diff --git a/server/db.test.ts b/server/db.test.ts index b78bba8..b7accf5 100644 --- a/server/db.test.ts +++ b/server/db.test.ts @@ -1,6 +1,10 @@ import { afterEach, describe, expect, it, setSystemTime } from 'bun:test' import { createEmptyBook, createEmptyTeachingDesign } from '../src/domain/teachingDesign' -import { createBook, deleteBook, getBook, listBooks, openDb, renameBook, saveBookData } from './db' +import { + createBook, deleteBook, getBook, listBooks, openDb, renameBook, saveBookData, + createUser, findUserByUsername, findUserById, listUsers, deleteUser, + createRefreshToken, findRefreshTokenByHash, deleteRefreshTokenByHash, +} from './db' afterEach(() => { setSystemTime() @@ -93,3 +97,66 @@ describe('db', () => { expect(deleteBook(db, 'missing')).toBe(false) }) }) + +describe('users and refresh tokens', () => { + it('creates a user and finds them by username', () => { + const db = openDb(':memory:') + const user = createUser(db, { username: 'alice', passwordHash: 'hash1', role: 'user' }) + + expect(user.username).toBe('alice') + expect(user.role).toBe('user') + expect(findUserByUsername(db, 'alice')).toEqual(user) + }) + + it('returns null for unknown username', () => { + const db = openDb(':memory:') + expect(findUserByUsername(db, 'nobody')).toBeNull() + }) + + it('finds user by id', () => { + const db = openDb(':memory:') + const user = createUser(db, { username: 'bob', passwordHash: 'hash2', role: 'admin' }) + expect(findUserById(db, user.id)).toEqual(user) + }) + + it('lists users ordered by creation time', () => { + const db = openDb(':memory:') + const a = createUser(db, { username: 'alice', passwordHash: 'h', role: 'user' }) + const b = createUser(db, { username: 'bob', passwordHash: 'h', role: 'admin' }) + const list = listUsers(db) + expect(list.map((u) => u.id)).toEqual([a.id, b.id]) + expect(list[0]).not.toHaveProperty('passwordHash') + }) + + it('deletes a user and cascades to refresh tokens', () => { + const db = openDb(':memory:') + const user = createUser(db, { username: 'carol', passwordHash: 'h', role: 'user' }) + createRefreshToken(db, { userId: user.id, tokenHash: 'hash123', expiresAt: '2099-01-01T00:00:00.000Z' }) + + expect(deleteUser(db, user.id)).toBe(true) + expect(findUserByUsername(db, 'carol')).toBeNull() + expect(findRefreshTokenByHash(db, 'hash123')).toBeNull() + }) + + it('returns false when deleting missing user', () => { + const db = openDb(':memory:') + expect(deleteUser(db, 'missing')).toBe(false) + }) + + it('creates and finds a refresh token by hash', () => { + const db = openDb(':memory:') + const user = createUser(db, { username: 'dave', passwordHash: 'h', role: 'user' }) + const token = createRefreshToken(db, { userId: user.id, tokenHash: 'abc123', expiresAt: '2099-01-01T00:00:00.000Z' }) + + expect(findRefreshTokenByHash(db, 'abc123')).toEqual(token) + }) + + it('deletes a refresh token by hash', () => { + const db = openDb(':memory:') + const user = createUser(db, { username: 'eve', passwordHash: 'h', role: 'user' }) + createRefreshToken(db, { userId: user.id, tokenHash: 'xyz', expiresAt: '2099-01-01T00:00:00.000Z' }) + + expect(deleteRefreshTokenByHash(db, 'xyz')).toBe(true) + expect(findRefreshTokenByHash(db, 'xyz')).toBeNull() + }) +}) diff --git a/server/db.ts b/server/db.ts index ff22733..4b3b070 100644 --- a/server/db.ts +++ b/server/db.ts @@ -28,6 +28,29 @@ interface BookRow { updated_at: string } +export interface UserRecord { + id: string + username: string + passwordHash: string + role: 'admin' | 'user' + createdAt: string +} + +export interface UserSummary { + id: string + username: string + role: 'admin' | 'user' + createdAt: string +} + +export interface RefreshTokenRecord { + id: string + userId: string + tokenHash: string + expiresAt: string + createdAt: string +} + const SCHEMA = ` CREATE TABLE IF NOT EXISTS books ( id TEXT PRIMARY KEY, @@ -35,11 +58,28 @@ const SCHEMA = ` data TEXT NOT NULL, created_at TEXT NOT NULL, updated_at TEXT NOT NULL + ); + + CREATE TABLE IF NOT EXISTS users ( + id TEXT PRIMARY KEY, + username TEXT NOT NULL UNIQUE, + password_hash TEXT NOT NULL, + role TEXT NOT NULL DEFAULT 'user', + created_at TEXT NOT NULL + ); + + CREATE TABLE IF NOT EXISTS refresh_tokens ( + id TEXT PRIMARY KEY, + user_id TEXT NOT NULL REFERENCES users(id) ON DELETE CASCADE, + token_hash TEXT NOT NULL, + expires_at TEXT NOT NULL, + created_at TEXT NOT NULL ) ` export function openDb(path: string): Database { const db = new Database(path) + db.run('PRAGMA foreign_keys = ON') db.run(SCHEMA) return db } @@ -115,3 +155,81 @@ export function deleteBook(db: Database, id: string): boolean { const result = db.run('DELETE FROM books WHERE id = ?', [id]) return result.changes > 0 } + +export function createUser( + db: Database, + params: { username: string; passwordHash: string; role: 'admin' | 'user' }, +): UserRecord { + const id = crypto.randomUUID() + const now = new Date().toISOString() + db.run('INSERT INTO users (id, username, password_hash, role, created_at) VALUES (?, ?, ?, ?, ?)', [ + id, + params.username, + params.passwordHash, + params.role, + now, + ]) + return { id, username: params.username, passwordHash: params.passwordHash, role: params.role, createdAt: now } +} + +export function findUserByUsername(db: Database, username: string): UserRecord | null { + const row = db + .query<{ id: string; username: string; password_hash: string; role: string; created_at: string }, [string]>( + 'SELECT id, username, password_hash, role, created_at FROM users WHERE username = ?', + ) + .get(username) + if (!row) return null + return { id: row.id, username: row.username, passwordHash: row.password_hash, role: row.role as 'admin' | 'user', createdAt: row.created_at } +} + +export function findUserById(db: Database, id: string): UserRecord | null { + const row = db + .query<{ id: string; username: string; password_hash: string; role: string; created_at: string }, [string]>( + 'SELECT id, username, password_hash, role, created_at FROM users WHERE id = ?', + ) + .get(id) + if (!row) return null + return { id: row.id, username: row.username, passwordHash: row.password_hash, role: row.role as 'admin' | 'user', createdAt: row.created_at } +} + +export function listUsers(db: Database): UserSummary[] { + return db + .query<{ id: string; username: string; role: string; created_at: string }, []>( + 'SELECT id, username, role, created_at FROM users ORDER BY created_at ASC', + ) + .all() + .map((row) => ({ id: row.id, username: row.username, role: row.role as 'admin' | 'user', createdAt: row.created_at })) +} + +export function deleteUser(db: Database, id: string): boolean { + const result = db.run('DELETE FROM users WHERE id = ?', [id]) + return result.changes > 0 +} + +export function createRefreshToken( + db: Database, + params: { userId: string; tokenHash: string; expiresAt: string }, +): RefreshTokenRecord { + const id = crypto.randomUUID() + const now = new Date().toISOString() + db.run( + 'INSERT INTO refresh_tokens (id, user_id, token_hash, expires_at, created_at) VALUES (?, ?, ?, ?, ?)', + [id, params.userId, params.tokenHash, params.expiresAt, now], + ) + return { id, userId: params.userId, tokenHash: params.tokenHash, expiresAt: params.expiresAt, createdAt: now } +} + +export function findRefreshTokenByHash(db: Database, tokenHash: string): RefreshTokenRecord | null { + const row = db + .query<{ id: string; user_id: string; token_hash: string; expires_at: string; created_at: string }, [string]>( + 'SELECT id, user_id, token_hash, expires_at, created_at FROM refresh_tokens WHERE token_hash = ?', + ) + .get(tokenHash) + if (!row) return null + return { id: row.id, userId: row.user_id, tokenHash: row.token_hash, expiresAt: row.expires_at, createdAt: row.created_at } +} + +export function deleteRefreshTokenByHash(db: Database, tokenHash: string): boolean { + const result = db.run('DELETE FROM refresh_tokens WHERE token_hash = ?', [tokenHash]) + return result.changes > 0 +}