insforge 1.3.0 → 1.4.8

package/backend/src/services/auth/auth.service.ts

@@ -13,6 +13,7 @@ import type {
   CreateAdminSessionResponse,
   AuthMetadataSchema,
   OAuthProvidersSchema,
+  AuthOptions,
 } from '@insforge/shared-schemas';
 import { OAuthConfigService } from '@/services/auth/oauth-config.service.js';
 import { AuthConfigService } from './auth-config.service.js';
@@ -109,7 +110,12 @@ export class AuthService {
    * User registration
    * Otherwise, returns user with access token for immediate login
    */
-  async register(email: string, password: string, name?: string): Promise<CreateUserResponse> {
+  async register(
+    email: string,
+    password: string,
+    name?: string,
+    options?: AuthOptions
+  ): Promise<CreateUserResponse> {
     // Get email auth configuration and validate password
     const authConfigService = AuthConfigService.getInstance();
     const emailAuthConfig = await authConfigService.getAuthConfig();
@@ -130,16 +136,11 @@ export class AuthService {
     try {
       await client.query('BEGIN');
 
+      const profile = name ? JSON.stringify({ name }) : '{}';
       await client.query(
-        `INSERT INTO _accounts (id, email, password, name, email_verified, created_at, updated_at)
-         VALUES ($1, $2, $3, $4, $5, NOW(), NOW())`,
-        [userId, email, hashedPassword, name || null, false]
-      );
-
-      await client.query(
-        `INSERT INTO users (id, nickname, created_at, updated_at)
-         VALUES ($1, $2, NOW(), NOW())`,
-        [userId, name || null]
+        `INSERT INTO auth.users (id, email, password, profile, email_verified, created_at, updated_at)
+         VALUES ($1, $2, $3, $4::jsonb, $5, NOW(), NOW())`,
+        [userId, email, hashedPassword, profile, false]
       );
 
       await client.query('COMMIT');
@@ -163,7 +164,8 @@ export class AuthService {
     if (emailAuthConfig.requireEmailVerification) {
       try {
         if (emailAuthConfig.verifyEmailMethod === 'link') {
-          await this.sendVerificationEmailWithLink(email);
+          const redirectTo = emailAuthConfig.signInRedirectTo || options?.emailRedirectTo;
+          await this.sendVerificationEmailWithLink(email, redirectTo);
         } else {
           await this.sendVerificationEmailWithCode(email);
         }
@@ -243,7 +245,7 @@ export class AuthService {
   async sendVerificationEmailWithCode(email: string): Promise<void> {
     // Check if user exists
     const pool = this.getPool();
-    const result = await pool.query('SELECT * FROM _accounts WHERE email = $1', [email]);
+    const result = await pool.query('SELECT * FROM auth.users WHERE email = $1', [email]);
     const dbUser = result.rows[0];
     if (!dbUser) {
       // Silently succeed to prevent user enumeration
@@ -261,7 +263,8 @@ export class AuthService {
 
     // Send email with verification code
     const emailService = EmailService.getInstance();
-    await emailService.sendWithTemplate(email, dbUser.name || 'User', 'email-verification-code', {
+    const userName = dbUser.profile?.name || 'User';
+    await emailService.sendWithTemplate(email, userName, 'email-verification-code', {
       token: code,
     });
   }
@@ -271,10 +274,10 @@ export class AuthService {
    * Creates a long cryptographic token and sends it via email as a clickable link
    * The link contains only the token (no email) for better privacy and security
    */
-  async sendVerificationEmailWithLink(email: string): Promise<void> {
+  async sendVerificationEmailWithLink(email: string, emailRedirectTo?: string): Promise<void> {
     // Check if user exists
     const pool = this.getPool();
-    const result = await pool.query('SELECT * FROM _accounts WHERE email = $1', [email]);
+    const result = await pool.query('SELECT * FROM auth.users WHERE email = $1', [email]);
     const dbUser = result.rows[0];
     if (!dbUser) {
       // Silently succeed to prevent user enumeration
@@ -291,11 +294,13 @@ export class AuthService {
     );
 
     // Build verification link URL using backend API endpoint
-    const linkUrl = `${getApiBaseUrl()}/auth/verify-email?token=${token}`;
+    // Include redirectTo parameter if provided
+    const linkUrl = `${getApiBaseUrl()}/auth/verify-email?token=${token}${emailRedirectTo ? `&redirectTo=${encodeURIComponent(emailRedirectTo)}` : ''}`;
 
     // Send email with verification link
     const emailService = EmailService.getInstance();
-    await emailService.sendWithTemplate(email, dbUser.name || 'User', 'email-verification-link', {
+    const userName = dbUser.profile?.name || 'User';
+    await emailService.sendWithTemplate(email, userName, 'email-verification-link', {
       link: linkUrl,
     });
   }
@@ -323,7 +328,7 @@ export class AuthService {
 
       // Update account email verification status
       const result = await client.query(
-        `UPDATE _accounts
+        `UPDATE auth.users
          SET email_verified = true, updated_at = NOW()
          WHERE email = $1
          RETURNING id`,
@@ -389,7 +394,7 @@ export class AuthService {
 
       // Update account email verification status
       const result = await client.query(
-        `UPDATE _accounts
+        `UPDATE auth.users
          SET email_verified = true, updated_at = NOW()
          WHERE email = $1
          RETURNING id`,
@@ -439,7 +444,7 @@ export class AuthService {
   async sendResetPasswordEmailWithCode(email: string): Promise<void> {
     // Check if user exists
     const pool = this.getPool();
-    const result = await pool.query('SELECT * FROM _accounts WHERE email = $1', [email]);
+    const result = await pool.query('SELECT * FROM auth.users WHERE email = $1', [email]);
     const dbUser = result.rows[0];
     if (!dbUser) {
       // Silently succeed to prevent user enumeration
@@ -457,7 +462,8 @@ export class AuthService {
 
     // Send email with reset password code
     const emailService = EmailService.getInstance();
-    await emailService.sendWithTemplate(email, dbUser.name || 'User', 'reset-password-code', {
+    const userName = dbUser.profile?.name || 'User';
+    await emailService.sendWithTemplate(email, userName, 'reset-password-code', {
       token: code,
     });
   }
@@ -470,7 +476,7 @@ export class AuthService {
   async sendResetPasswordEmailWithLink(email: string): Promise<void> {
     // Check if user exists
     const pool = this.getPool();
-    const result = await pool.query('SELECT * FROM _accounts WHERE email = $1', [email]);
+    const result = await pool.query('SELECT * FROM auth.users WHERE email = $1', [email]);
     const dbUser = result.rows[0];
     if (!dbUser) {
       // Silently succeed to prevent user enumeration
@@ -491,7 +497,8 @@ export class AuthService {
 
     // Send email with password reset link
     const emailService = EmailService.getInstance();
-    await emailService.sendWithTemplate(email, dbUser.name || 'User', 'reset-password-link', {
+    const userName = dbUser.profile?.name || 'User';
+    await emailService.sendWithTemplate(email, userName, 'reset-password-link', {
       link: linkUrl,
     });
   }
@@ -562,7 +569,7 @@ export class AuthService {
 
       // Update password in the database
       const result = await client.query(
-        `UPDATE _accounts
+        `UPDATE auth.users
          SET password = $1, updated_at = NOW()
          WHERE email = $2
          RETURNING id`,
@@ -612,10 +619,11 @@ export class AuthService {
       user: {
         id: ADMIN_ID,
         email: email,
-        name: 'Administrator',
         emailVerified: true,
         createdAt: new Date().toISOString(),
         updatedAt: new Date().toISOString(),
+        profile: { name: 'Administrator' },
+        metadata: null,
       },
       accessToken,
     };
@@ -643,10 +651,11 @@ export class AuthService {
         user: {
           id: ADMIN_ID,
           email: email as string,
-          name: 'Administrator',
           emailVerified: true,
           createdAt: new Date().toISOString(),
           updatedAt: new Date().toISOString(),
+          profile: { name: 'Administrator' },
+          metadata: null,
         },
         accessToken,
       };
@@ -679,9 +688,9 @@ export class AuthService {
   ): Promise<CreateSessionResponse> {
     const pool = this.getPool();
 
-    // First, try to find existing user by provider ID in _account_providers table
+    // First, try to find existing user by provider ID in auth.user_providers table
     const accountResult = await pool.query(
-      'SELECT * FROM _account_providers WHERE provider = $1 AND provider_account_id = $2',
+      'SELECT * FROM auth.user_providers WHERE provider = $1 AND provider_account_id = $2',
       [provider, providerId]
     );
     const account = accountResult.rows[0];
@@ -689,13 +698,13 @@ export class AuthService {
     if (account) {
       // Found existing OAuth user, update last login time
       await pool.query(
-        'UPDATE _account_providers SET updated_at = CURRENT_TIMESTAMP WHERE provider = $1 AND provider_account_id = $2',
+        'UPDATE auth.user_providers SET updated_at = CURRENT_TIMESTAMP WHERE provider = $1 AND provider_account_id = $2',
         [provider, providerId]
       );
 
       // Update email_verified to true if not already verified (OAuth login means email is trusted)
       await pool.query(
-        'UPDATE _accounts SET email_verified = true WHERE id = $1 AND email_verified = false',
+        'UPDATE auth.users SET email_verified = true WHERE id = $1 AND email_verified = false',
         [account.user_id]
       );
 
@@ -715,16 +724,16 @@ export class AuthService {
     }
 
     // If not found by provider_id, try to find by email in _user table
-    const existingUserResult = await pool.query('SELECT * FROM _accounts WHERE email = $1', [
+    const existingUserResult = await pool.query('SELECT * FROM auth.users WHERE email = $1', [
       email,
     ]);
     const existingUser = existingUserResult.rows[0];
 
     if (existingUser) {
-      // Found existing user by email, create _account_providers record to link OAuth
+      // Found existing user by email, create auth.user_providers record to link OAuth
       await pool.query(
         `
-        INSERT INTO _account_providers (
+        INSERT INTO auth.user_providers (
           user_id, provider, provider_account_id,
           provider_data, created_at, updated_at
         )
@@ -735,7 +744,7 @@ export class AuthService {
 
       // Update email_verified to true (OAuth login means email is trusted)
       await pool.query(
-        'UPDATE _accounts SET email_verified = true WHERE id = $1 AND email_verified = false',
+        'UPDATE auth.users SET email_verified = true WHERE id = $1 AND email_verified = false',
         [existingUser.id]
       );
 
@@ -795,26 +804,19 @@ export class AuthService {
       await client.query('BEGIN');
 
       // Create user record (without password for OAuth users)
+      const profile = JSON.stringify({ name: userName, avatar_url: avatarUrl });
       await client.query(
         `
-        INSERT INTO _accounts (id, email, name, email_verified, created_at, updated_at)
-        VALUES ($1, $2, $3, true, CURRENT_TIMESTAMP, CURRENT_TIMESTAMP)
-      `,
-        [userId, email, userName]
-      );
-
-      await client.query(
-        `
-        INSERT INTO users (id, nickname, avatar_url, created_at, updated_at)
-        VALUES ($1, $2, $3, CURRENT_TIMESTAMP, CURRENT_TIMESTAMP)
+        INSERT INTO auth.users (id, email, profile, email_verified, created_at, updated_at)
+        VALUES ($1, $2, $3::jsonb, true, CURRENT_TIMESTAMP, CURRENT_TIMESTAMP)
       `,
-        [userId, userName, avatarUrl]
+        [userId, email, profile]
       );
 
-      // Create _account_providers record
+      // Create auth.user_providers record
       await client.query(
         `
-        INSERT INTO _account_providers (
+        INSERT INTO auth.user_providers (
           user_id, provider, provider_account_id,
           provider_data, created_at, updated_at
         )
@@ -828,10 +830,11 @@ export class AuthService {
       const user: UserSchema = {
         id: userId,
         email,
-        name: userName,
         emailVerified: true,
         createdAt: new Date().toISOString(),
         updatedAt: new Date().toISOString(),
+        profile: { name: userName, avatar_url: avatarUrl },
+        metadata: null,
       };
 
       const accessToken = this.tokenManager.generateToken({
@@ -850,10 +853,15 @@ export class AuthService {
   }
 
   async getMetadata(): Promise<AuthMetadataSchema> {
+    const authConfigService = AuthConfigService.getInstance();
     const oAuthConfigService = OAuthConfigService.getInstance();
-    const oAuthConfigs = await oAuthConfigService.getAllConfigs();
+    const [oAuthProviders, authConfigs] = await Promise.all([
+      oAuthConfigService.getConfiguredProviders(),
+      authConfigService.getPublicAuthConfig(),
+    ]);
     return {
-      oauths: oAuthConfigs,
+      oAuthProviders,
+      ...authConfigs,
     };
   }
 
@@ -989,14 +997,17 @@ export class AuthService {
       SELECT
         u.id,
         u.email,
-        u.name,
+        u.profile,
+        u.metadata,
         u.email_verified,
+        u.is_project_admin,
+        u.is_anonymous,
         u.created_at,
         u.updated_at,
         u.password,
         STRING_AGG(a.provider, ',') as providers
-      FROM _accounts u
-      LEFT JOIN _account_providers a ON u.id = a.user_id
+      FROM auth.users u
+      LEFT JOIN auth.user_providers a ON u.id = a.user_id
       WHERE u.email = $1
       GROUP BY u.id
     `,
@@ -1017,14 +1028,17 @@ export class AuthService {
       SELECT
         u.id,
         u.email,
-        u.name,
+        u.profile,
+        u.metadata,
         u.email_verified,
+        u.is_project_admin,
+        u.is_anonymous,
         u.created_at,
         u.updated_at,
         u.password,
         STRING_AGG(a.provider, ',') as providers
-      FROM _accounts u
-      LEFT JOIN _account_providers a ON u.id = a.user_id
+      FROM auth.users u
+      LEFT JOIN auth.user_providers a ON u.id = a.user_id
       WHERE u.id = $1
       GROUP BY u.id
     `,
@@ -1039,36 +1053,29 @@ export class AuthService {
    * @private
    */
   private transformUserRecordToSchema(dbUser: UserRecord): UserSchema {
-    const identities = [];
     const providers: string[] = [];
 
     // Add social providers if any
     if (dbUser.providers) {
       dbUser.providers.split(',').forEach((provider: string) => {
-        identities.push({ provider });
         providers.push(provider);
       });
     }
 
     // Add email provider if password exists
     if (dbUser.password) {
-      identities.push({ provider: 'email' });
       providers.push('email');
     }
 
-    // Use first provider to determine type: 'email' or 'social'
-    const firstProvider = providers[0];
-    const providerType = firstProvider === 'email' ? 'email' : 'social';
-
     return {
       id: dbUser.id,
       email: dbUser.email,
-      name: dbUser.name,
       emailVerified: dbUser.email_verified,
       createdAt: dbUser.created_at,
       updatedAt: dbUser.updated_at,
-      identities: identities,
-      providerType: providerType,
+      providers: providers,
+      profile: dbUser.profile,
+      metadata: dbUser.metadata,
     };
   }
 
@@ -1085,19 +1092,23 @@ export class AuthService {
       SELECT
         u.id,
         u.email,
-        u.name,
+        u.profile,
+        u.metadata,
         u.email_verified,
+        u.is_project_admin,
+        u.is_anonymous,
         u.created_at,
         u.updated_at,
         u.password,
         STRING_AGG(a.provider, ',') as providers
-      FROM _accounts u
-      LEFT JOIN _account_providers a ON u.id = a.user_id
+      FROM auth.users u
+      LEFT JOIN auth.user_providers a ON u.id = a.user_id
+      WHERE u.is_project_admin = false AND u.is_anonymous = false
     `;
     const params: (string | number)[] = [];
 
     if (search) {
-      query += ' WHERE u.email LIKE $1 OR u.name LIKE $2';
+      query += ` AND (u.email LIKE $1 OR u.profile->>'name' LIKE $2)`;
       params.push(`%${search}%`, `%${search}%`);
     }
 
@@ -1110,11 +1121,12 @@ export class AuthService {
     // Transform users
     const users = dbUsers.map((dbUser) => this.transformUserRecordToSchema(dbUser));
 
-    // Get total count
-    let countQuery = 'SELECT COUNT(*) as count FROM _accounts';
+    // Get total count (exclude admins and anonymous users)
+    let countQuery =
+      'SELECT COUNT(*) as count FROM auth.users WHERE is_project_admin = false AND is_anonymous = false';
     const countParams: string[] = [];
     if (search) {
-      countQuery += ' WHERE email LIKE $1 OR name LIKE $2';
+      countQuery += ` AND (email LIKE $1 OR profile->>'name' LIKE $2)`;
       countParams.push(`%${search}%`, `%${search}%`);
     }
     const countResult = await pool.query(countQuery, countParams);
@@ -1137,13 +1149,61 @@ export class AuthService {
     return this.transformUserRecordToSchema(dbUser);
   }
 
+  /**
+   * Get user profile by ID (public endpoint - returns id and profile)
+   */
+  async getProfileById(
+    userId: string
+  ): Promise<{ id: string; profile: Record<string, unknown> | null } | null> {
+    const pool = this.getPool();
+    const result = await pool.query(`SELECT id, profile FROM auth.users WHERE id = $1`, [userId]);
+
+    if (result.rows.length === 0) {
+      return null;
+    }
+
+    return {
+      id: result.rows[0].id,
+      profile: result.rows[0].profile,
+    };
+  }
+
+  /**
+   * Update user profile (for authenticated user updating their own profile)
+   */
+  async updateProfile(
+    userId: string,
+    profile: Record<string, unknown>
+  ): Promise<{ id: string; profile: Record<string, unknown> | null }> {
+    const pool = this.getPool();
+    const result = await pool.query(
+      `UPDATE auth.users
+       SET profile = COALESCE(profile, '{}'::jsonb) || $1::jsonb, updated_at = NOW()
+       WHERE id = $2
+       RETURNING id, profile`,
+      [profile, userId]
+    );
+
+    if (result.rows.length === 0) {
+      throw new AppError('User not found', 404, ERROR_CODES.NOT_FOUND);
+    }
+
+    return {
+      id: result.rows[0].id,
+      profile: result.rows[0].profile,
+    };
+  }
+
   /**
    * Delete multiple users by IDs
    */
   async deleteUsers(userIds: string[]): Promise<number> {
     const pool = this.getPool();
     const placeholders = userIds.map((_, i) => `$${i + 1}`).join(',');
-    const result = await pool.query(`DELETE FROM _accounts WHERE id IN (${placeholders})`, userIds);
+    const result = await pool.query(
+      `DELETE FROM auth.users WHERE id IN (${placeholders})`,
+      userIds
+    );
 
     return result.rowCount || 0;
   }

package/backend/src/services/auth/index.ts

@@ -1,4 +1,4 @@
-export { AuthService } from './auth.service.js';
-export { AuthConfigService } from './auth-config.service.js';
-export { AuthOTPService } from './auth-otp.service.js';
-export { OAuthConfigService } from './oauth-config.service.js';
+export { AuthService } from './auth.service.js';
+export { AuthConfigService } from './auth-config.service.js';
+export { AuthOTPService } from './auth-otp.service.js';
+export { OAuthConfigService } from './oauth-config.service.js';

package/backend/src/services/auth/oauth-config.service.ts

@@ -62,7 +62,7 @@ export class OAuthConfigService {
           use_shared_key as "useSharedKey",
           created_at as "createdAt",
           updated_at as "updatedAt"
-         FROM _oauth_configs
+         FROM auth.oauth_configs
          ORDER BY provider ASC`
       );
 
@@ -82,7 +82,7 @@ export class OAuthConfigService {
       const result = await this.getPool().query(
         `SELECT
           provider
-         FROM _oauth_configs
+         FROM auth.oauth_configs
          ORDER BY provider ASC`
       );
 
@@ -108,7 +108,7 @@ export class OAuthConfigService {
           use_shared_key as "useSharedKey",
           created_at as "createdAt",
           updated_at as "updatedAt"
-         FROM _oauth_configs
+         FROM auth.oauth_configs
          WHERE LOWER(provider) = LOWER($1)
          LIMIT 1`,
         [provider]
@@ -133,7 +133,7 @@ export class OAuthConfigService {
       const result = await this.getPool().query(
         `SELECT
           secret_id as "secretId"
-         FROM _oauth_configs
+         FROM auth.oauth_configs
          WHERE LOWER(provider) = LOWER($1)
          LIMIT 1`,
         [provider]
@@ -167,7 +167,7 @@ export class OAuthConfigService {
 
       // Check if config already exists for this provider
       const existingConfig = await client.query(
-        'SELECT id FROM _oauth_configs WHERE LOWER(provider) = LOWER($1)',
+        'SELECT id FROM auth.oauth_configs WHERE LOWER(provider) = LOWER($1)',
         [input.provider]
       );
 
@@ -235,7 +235,7 @@ export class OAuthConfigService {
 
       // Create new OAuth config
       const result = await client.query(
-        `INSERT INTO _oauth_configs (provider, client_id, secret_id, redirect_uri, scopes, use_shared_key)
+        `INSERT INTO auth.oauth_configs (provider, client_id, secret_id, redirect_uri, scopes, use_shared_key)
          VALUES ($1, $2, $3, $4, $5, $6)
          RETURNING
            id,
@@ -282,7 +282,7 @@ export class OAuthConfigService {
 
       // Get existing config with secret_id
       const existingResult = await client.query(
-        `SELECT id, secret_id as "secretId" FROM _oauth_configs WHERE LOWER(provider) = LOWER($1)`,
+        `SELECT id, secret_id as "secretId" FROM auth.oauth_configs WHERE LOWER(provider) = LOWER($1)`,
         [provider]
       );
 
@@ -306,7 +306,7 @@ export class OAuthConfigService {
             value: input.clientSecret,
           });
           // Add secret_id to the update query
-          await client.query(`UPDATE _oauth_configs SET secret_id = $1 WHERE id = $2`, [
+          await client.query(`UPDATE auth.oauth_configs SET secret_id = $1 WHERE id = $2`, [
             secret.id,
             existingConfig.id,
           ]);
@@ -353,7 +353,7 @@ export class OAuthConfigService {
         values.push(provider.toLowerCase());
 
         const result = await client.query(
-          `UPDATE _oauth_configs
+          `UPDATE auth.oauth_configs
            SET ${updates.join(', ')}
            WHERE LOWER(provider) = $${paramCount}
            RETURNING
@@ -406,7 +406,7 @@ export class OAuthConfigService {
 
       // Get existing config with secret_id
       const existingResult = await client.query(
-        `SELECT id, secret_id as "secretId" FROM _oauth_configs WHERE LOWER(provider) = LOWER($1)`,
+        `SELECT id, secret_id as "secretId" FROM auth.oauth_configs WHERE LOWER(provider) = LOWER($1)`,
         [provider]
       );
 
@@ -419,13 +419,13 @@ export class OAuthConfigService {
 
       // Delete OAuth config (secret will be restricted due to foreign key)
       const result = await client.query(
-        'DELETE FROM _oauth_configs WHERE LOWER(provider) = LOWER($1)',
+        'DELETE FROM auth.oauth_configs WHERE LOWER(provider) = LOWER($1)',
         [provider]
       );
 
       // Try to delete the associated secret (will fail if still referenced)
       try {
-        await client.query('DELETE FROM _secrets WHERE id = $1', [existingConfig.secretId]);
+        await client.query('DELETE FROM system.secrets WHERE id = $1', [existingConfig.secretId]);
         logger.info('Associated secret deleted', { secretId: existingConfig.secretId });
       } catch {
         logger.warn('Could not delete associated secret, it may be in use elsewhere', {