admin/40227-vm
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
40227-vm/backend/src/services/users.ts

617 lines
18 KiB
TypeScript
Raw Blame History

import crypto from 'crypto';
import { PassThrough } from 'stream';
import csv from 'csv-parser';
import bcrypt from 'bcrypt';
import type { Transaction } from 'sequelize';
import db from '@/db/models';
import UsersDBApi from '@/db/api/users';
import OrganizationsDBApi from '@/db/api/organizations';
import ValidationError from '@/shared/errors/validation';
import AuthService from '@/services/auth';
import {
assertCanAssignUserRole,
assertCanCreateUserWithRole,
assertCanDeleteUserWithRole,
assertCanUpdateUserWithRole,
} from '@/services/shared/role-policy';
import { getOrganizationId, hasGlobalAccess } from '@/services/shared/access';
import { ROLE_NAMES, ROLE_SCOPES } from '@/shared/constants/roles';
import config from '@/shared/config';
import type { AuthenticatedUser, CurrentUser, FileInput } from '@/db/api/types';
/**
* A non-global actor may only manage users in its own organization. Cross-tenant
* targets are reported as not-found so existence is not leaked.
*/
function assertSameTenant(
currentUser: CurrentUser | undefined,
target: AuthenticatedUser,
): void {
if (hasGlobalAccess(currentUser)) return;
const actorOrg = getOrganizationId(currentUser);
if (!actorOrg || actorOrg !== target.organizationId) {
throw new ValidationError('iam.errors.userNotFound');
}
}
type CreateData = Parameters<typeof UsersDBApi.create>[0]['data'];
type UpdateData = Parameters<typeof UsersDBApi.update>[1];
type ListFilter = Parameters<typeof UsersDBApi.findAll>[0];
type BulkRow = Parameters<typeof UsersDBApi.bulkImport>[0][number];
type InvitationCredential = {
email: string;
temporaryPassword: string;
};
interface CreateUserResult {
id: string;
organizationId: string | null;
temporaryPassword?: string;
}
const TEMPORARY_PASSWORD_BYTES = 18;
function generateTemporaryPassword(): string {
return crypto.randomBytes(TEMPORARY_PASSWORD_BYTES).toString('base64url');
}
async function hashPassword(password: string): Promise<string> {
return bcrypt.hash(password, config.bcrypt.saltRounds);
}
async function setGeneratedTemporaryPassword(
data: CreateData | BulkRow,
): Promise<InvitationCredential> {
const email = String(data.email ?? '');
const temporaryPassword = generateTemporaryPassword();
data.password = await hashPassword(temporaryPassword);
data.emailVerified = true;
return { email, temporaryPassword };
}
async function hashIncomingPassword(data: UpdateData): Promise<void> {
if (typeof data.password === 'string') {
data.password = await hashPassword(data.password);
}
}
/** Parses an uploaded CSV buffer into bulk-import rows. */
function parseCsvRows(fileBuffer: Buffer): Promise<BulkRow[]> {
const bufferStream = new PassThrough();
const results: BulkRow[] = [];
bufferStream.end(Buffer.from(fileBuffer));
return new Promise((resolve, reject) => {
bufferStream
.pipe(csv())
.on('data', (row: BulkRow) => results.push(row))
.on('end', () => resolve(results))
.on('error', reject);
});
}
async function normalizeTenantAssignment(
data: CreateData | UpdateData,
transaction: Transaction,
): Promise<void> {
if (data.classId) {
const cls = await db.classes.findByPk(data.classId, {
attributes: ['id', 'campusId', 'organizationId'],
transaction,
});
if (!cls) throw new ValidationError('classesNotFound');
data.campusId = cls.campusId;
data.organizations = cls.organizationId ?? data.organizations;
}
if (data.campusId) {
const campus = await db.campuses.findByPk(data.campusId, {
attributes: ['id', 'organizationId', 'schoolId'],
transaction,
});
if (!campus) throw new ValidationError('campusesNotFound');
data.schoolId = campus.schoolId;
data.organizations = campus.organizationId ?? data.organizations;
}
if (data.schoolId) {
const school = await db.schools.findByPk(data.schoolId, {
attributes: ['id', 'organizationId'],
transaction,
});
if (!school) throw new ValidationError('schoolsNotFound');
data.organizations = school.organizationId ?? data.organizations;
}
}
function normalizeAvatarInput(data: CreateData | UpdateData): void {
const rawAvatar = (data as { avatar?: unknown }).avatar;
if (rawAvatar === null) {
data.avatar = [];
return;
}
if (typeof rawAvatar !== 'string') {
return;
}
if (rawAvatar.length === 0) {
data.avatar = [];
return;
}
const privateUrl = rawAvatar;
const name = privateUrl.split('/').pop() || 'avatar';
data.avatar = [{ new: true, name, privateUrl, publicUrl: privateUrl }] satisfies FileInput[];
}
function assertNoCustomPermissionChanges(data: CreateData | UpdateData): void {
if (
data.custom_permissions !== undefined
|| data.custom_permissions_filter !== undefined
) {
throw new ValidationError('auth.forbidden');
}
}
function assertClassScopedUserCreate(
currentUser: CurrentUser | undefined,
targetRole: string | null | undefined,
data: CreateData,
): void {
if (currentUser?.app_role?.scope !== ROLE_SCOPES.CLASS) {
return;
}
if (!currentUser.classId) {
throw new ValidationError('auth.forbidden');
}
if (targetRole === ROLE_NAMES.STUDENT && data.classId === currentUser.classId) {
assertNoCustomPermissionChanges(data);
return;
}
if (
targetRole === ROLE_NAMES.GUARDIAN
&& data.classId === undefined
&& data.campusId === undefined
&& data.schoolId === undefined
&& (data.organizations === undefined || data.organizations === null)
) {
assertNoCustomPermissionChanges(data);
return;
}
throw new ValidationError('auth.forbidden');
}
async function isGuardianLinkedToCurrentClass(
guardianId: string,
classId: string,
transaction: Transaction,
): Promise<boolean> {
const directClassLink = await db.guardian_students.findOne({
where: { guardianId },
include: [
{
model: db.users,
as: 'student',
attributes: ['id', 'classId'],
where: { classId },
required: true,
},
],
transaction,
});
if (directClassLink) {
return true;
}
const link = await db.guardian_students.findOne({
where: { guardianId },
include: [
{
model: db.users,
as: 'student',
attributes: ['id'],
required: true,
include: [
{
model: db.class_enrollments,
as: 'class_enrollments_student',
attributes: ['id'],
where: { classId },
required: true,
},
],
},
],
transaction,
});
return Boolean(link);
}
async function isStudentInClass(
studentId: string,
classId: string,
transaction: Transaction,
): Promise<boolean> {
const enrollment = await db.class_enrollments.findOne({
where: { studentId, classId },
attributes: ['id'],
transaction,
});
return Boolean(enrollment);
}
async function assertClassScopedUserUpdate(
currentUser: CurrentUser | undefined,
target: AuthenticatedUser,
nextRole: string | null | undefined,
data: UpdateData,
transaction: Transaction,
): Promise<void> {
if (currentUser?.app_role?.scope !== ROLE_SCOPES.CLASS) {
return;
}
if (!currentUser.classId) {
throw new ValidationError('auth.forbidden');
}
const targetRole = target.app_role?.name ?? null;
const targetClassId = target.classId ?? null;
const requestedClassId = data.classId !== undefined ? data.classId : targetClassId;
const targetIsInCurrentClass = targetRole === ROLE_NAMES.STUDENT && (
targetClassId === currentUser.classId
|| await isStudentInClass(target.id, currentUser.classId, transaction)
);
const requestedClassIsAllowed =
requestedClassId === null || requestedClassId === currentUser.classId;
if (
targetRole === ROLE_NAMES.STUDENT
&& nextRole === ROLE_NAMES.STUDENT
&& targetIsInCurrentClass
&& requestedClassIsAllowed
) {
assertNoCustomPermissionChanges(data);
return;
}
if (
targetRole === ROLE_NAMES.GUARDIAN
&& nextRole === ROLE_NAMES.GUARDIAN
&& data.classId === undefined
&& data.campusId === undefined
&& data.schoolId === undefined
&& data.organizations === undefined
&& await isGuardianLinkedToCurrentClass(target.id, currentUser.classId, transaction)
) {
assertNoCustomPermissionChanges(data);
return;
}
assertNoCustomPermissionChanges(data);
throw new ValidationError('auth.forbidden');
}
class UsersService {
static async create(
data: CreateData,
currentUser?: CurrentUser,
sendInvitationEmails = true,
host?: string,
) {
const transaction = await db.sequelize.transaction();
const globalAccess = currentUser?.app_role?.globalAccess ?? false;
const email = data.email;
const invitationsToSend: InvitationCredential[] = [];
let createdId: string;
let createdOrganizationId: string | null = null;
try {
if (email) {
const user = await UsersDBApi.findBy({ email }, { transaction });
if (user) {
throw new ValidationError('iam.errors.userAlreadyExists');
}
// Relational policy: the actor must be allowed to assign this role.
if (data.app_role) {
const newRole = await db.roles.findByPk(data.app_role, {
transaction,
});
assertCanCreateUserWithRole(currentUser, newRole?.name ?? null);
assertClassScopedUserCreate(currentUser, newRole?.name ?? null, data);
// §3.4 provisioning: creating an `owner` auto-creates the company and
// links the owner to it. The org starts minimal; the owner fills it in.
if (newRole?.name === ROLE_NAMES.OWNER && !data.organizations) {
const organization = await OrganizationsDBApi.create(
{},
{ currentUser, transaction },
);
data.organizations = organization.id;
createdOrganizationId = organization.id;
}
} else {
assertClassScopedUserCreate(currentUser, null, data);
}
// Non-global actors create users only within their own organization.
if (!globalAccess && !data.organizations) {
const actorOrg = getOrganizationId(currentUser);
if (actorOrg) data.organizations = actorOrg;
}
await normalizeTenantAssignment(data, transaction);
normalizeAvatarInput(data);
const invitation = await setGeneratedTemporaryPassword(data);
const created = await UsersDBApi.create({ data }, globalAccess, {
currentUser,
transaction,
});
createdId = created.id;
invitationsToSend.push(invitation);
} else {
throw new ValidationError('iam.errors.emailRequired');
}
await transaction.commit();
} catch (error) {
await transaction.rollback();
throw error;
}
if (invitationsToSend.length && sendInvitationEmails && AuthService.isEmailConfigured()) {
await Promise.all(
invitationsToSend.map((invitation) =>
AuthService.sendInvitationEmail(
invitation.email,
invitation.temporaryPassword,
host,
),
),
);
}
const result: CreateUserResult = {
id: createdId,
organizationId: createdOrganizationId,
};
const createdInvitation = invitationsToSend[0];
if (createdInvitation && !AuthService.isEmailConfigured()) {
result.temporaryPassword = createdInvitation.temporaryPassword;
}
return result;
}
static async createOwnerWithOrganization(
data: Omit<CreateData, 'app_role' | 'organizations'>,
currentUser?: CurrentUser,
sendInvitationEmails = true,
host?: string,
) {
const ownerRole = await db.roles.findOne({
where: { name: ROLE_NAMES.OWNER },
});
if (!ownerRole?.id) {
throw new ValidationError('iam.errors.roleNotFound');
}
return UsersService.create(
{
...data,
app_role: ownerRole.id,
organizations: null,
},
currentUser,
sendInvitationEmails,
host,
);
}
static async bulkImport(
fileBuffer: Buffer,
currentUser?: CurrentUser,
sendInvitationEmails = true,
host?: string,
) {
const rows = await parseCsvRows(fileBuffer);
const invitationsToSend: InvitationCredential[] = [];
const transaction = await db.sequelize.transaction();
try {
const hasAllEmails = rows.every((row) => row.email);
if (!hasAllEmails) {
throw new ValidationError('importer.errors.userEmailMissing');
}
for (const row of rows) {
if (!row.app_role) continue;
const role = await db.roles.findByPk(row.app_role, { transaction });
assertCanCreateUserWithRole(currentUser, role?.name ?? null);
}
for (const row of rows) {
invitationsToSend.push(await setGeneratedTemporaryPassword(row));
}
const createdUsers = await UsersDBApi.bulkImport(rows, {
transaction,
ignoreDuplicates: true,
validate: true,
currentUser,
});
const credentialsByEmail = new Map(
invitationsToSend.map((invitation) => [invitation.email, invitation]),
);
invitationsToSend.splice(
0,
invitationsToSend.length,
...createdUsers
.map((user) => credentialsByEmail.get(user.email))
.filter((invitation): invitation is InvitationCredential => Boolean(invitation)),
);
await transaction.commit();
} catch (error) {
await transaction.rollback();
throw error;
}
if (invitationsToSend.length && sendInvitationEmails && AuthService.isEmailConfigured()) {
await Promise.all(
invitationsToSend.map((invitation) =>
AuthService.sendInvitationEmail(
invitation.email,
invitation.temporaryPassword,
host,
),
),
);
}
}
static async update(data: UpdateData, id: string, currentUser?: CurrentUser) {
const transaction = await db.sequelize.transaction();
const globalAccess = currentUser?.app_role?.globalAccess ?? false;
try {
const users = await UsersDBApi.findBy({ id }, { transaction });
if (!users) {
throw new ValidationError('iam.errors.userNotFound');
}
// Tenant + relational policy: the target must be in the actor's org, and
// the actor must be allowed to manage the target's current role (and the
// new role if it is being reassigned).
assertSameTenant(currentUser, users);
assertCanUpdateUserWithRole(currentUser, users.app_role?.name ?? null);
const newRole = data.app_role
? await db.roles.findByPk(data.app_role, { transaction })
: null;
if (data.app_role !== undefined) {
assertCanAssignUserRole(
currentUser,
users.app_role?.name ?? null,
newRole?.name ?? null,
);
}
await normalizeTenantAssignment(data, transaction);
await assertClassScopedUserUpdate(
currentUser,
users,
data.app_role !== undefined ? newRole?.name ?? null : users.app_role?.name ?? null,
data,
transaction,
);
normalizeAvatarInput(data);
await hashIncomingPassword(data);
const updatedUser = await UsersDBApi.update(id, data, globalAccess, {
currentUser,
transaction,
});
await transaction.commit();
return updatedUser;
} catch (error) {
await transaction.rollback();
throw error;
}
}
static async remove(id: string, currentUser?: CurrentUser) {
const transaction = await db.sequelize.transaction();
try {
if (currentUser?.id === id) {
throw new ValidationError('iam.errors.deletingHimself');
}
const target = await UsersDBApi.findBy({ id }, { transaction });
if (!target) {
throw new ValidationError('iam.errors.userNotFound');
}
// Tenant + relational policy: the target must be in the actor's org, and
// the actor must be allowed to delete the target's role (e.g. a
// superintendent cannot delete an owner or another superintendent).
assertSameTenant(currentUser, target);
assertCanDeleteUserWithRole(currentUser, target.app_role?.name ?? null);
await UsersDBApi.remove(id, { currentUser, transaction });
await transaction.commit();
} catch (error) {
await transaction.rollback();
throw error;
}
}
static async deleteByIds(ids: string[], currentUser?: CurrentUser) {
const transaction = await db.sequelize.transaction();
try {
if (currentUser?.id && ids.includes(currentUser.id)) {
throw new ValidationError('iam.errors.deletingHimself');
}
for (const id of ids) {
const target = await UsersDBApi.findBy({ id }, { transaction });
if (target) {
assertSameTenant(currentUser, target);
assertCanDeleteUserWithRole(
currentUser,
target.app_role?.name ?? null,
);
}
}
await UsersDBApi.deleteByIds(ids, { currentUser, transaction });
await transaction.commit();
} catch (error) {
await transaction.rollback();
throw error;
}
}
static list(
filter: ListFilter,
globalAccess: boolean,
currentUser?: CurrentUser,
) {
return UsersDBApi.findAll(filter, globalAccess, { currentUser });
}
static count(
filter: ListFilter,
globalAccess: boolean,
currentUser?: CurrentUser,
) {
return UsersDBApi.findAll(filter, globalAccess, {
countOnly: true,
currentUser,
});
}
static autocomplete(
query: string | undefined,
limit: number | undefined,
offset: number | undefined,
globalAccess: boolean,
organizationId?: string,
) {
return UsersDBApi.findAllAutocomplete(
query,
limit,
offset,
globalAccess,
organizationId,
);
}
static findById(id: string) {
return UsersDBApi.findBy({ id });
}
}
export default UsersService;
Reference in New Issue View Git Blame Copy Permalink