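const db = require('../models');
const FileDBApi = require('./file');
const crypto = require('crypto');
const Utils = require('../utils');
const bcrypt = require('bcrypt');
const config = require('../../config');

const Sequelize = db.Sequelize;
const Op = Sequelize.Op;

/**
 * Lifetime of e-mail verification and password reset tokens: 24 hours
 * (was 6 minutes, which was too short for e-mail verification flows).
 */
const TOKEN_EXPIRY_MS = 24 * 60 * 60 * 1000;

/**
 * Text columns that findAll() may substring-match on.
 * `password`, `emailVerificationToken` and `passwordResetToken` are
 * deliberately absent: they are excluded from the result rows, but a
 * substring filter on them would still let a caller learn their contents
 * from which rows match.
 */
const TEXT_FILTER_COLUMNS = [
  'firstName',
  'lastName',
  'phoneNumber',
  'email',
  'provider',
];

/** True when a range bound was actually supplied (not undefined, null or ''). */
function hasValue(value) {
  return value !== undefined && value !== null && value !== '';
}

/**
 * Return `where` extended with >= / <= bounds on `column` taken from a
 * `[start, end]` pair. Missing bounds are skipped; `where` is not mutated.
 */
function withRange(where, column, range) {
  if (!range) {
    return where;
  }

  const [start, end] = range;
  const bounds = { ...where[column] };
  let touched = false;

  if (hasValue(start)) {
    bounds[Op.gte] = start;
    touched = true;
  }
  if (hasValue(end)) {
    bounds[Op.lte] = end;
    touched = true;
  }

  return touched ? { ...where, [column]: bounds } : where;
}

/**
 * Build the "id is one of the valid UUIDs OR name contains one of the terms"
 * condition used for the role and permission filters.
 */
function nameOrIdMatch(terms, validUuids) {
  return {
    [Op.or]: [
      ...(validUuids.length > 0 ? [{ id: { [Op.in]: validUuids } }] : []),
      {
        name: {
          [Op.or]: terms.map((term) => ({ [Op.iLike]: `%${term}%` })),
        },
      },
    ],
  };
}

module.exports = class UsersDBApi {
  /**
   * Default includes for findBy() - minimal set for single user lookup.
   * Only loads avatar and app_role with permissions (needed for RBAC).
   */
  static get FIND_BY_INCLUDES() {
    return [
      { association: 'avatar' },
      {
        association: 'app_role',
        include: [{ association: 'permissions' }],
      },
    ];
  }

  /**
   * Minimal includes for findAll() - only app_role for list display.
   * Excludes avatar, custom_permissions (rarely needed in list views).
   */
  static get FIND_ALL_INCLUDES() {
    return [
      {
        model: db.roles,
        as: 'app_role',
        required: false,
      },
    ];
  }

  /**
   * Sensitive fields that should be excluded from query results.
   * findAll() also refuses to filter or sort on these columns.
   */
  static get SENSITIVE_FIELDS() {
    return [
      'password',
      'emailVerificationToken',
      'emailVerificationTokenExpiresAt',
      'passwordResetToken',
      'passwordResetTokenExpiresAt',
    ];
  }

  /**
   * Insert one user, attach its role, custom permissions and avatar files.
   *
   * The password is stored exactly as given; this method does not hash it.
   * NOTE(review): presumably the caller hashes it first - confirm.
   * NOTE(review): role, permissions, token and verification fields are taken
   * from `data.data` as-is, so callers must decide which of them a given
   * requester is allowed to set before calling this.
   *
   * @param {Object} data - Wrapper whose `data` property holds the user fields
   * @param {Object} [options] - `currentUser` (audit columns) and `transaction`
   * @returns {Promise<Object>} The created user instance
   */
  static async create(data, options) {
    const currentUser = (options && options.currentUser) || { id: null };
    const transaction = (options && options.transaction) || undefined;
    const input = data.data;

    const users = await db.users.create(
      {
        id: input.id || undefined,
        firstName: input.firstName || null,
        lastName: input.lastName || null,
        phoneNumber: input.phoneNumber || null,
        email: input.email || null,
        disabled: input.disabled || false,
        password: input.password || null,
        // `|| true` could never yield false; `??` keeps the default of true
        // while honouring an explicit `emailVerified: false`.
        emailVerified: input.emailVerified ?? true,
        emailVerificationToken: input.emailVerificationToken || null,
        emailVerificationTokenExpiresAt:
          input.emailVerificationTokenExpiresAt || null,
        passwordResetToken: input.passwordResetToken || null,
        passwordResetTokenExpiresAt: input.passwordResetTokenExpiresAt || null,
        provider: input.provider || null,
        importHash: input.importHash || null,
        createdById: currentUser.id,
        updatedById: currentUser.id,
      },
      { transaction },
    );

    if (input.app_role) {
      await users.setApp_role(input.app_role, { transaction });
    } else {
      // No role requested: fall back to the role named 'User' when it exists.
      const role = await db.roles.findOne({
        where: { name: 'User' },
        transaction,
      });
      if (role) {
        await users.setApp_role(role, { transaction });
      }
    }

    await users.setCustom_permissions(input.custom_permissions || [], {
      transaction,
    });

    await FileDBApi.replaceRelationFiles(
      {
        belongsTo: db.users.getTableName(),
        belongsToColumn: 'avatar',
        belongsToId: users.id,
      },
      input.avatar,
      options,
    );

    return users;
  }

  /**
   * Insert many users in one statement and attach each one's avatar files.
   * No role or custom permissions are assigned here, and passwords are
   * stored exactly as given (NOTE(review): confirm they arrive hashed).
   *
   * @param {Array<Object>} data - One plain object per user
   * @param {Object} [options] - `currentUser` (audit columns) and `transaction`
   * @returns {Promise<Array<Object>>} The created user instances
   */
  static async bulkImport(data, options) {
    const currentUser = (options && options.currentUser) || { id: null };
    const transaction = (options && options.transaction) || undefined;

    const usersData = data.map((item, index) => ({
      id: item.id || undefined,
      firstName: item.firstName || null,
      lastName: item.lastName || null,
      phoneNumber: item.phoneNumber || null,
      email: item.email || null,
      disabled: item.disabled || false,
      password: item.password || null,
      emailVerified: item.emailVerified || false,
      emailVerificationToken: item.emailVerificationToken || null,
      emailVerificationTokenExpiresAt:
        item.emailVerificationTokenExpiresAt || null,
      passwordResetToken: item.passwordResetToken || null,
      passwordResetTokenExpiresAt: item.passwordResetTokenExpiresAt || null,
      provider: item.provider || null,
      importHash: item.importHash || null,
      createdById: currentUser.id,
      updatedById: currentUser.id,
      // One second apart per row, so createdAt differs between imported rows.
      createdAt: new Date(Date.now() + index * 1000),
    }));

    const users = await db.users.bulkCreate(usersData, { transaction });

    // Row i of the result is paired with input item i for its avatar files.
    for (let i = 0; i < users.length; i++) {
      await FileDBApi.replaceRelationFiles(
        {
          belongsTo: db.users.getTableName(),
          belongsToColumn: 'avatar',
          belongsToId: users[i].id,
        },
        data[i].avatar,
        options,
      );
    }

    return users;
  }

  /**
   * Update one user, then its role, custom permissions and avatar files.
   * A new plaintext password in `data.password` is hashed with bcrypt before
   * it is stored; without one the stored hash is written back unchanged.
   * `data` is not modified.
   *
   * NOTE(review): when `data.emailVerified` is undefined the user is marked
   * as verified, so any update that omits the field verifies the address.
   * Kept as found - confirm this is intended.
   * NOTE(review): token and role fields are taken from `data` as-is; callers
   * must restrict which of them a given requester may change.
   *
   * @param {string} id - Primary key of the user
   * @param {Object} data - Fields to change; undefined fields are left alone
   * @param {Object} [options] - `currentUser` (audit columns) and `transaction`
   * @returns {Promise<Object>} The updated user instance
   */
  static async update(id, data, options) {
    const currentUser = (options && options.currentUser) || { id: null };
    const transaction = (options && options.transaction) || undefined;

    const users = await db.users.findByPk(id, { transaction });

    const appRole = data.app_role ? data.app_role : users?.app_role?.id;
    const customPermissions = data.custom_permissions
      ? data.custom_permissions
      : users?.custom_permissions?.map((item) => item.id);

    // bcrypt.hash() runs off the event loop; hashSync() would block every
    // other request for the duration of the hash.
    const password = data.password
      ? await bcrypt.hash(data.password, config.bcrypt.saltRounds)
      : users.password;

    const updatePayload = {};
    const copyIfDefined = [
      'firstName',
      'lastName',
      'phoneNumber',
      'email',
      'disabled',
    ];
    for (const key of copyIfDefined) {
      if (data[key] !== undefined) {
        updatePayload[key] = data[key];
      }
    }
    if (password !== undefined) {
      updatePayload.password = password;
    }
    updatePayload.emailVerified =
      data.emailVerified !== undefined ? data.emailVerified : true;
    const copyAfterVerified = [
      'emailVerificationToken',
      'emailVerificationTokenExpiresAt',
      'passwordResetToken',
      'passwordResetTokenExpiresAt',
      'provider',
    ];
    for (const key of copyAfterVerified) {
      if (data[key] !== undefined) {
        updatePayload[key] = data[key];
      }
    }
    updatePayload.updatedById = currentUser.id;

    await users.update(updatePayload, { transaction });

    if (appRole !== undefined) {
      await users.setApp_role(appRole, { transaction });
    }

    if (customPermissions !== undefined) {
      await users.setCustom_permissions(customPermissions, { transaction });
    }

    await FileDBApi.replaceRelationFiles(
      {
        belongsTo: db.users.getTableName(),
        belongsToColumn: 'avatar',
        belongsToId: users.id,
      },
      data.avatar,
      options,
    );

    return users;
  }

  /**
   * Record who deleted each user, then destroy the rows.
   * Runs inside the caller's transaction when one is supplied; otherwise a
   * new transaction is opened so the stamp and the destroy commit together.
   *
   * @param {Array<string>} ids - Primary keys to delete
   * @param {Object} [options] - `currentUser` (recorded as deletedBy) and `transaction`
   * @returns {Promise<Array<Object>>} The user instances that were deleted
   */
  static async deleteByIds(ids, options) {
    const currentUser = (options && options.currentUser) || { id: null };
    const transaction = (options && options.transaction) || undefined;

    const users = await db.users.findAll({
      where: { id: { [Op.in]: ids } },
      transaction,
    });

    const stampAndDestroy = async (tx) => {
      for (const record of users) {
        await record.update({ deletedBy: currentUser.id }, { transaction: tx });
      }
      for (const record of users) {
        await record.destroy({ transaction: tx });
      }
    };

    if (transaction) {
      // Previously a separate transaction was always opened here, so the
      // deletes could commit even if the caller later rolled back.
      await stampAndDestroy(transaction);
    } else {
      await db.sequelize.transaction(stampAndDestroy);
    }

    return users;
  }

  /**
   * Record who deleted one user, then destroy the row.
   *
   * @param {string} id - Primary key of the user
   * @param {Object} [options] - `currentUser` (recorded as deletedBy) and `transaction`
   * @returns {Promise<Object>} The deleted user instance
   */
  static async remove(id, options) {
    const currentUser = (options && options.currentUser) || { id: null };
    const transaction = (options && options.transaction) || undefined;

    const users = await db.users.findByPk(id, { transaction });

    await users.update({ deletedBy: currentUser.id }, { transaction });
    await users.destroy({ transaction });

    return users;
  }

  /**
   * Find a single user by criteria.
   * Uses minimal includes by default (avatar + app_role with permissions).
   * The result is a plain object holding every column, including the
   * SENSITIVE_FIELDS, so it must not be serialised to a client as-is.
   *
   * @param {Object} where - Query conditions
   * @param {Object} [options] - Options including transaction and custom includes
   * @param {Array} [options.include] - Override default includes if needed
   * @returns {Promise<Object|null>} Plain user object, or null when none matches
   */
  static async findBy(where, options) {
    const transaction = (options && options.transaction) || undefined;
    const include = options?.include ?? this.FIND_BY_INCLUDES;

    const users = await db.users.findOne({ where, transaction, include });
    if (!users) {
      return users;
    }

    const output = users.get({ plain: true });

    // Map nested permissions from app_role for backward compatibility
    if (output.app_role) {
      output.app_role_permissions = output.app_role.permissions || [];
    }

    return output;
  }

  /**
   * Lightweight user lookup for JWT authentication.
   * Only loads essential fields and app_role with permissions for RBAC;
   * no password or token column is selected.
   * Optimized for the auth flow that runs on every authenticated request.
   * `disabled` is returned but not checked here.
   * NOTE(review): presumably the caller rejects disabled accounts - confirm.
   *
   * @param {Object} where - Query conditions
   * @param {Object} [options] - `transaction`
   * @returns {Promise<Object|null>} Plain user object, or null when none matches
   */
  static async findByForAuth(where, options) {
    const transaction = (options && options.transaction) || undefined;

    const user = await db.users.findOne({
      where,
      transaction,
      attributes: [
        'id',
        'email',
        'disabled',
        'firstName',
        'lastName',
        'app_roleId',
      ],
      include: [
        {
          association: 'app_role',
          include: [{ association: 'permissions' }],
        },
      ],
    });
    if (!user) {
      return user;
    }

    const output = user.get({ plain: true });

    // Map nested permissions from app_role for backward compatibility
    if (output.app_role) {
      output.app_role_permissions = output.app_role.permissions || [];
    }

    return output;
  }

  /**
   * List users matching `filter`, with paging, sorting and a total count.
   * SENSITIVE_FIELDS are excluded from the rows. Filters on `password`,
   * `emailVerificationToken` and `passwordResetToken` are ignored and sorting
   * on a sensitive column falls back to the default order, so the secret
   * columns cannot be probed through match results or row order.
   *
   * @param {Object} [filter] - Field filters plus `limit`, `page`, `field`, `sort`
   * @param {Object} [options] - `transaction`; `countOnly` skips paging and rows
   * @returns {Promise<{rows: Array<Object>, count: number}>}
   */
  static async findAll(filter, options) {
    const criteria = filter || {};
    const limit = criteria.limit || 0;
    const offset = +criteria.page * limit;

    const appRoleTerms = criteria.app_role ? criteria.app_role.split('|') : [];
    const appRoleValidUuids = Utils.filterValidUuids(appRoleTerms);

    // Use lightweight includes for list view (only app_role, no custom_permissions or avatar)
    let include = [
      {
        model: db.roles,
        as: 'app_role',
        required: false,
        where: criteria.app_role
          ? nameOrIdMatch(appRoleTerms, appRoleValidUuids)
          : {},
      },
    ];
    let where = {};

    if (criteria.id) {
      if (!Utils.isValidUuid(criteria.id)) {
        return { rows: [], count: 0 };
      }
      where = { ...where, id: criteria.id };
    }

    // Every text filter is collected into one Op.and list. Assigning each
    // condition to the single Op.and key let the last filter overwrite the
    // earlier ones, so only one of several text filters was ever applied.
    const textConditions = TEXT_FILTER_COLUMNS.filter(
      (column) => criteria[column],
    ).map((column) => Utils.ilike('users', column, criteria[column]));
    if (textConditions.length > 0) {
      where = { ...where, [Op.and]: textConditions };
    }

    where = withRange(
      where,
      'emailVerificationTokenExpiresAt',
      criteria.emailVerificationTokenExpiresAtRange,
    );
    where = withRange(
      where,
      'passwordResetTokenExpiresAt',
      criteria.passwordResetTokenExpiresAtRange,
    );

    if (criteria.active !== undefined) {
      where = {
        ...where,
        active: criteria.active === true || criteria.active === 'true',
      };
    }

    if (criteria.disabled) {
      where = { ...where, disabled: criteria.disabled };
    }

    if (criteria.emailVerified) {
      where = { ...where, emailVerified: criteria.emailVerified };
    }

    if (criteria.custom_permissions) {
      const searchTerms = criteria.custom_permissions.split('|');
      const permissionValidUuids = Utils.filterValidUuids(searchTerms);

      include = [
        {
          model: db.permissions,
          as: 'custom_permissions_filter',
          required: searchTerms.length > 0,
          where:
            searchTerms.length > 0
              ? nameOrIdMatch(searchTerms, permissionValidUuids)
              : undefined,
        },
        ...include,
      ];
    }

    where = withRange(where, 'createdAt', criteria.createdAtRange);

    const sortRequested =
      criteria.field &&
      criteria.sort &&
      !this.SENSITIVE_FIELDS.includes(criteria.field);

    const queryOptions = {
      attributes: { exclude: this.SENSITIVE_FIELDS },
      where,
      include,
      distinct: true,
      order: sortRequested
        ? [[criteria.field, criteria.sort]]
        : [['createdAt', 'desc']],
      transaction: options?.transaction,
    };

    if (!options?.countOnly) {
      queryOptions.limit = limit ? Number(limit) : undefined;
      queryOptions.offset = offset ? Number(offset) : undefined;
    }

    try {
      const { rows, count } = await db.users.findAndCountAll(queryOptions);

      return {
        rows: options?.countOnly ? [] : rows,
        count,
      };
    } catch (error) {
      console.error('Error executing query:', error);
      throw error;
    }
  }

  /**
   * Return `{ id, label }` pairs for an autocomplete widget, matching the
   * query against firstName (and against id when the query is a valid UUID),
   * ordered by firstName.
   *
   * @param {string} [query] - Search text; when empty no condition is applied
   * @param {number|string} [limit] - Maximum rows
   * @param {number|string} [offset] - Rows to skip
   * @returns {Promise<Array<{id: string, label: string}>>}
   */
  static async findAllAutocomplete(query, limit, offset) {
    let where = {};

    if (query) {
      const orConditions = [Utils.ilike('users', 'firstName', query)];
      if (Utils.isValidUuid(query)) {
        orConditions.unshift({ id: query });
      }
      where = { [Op.or]: orConditions };
    }

    const records = await db.users.findAll({
      attributes: ['id', 'firstName'],
      where,
      limit: limit ? Number(limit) : undefined,
      offset: offset ? Number(offset) : undefined,
      // The finder option is `order`; the former `orderBy` key was ignored,
      // so results came back unsorted.
      order: [['firstName', 'ASC']],
    });

    return records.map((record) => ({
      id: record.id,
      label: record.firstName,
    }));
  }

  /**
   * Create a user from the sign-up flow and give it the default role
   * (`config.roles.user`, else 'User') when that role exists.
   * The password is stored exactly as given.
   * NOTE(review): presumably the caller hashes it first - confirm.
   *
   * @param {Object} data - `email`, `firstName`, `authenticationUid`, `password`
   * @param {Object} [options] - `transaction`
   * @returns {Promise<Object>} The created user with the password value removed
   */
  static async createFromAuth(data, options) {
    const transaction = (options && options.transaction) || undefined;

    const users = await db.users.create(
      {
        email: data.email,
        firstName: data.firstName,
        authenticationUid: data.authenticationUid,
        password: data.password,
      },
      { transaction },
    );

    const app_role = await db.roles.findOne({
      where: { name: config.roles?.user || 'User' },
      transaction,
    });
    if (app_role?.id) {
      await users.setApp_role(app_role.id, { transaction });
    }

    await users.update({ authenticationUid: users.id }, { transaction });

    // Sequelize keeps column values in `dataValues` and exposes them through
    // accessors, so `delete users.password` alone leaves the hash in the
    // instance and in its JSON form. Remove the stored value as well.
    if (users.dataValues) {
      delete users.dataValues.password;
    }
    delete users.password;

    return users;
  }

  /**
   * Store a new password for one user and set authenticationUid to the id.
   * The value is written exactly as given; unlike update(), nothing is
   * hashed here.
   * NOTE(review): presumably the caller passes a hash - confirm.
   *
   * @param {string} id - Primary key of the user
   * @param {string} password - Value to store in the password column
   * @param {Object} [options] - `currentUser` (audit columns) and `transaction`
   * @returns {Promise<Object>} The updated user instance
   */
  static async updatePassword(id, password, options) {
    const currentUser = (options && options.currentUser) || { id: null };
    const transaction = (options && options.transaction) || undefined;

    const users = await db.users.findByPk(id, { transaction });

    await users.update(
      {
        password,
        authenticationUid: id,
        updatedById: currentUser.id,
      },
      { transaction },
    );

    return users;
  }

  /**
   * Issue an e-mail verification token for the user with this address.
   *
   * @param {string} email - Address to look up (lower-cased before the query)
   * @param {Object} [options] - `currentUser` (audit columns) and `transaction`
   * @returns {Promise<string>} The new token
   */
  static async generateEmailVerificationToken(email, options) {
    return this._generateToken(
      ['emailVerificationToken', 'emailVerificationTokenExpiresAt'],
      email,
      options,
    );
  }

  /**
   * Issue a password reset token for the user with this address.
   *
   * @param {string} email - Address to look up (lower-cased before the query)
   * @param {Object} [options] - `currentUser` (audit columns) and `transaction`
   * @returns {Promise<string>} The new token
   */
  static async generatePasswordResetToken(email, options) {
    return this._generateToken(
      ['passwordResetToken', 'passwordResetTokenExpiresAt'],
      email,
      options,
    );
  }

  /**
   * Find the user holding an unexpired password reset token.
   * Anything other than a non-empty string is rejected without a query, so
   * null, arrays or objects from a parsed request cannot turn the equality
   * test into a different kind of condition.
   *
   * @param {string} token - Token as sent to the user
   * @param {Object} [options] - `transaction`
   * @returns {Promise<Object|null>} The user instance, or null
   */
  static async findByPasswordResetToken(token, options) {
    if (typeof token !== 'string' || token === '') {
      return null;
    }
    const transaction = (options && options.transaction) || undefined;

    return db.users.findOne({
      where: {
        passwordResetToken: token,
        passwordResetTokenExpiresAt: { [Op.gt]: Date.now() },
      },
      transaction,
    });
  }

  /**
   * Find the user holding an unexpired e-mail verification token.
   * Anything other than a non-empty string is rejected without a query.
   *
   * @param {string} token - Token as sent to the user
   * @param {Object} [options] - `transaction`
   * @returns {Promise<Object|null>} The user instance, or null
   */
  static async findByEmailVerificationToken(token, options) {
    if (typeof token !== 'string' || token === '') {
      return null;
    }
    const transaction = (options && options.transaction) || undefined;

    return db.users.findOne({
      where: {
        emailVerificationToken: token,
        emailVerificationTokenExpiresAt: { [Op.gt]: Date.now() },
      },
      transaction,
    });
  }

  /**
   * Set emailVerified to true for one user.
   *
   * @param {string} id - Primary key of the user
   * @param {Object} [options] - `currentUser` (audit columns) and `transaction`
   * @returns {Promise<boolean>} Always true
   */
  static async markEmailVerified(id, options) {
    const currentUser = (options && options.currentUser) || { id: null };
    const transaction = (options && options.transaction) || undefined;

    const users = await db.users.findByPk(id, { transaction });

    await users.update(
      {
        emailVerified: true,
        updatedById: currentUser.id,
      },
      { transaction },
    );

    return true;
  }

  /**
   * Generate a random token (20 bytes from the CSPRNG, hex-encoded) and store
   * it with its expiry on the user with the given address.
   * A token is returned even when no user matches; in that case nothing is
   * stored, and the return value alone does not show whether the address is
   * registered.
   * NOTE(review): the token is persisted in the same form that is returned,
   * so read access to the users table yields usable tokens. Storing only a
   * digest would also require changing the find-by-token lookups.
   *
   * @param {Array<string>} keyNames - [token column, expiry column]
   * @param {string} email - Address to look up (lower-cased before the query)
   * @param {Object} [options] - `currentUser` (audit columns) and `transaction`
   * @returns {Promise<string>} The new token
   */
  static async _generateToken(keyNames, email, options) {
    const currentUser = (options && options.currentUser) || { id: null };
    const transaction = (options && options.transaction) || undefined;
    const [tokenColumn, expiryColumn] = keyNames;

    const users = await db.users.findOne({
      where: { email: email.toLowerCase() },
      transaction,
    });

    const token = crypto.randomBytes(20).toString('hex');
    const tokenExpiresAt = Date.now() + TOKEN_EXPIRY_MS;

    if (users) {
      await users.update(
        {
          [tokenColumn]: token,
          [expiryColumn]: tokenExpiresAt,
          updatedById: currentUser.id,
        },
        { transaction },
      );
    }

    return token;
  }
};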