
-/**
- * Create a new user.
- *
- * @param {object} data - { name, email, password, role }
- * @returns {Promise<object>} Created user (password stripped)
- */
-export async function createUser({ name, email, password, role = 'user', additionalRoles = [], meta, projects }) {
-    const existing = await getUserByEmail(email);
-    if (existing) throw new Error('A user with that email already exists');
-
-    const hash = await bcrypt.hash(password, config.auth.bcryptRounds);
-    const now = new Date().toISOString();
-    const user = {
-        id: uuidv4(),
-        email: email.toLowerCase().trim(),
-        name: name.trim(),
-        password: hash,
-        role,
-        // Additional roles beyond the primary — permission/visibility checks
-        // grant access if ANY role satisfies. The primary `role` is what
-        // appears in UI badges and is used for hierarchical level comparisons
-        // when a single value is needed.
-        additionalRoles: Array.isArray(additionalRoles) ? additionalRoles.filter(r => r && r !== role) : [],
-        // Project access-scope: when non-empty, the user is restricted to artefacts
-        // tagged with one of these project slugs (see canSeeArtefact in projects.js).
-        projects: Array.isArray(projects) ? projects.filter(Boolean) : [],
-        isActive: true,
-        createdAt: now,
-        updatedAt: now,
-        lastLogin: null,
-        ...(meta != null && {meta})
-    };
-
-    await writeUserFile(user);
-    await ensureProfile(user.id);
-    return stripPassword(user);
-}
-
-/**
- * Update an existing user.
- * Pass a new `password` field to re-hash; omit to keep the existing hash.
- *
- * @param {string} id
- * @param {object} updates
- * @returns {Promise<object>} Updated user (password stripped)
- */
-export async function updateUser(id, updates) {
-    const user = await readUserFile(id);
-    if (!user) throw new Error('User not found');
-
-    if (updates.password) {
-        updates.password = await bcrypt.hash(updates.password, config.auth.bcryptRounds);
-    }
-
-    const updated = {
-        ...user,
-        ...updates,
-        id: user.id,
-        updatedAt: new Date().toISOString()
-    };
-
-    await writeUserFile(updated);
-
-    // Invalidate per-user cache when the project access-scope changes — downstream
-    // request handlers cache scope-filtered responses keyed by `user:<id>`.
-    if (updates.projects !== undefined) {
-        const before = JSON.stringify(user.projects || []);
-        const after  = JSON.stringify(updated.projects || []);
-        if (before !== after) {
-            await cache.invalidateTags([`user:${id}`]);
-        }
-    }
-
-    return stripPassword(updated);
-}
-
-/**
- * Delete a user file.
- *
- * @param {string} id
- * @returns {Promise<void>}
- */
-export async function deleteUser(id) {
-    if (!UUID_REGEX.test(id)) {
-        throw new Error('Invalid user ID');
-    }
-    const filePath = path.join(USERS_DIR, `${id}.json`);
-    await fs.unlink(filePath);
-    try {
-        await deleteProfile(id);
-    } catch {
-        // Profile deletion is best-effort — never block user deletion
-    }
-}
-
-/**
- * Count total users.
- *
- * @returns {Promise<number>}
- */
-export async function countUsers() {
-    await ensureDir();
-    try {
-        const files = await fs.readdir(USERS_DIR);
-        return files.filter(f => f.endsWith('.json')).length;
-    } catch {
-        return 0;
-    }
-}
-
-/**
- * Validate a plain-text password against a bcrypt hash.
- *
- * @param {string} plain
- * @param {string} hash
- * @returns {Promise<boolean>}
- */
-export async function validatePassword(plain, hash) {
-    return bcrypt.compare(plain, hash);
-}
-
-/**
- * Store a hashed reset token and its expiry on a user file.
- *
- * @param {string} id
- * @param {string} tokenHash - SHA-256 hex digest of the plaintext token
- * @param {string} expiry    - ISO timestamp
- * @returns {Promise<void>}
- */
-export async function setResetToken(id, tokenHash, expiry) {
-    const user = await readUserFile(id);
-    user.resetTokenHash = tokenHash;
-    user.resetTokenExpiry = expiry;
-    await writeUserFile(user);
-}
-
-/**
- * Remove the reset token fields from a user file (single-use enforcement).
- *
- * @param {string} id
- * @returns {Promise<void>}
- */
-export async function clearResetToken(id) {
-    const user = await readUserFile(id);
-    delete user.resetTokenHash;
-    delete user.resetTokenExpiry;
-    await writeUserFile(user);
-}
-
-/**
- * Find a user whose stored reset token hash matches the given hash.
- * Returns the full user object (including hash) so the caller can check expiry.
- *
- * @param {string} tokenHash - SHA-256 hex digest to look up
- * @returns {Promise<object|null>}
- */
-export async function getUserByResetToken(tokenHash) {
-    await ensureDir();
-    let files;
-    try {
-        files = await fs.readdir(USERS_DIR);
-    } catch {
-        return null;
-    }
-    for (const file of files.filter(f => f.endsWith('.json'))) {
-        const raw = await fs.readFile(path.join(USERS_DIR, file), 'utf8');
-        const user = JSON.parse(raw);
-        if (user.resetTokenHash === tokenHash) return user;
-    }
-    return null;
-}
-
-/**
- * Record the current timestamp as the user's last login.
- *
- * @param {string} id
- * @returns {Promise<void>}
- */
-export async function touchLastLogin(id) {
-    const user = await readUserFile(id);
-    user.lastLogin = new Date().toISOString();
-    await writeUserFile(user);
-}
+/**
+ * User Storage Service
+ * File-based CRUD — one JSON file per user in content/users/{id}.json.
+ * Mirrors the page-per-file pattern from the content service.
+ */
+import fs from 'fs/promises';
+import path from 'path';
+import bcrypt from 'bcryptjs';
+import {v4 as uuidv4} from 'uuid';
+import {config} from '../config.js';
+import {deleteProfile, ensureProfile} from './userProfiles.js';
+import * as cache from './cache/index.js';
+
+const USERS_DIR = path.resolve(config.content.usersDir);
+
+const UUID_REGEX = /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
+
+async function ensureDir() {
+    await fs.mkdir(USERS_DIR, { recursive: true });
+}
+
+/**
+ * Strip the password field from a user object before returning it to callers.
+ *
+ * @param {object} user
+ * @returns {object}
+ */
+function stripPassword(user) {
+    const {password, resetTokenHash, resetTokenExpiry, ...safe} = user;
+    return safe;
+}
+
+/**
+ * Read a user file by ID.
+ *
+ * @param {string} id
+ * @returns {Promise<object>} Full user object including password hash
+ */
+async function readUserFile(id) {
+    if (!UUID_REGEX.test(id)) {
+        throw new Error('Invalid user ID');
+    }
+    const filePath = path.join(USERS_DIR, `${id}.json`);
+    const raw = await fs.readFile(filePath, 'utf8');
+    return JSON.parse(raw);
+}
+
+/**
+ * Write a user file.
+ *
+ * @param {object} user
+ * @returns {Promise<void>}
+ */
+async function writeUserFile(user) {
+    if (!UUID_REGEX.test(user.id)) {
+        throw new Error('Invalid user ID');
+    }
+    await ensureDir();
+    const filePath = path.join(USERS_DIR, `${user.id}.json`);
+    await fs.writeFile(filePath, JSON.stringify(user, null, 2) + '\n', 'utf8');
+}
+
+/**
+ * List all users (password stripped).
+ *
+ * @returns {Promise<object[]>}
+ */
+export async function listUsers() {
+    await ensureDir();
+    let files;
+    try {
+        files = await fs.readdir(USERS_DIR);
+    } catch {
+        return [];
+    }
+    const jsonFiles = files.filter(f => f.endsWith('.json'));
+    const users = await Promise.all(jsonFiles.map(async (file) => {
+        const raw = await fs.readFile(path.join(USERS_DIR, file), 'utf8');
+        return stripPassword(JSON.parse(raw));
+    }));
+    return users.sort((a, b) => a.name.localeCompare(b.name));
+}
+
+/**
+ * Get a single user by ID (password stripped).
+ *
+ * @param {string} id
+ * @returns {Promise<object|null>}
+ */
+export async function getUserById(id) {
+    try {
+        return stripPassword(await readUserFile(id));
+    } catch {
+        return null;
+    }
+}
+
+/**
+ * Get a user by email address — includes password hash (needed for login).
+ *
+ * @param {string} email
+ * @returns {Promise<object|null>}
+ */
+export async function getUserByEmail(email) {
+    await ensureDir();
+    let files;
+    try {
+        files = await fs.readdir(USERS_DIR);
+    } catch {
+        return null;
+    }
+    for (const file of files.filter(f => f.endsWith('.json'))) {
+        const raw = await fs.readFile(path.join(USERS_DIR, file), 'utf8');
+        const user = JSON.parse(raw);
+        if (user.email.toLowerCase() === email.toLowerCase()) return user;
+    }
+    return null;
+}
+
+/**
+ * Create a new user.
+ *
+ * @param {object} data - { name, email, password, role }
+ * @returns {Promise<object>} Created user (password stripped)
+ */
+export async function createUser({ name, email, password, role = 'user', additionalRoles = [], meta, projects }) {
+    const existing = await getUserByEmail(email);
+    if (existing) throw new Error('A user with that email already exists');
+
+    const hash = await bcrypt.hash(password, config.auth.bcryptRounds);
+    const now = new Date().toISOString();
+    const user = {
+        id: uuidv4(),
+        email: email.toLowerCase().trim(),
+        name: name.trim(),
+        password: hash,
+        role,
+        // Additional roles beyond the primary — permission/visibility checks
+        // grant access if ANY role satisfies. The primary `role` is what
+        // appears in UI badges and is used for hierarchical level comparisons
+        // when a single value is needed.
+        additionalRoles: Array.isArray(additionalRoles) ? additionalRoles.filter(r => r && r !== role) : [],
+        // Project access-scope: when non-empty, the user is restricted to artefacts
+        // tagged with one of these project slugs (see canSeeArtefact in projects.js).
+        projects: Array.isArray(projects) ? projects.filter(Boolean) : [],
+        isActive: true,
+        createdAt: now,
+        updatedAt: now,
+        lastLogin: null,
+        ...(meta != null && {meta})
+    };
+
+    await writeUserFile(user);
+    await ensureProfile(user.id);
+    return stripPassword(user);
+}
+
+/**
+ * Update an existing user.
+ * Pass a new `password` field to re-hash; omit to keep the existing hash.
+ *
+ * @param {string} id
+ * @param {object} updates
+ * @returns {Promise<object>} Updated user (password stripped)
+ */
+export async function updateUser(id, updates) {
+    const user = await readUserFile(id);
+    if (!user) throw new Error('User not found');
+
+    if (updates.password) {
+        updates.password = await bcrypt.hash(updates.password, config.auth.bcryptRounds);
+    }
+
+    const updated = {
+        ...user,
+        ...updates,
+        id: user.id,
+        updatedAt: new Date().toISOString()
+    };
+
+    await writeUserFile(updated);
+
+    // Invalidate per-user cache when the project access-scope changes — downstream
+    // request handlers cache scope-filtered responses keyed by `user:<id>`.
+    if (updates.projects !== undefined) {
+        const before = JSON.stringify(user.projects || []);
+        const after  = JSON.stringify(updated.projects || []);
+        if (before !== after) {
+            await cache.invalidateTags([`user:${id}`]);
+        }
+    }
+
+    return stripPassword(updated);
+}
+
+/**
+ * Delete a user file.
+ *
+ * @param {string} id
+ * @returns {Promise<void>}
+ */
+export async function deleteUser(id) {
+    if (!UUID_REGEX.test(id)) {
+        throw new Error('Invalid user ID');
+    }
+    const filePath = path.join(USERS_DIR, `${id}.json`);
+    await fs.unlink(filePath);
+    try {
+        await deleteProfile(id);
+    } catch {
+        // Profile deletion is best-effort — never block user deletion
+    }
+}
+
+/**
+ * Count total users.
+ *
+ * @returns {Promise<number>}
+ */
+export async function countUsers() {
+    await ensureDir();
+    try {
+        const files = await fs.readdir(USERS_DIR);
+        return files.filter(f => f.endsWith('.json')).length;
+    } catch {
+        return 0;
+    }
+}
+
+/**
+ * Validate a plain-text password against a bcrypt hash.
+ *
+ * @param {string} plain
+ * @param {string} hash
+ * @returns {Promise<boolean>}
+ */
+export async function validatePassword(plain, hash) {
+    return bcrypt.compare(plain, hash);
+}
+
+/**
+ * Store a hashed reset token and its expiry on a user file.
+ *
+ * @param {string} id
+ * @param {string} tokenHash - SHA-256 hex digest of the plaintext token
+ * @param {string} expiry    - ISO timestamp
+ * @returns {Promise<void>}
+ */
+export async function setResetToken(id, tokenHash, expiry) {
+    const user = await readUserFile(id);
+    user.resetTokenHash = tokenHash;
+    user.resetTokenExpiry = expiry;
+    await writeUserFile(user);
+}
+
+/**
+ * Remove the reset token fields from a user file (single-use enforcement).
+ *
+ * @param {string} id
+ * @returns {Promise<void>}
+ */
+export async function clearResetToken(id) {
+    const user = await readUserFile(id);
+    delete user.resetTokenHash;
+    delete user.resetTokenExpiry;
+    await writeUserFile(user);
+}
+
+/**
+ * Find a user whose stored reset token hash matches the given hash.
+ * Returns the full user object (including hash) so the caller can check expiry.
+ *
+ * @param {string} tokenHash - SHA-256 hex digest to look up
+ * @returns {Promise<object|null>}
+ */
+export async function getUserByResetToken(tokenHash) {
+    await ensureDir();
+    let files;
+    try {
+        files = await fs.readdir(USERS_DIR);
+    } catch {
+        return null;
+    }
+    for (const file of files.filter(f => f.endsWith('.json'))) {
+        const raw = await fs.readFile(path.join(USERS_DIR, file), 'utf8');
+        const user = JSON.parse(raw);
+        if (user.resetTokenHash === tokenHash) return user;
+    }
+    return null;
+}
+
+/**
+ * Record the current timestamp as the user's last login.
+ *
+ * @param {string} id
+ * @returns {Promise<void>}
+ */
+export async function touchLastLogin(id) {
+    const user = await readUserFile(id);
+    user.lastLogin = new Date().toISOString();
+    await writeUserFile(user);
+}

package/config/connections.json.bak

@@ -1,9 +0,0 @@
-{
-    "default": {
-        "type": "mongodb",
-        "uri": "mongodb://localhost:27017",
-        "database": "domma_cms",
-        "options": {}
-    },
-    "_comment": "Copy this file to connections.json and update with your MongoDB connection details. Each key is a named connection. Collections reference connections by name in their schema.json storage config. The 'default' connection is used when no connection name is specified."
-}