8e969fe015
Adds a Postgres-backed user store with bcrypt + JWT cookie sessions,
login screen, role-gated UI, and Microsoft SSO scaffolding ready to
fill in.
Backend
- New `db` service (Postgres 16-alpine) in compose, healthcheck-gated
app startup, free-port autodetect (5435-5499) like other apps.
- `server/db.js` runs versioned `.sql` migrations on boot.
- `server/auth.js`: bcrypt + JWT cookie (httpOnly, sameSite=strict,
path-scoped to /adeo-maturity), rate-limited login (10/15min),
dummy bcrypt-compare on missing users to defeat timing oracles.
- `requireAdmin` on all writes (POST/import/sync); `authenticate`
on all reads. /api/health stays public.
- Microsoft SSO endpoints stubbed at /api/auth/msft/{login,callback}
(return 501); DB has azure_oid column ready; comments document
exactly how to wire @azure/msal-node.
Frontend
- Login screen with email/password + greyed-out "Sign in with
Microsoft" button; init() checks /api/auth/me first.
- Logout button + user badge in header.
- body.role-user CSS hides .admin-only elements (Update tab, New
Client cards). Server enforces regardless.
Deploy
- deploy.sh generates DB_PASSWORD and AUTH_SECRET on first run and
persists to .env, then runs `seed-users.js seed-defaults` to
create admin@oliver.agency + user@oliver.agency with random
passwords printed once. Subsequent deploys skip seeding unless
--reseed is passed.
- node server/seed-users.js set-password <email> <pw> for ad-hoc
resets later.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
45 lines
1.3 KiB
JavaScript
45 lines
1.3 KiB
JavaScript
'use strict';
|
|
const { Pool } = require('pg');
|
|
const fs = require('fs');
|
|
const path = require('path');
|
|
|
|
if (!process.env.DATABASE_URL) {
|
|
console.error('[db] DATABASE_URL is not set — refusing to start');
|
|
process.exit(1);
|
|
}
|
|
|
|
const pool = new Pool({ connectionString: process.env.DATABASE_URL });
|
|
|
|
async function runMigrations() {
|
|
await pool.query(`
|
|
CREATE TABLE IF NOT EXISTS _migrations (
|
|
filename TEXT PRIMARY KEY,
|
|
applied_at TIMESTAMPTZ NOT NULL DEFAULT now()
|
|
)
|
|
`);
|
|
|
|
const dir = path.join(__dirname, 'migrations');
|
|
if (!fs.existsSync(dir)) return;
|
|
|
|
const files = fs.readdirSync(dir).filter(f => f.endsWith('.sql')).sort();
|
|
for (const f of files) {
|
|
const { rowCount } = await pool.query('SELECT 1 FROM _migrations WHERE filename = $1', [f]);
|
|
if (rowCount > 0) continue;
|
|
const sql = fs.readFileSync(path.join(dir, f), 'utf8');
|
|
const client = await pool.connect();
|
|
try {
|
|
await client.query('BEGIN');
|
|
await client.query(sql);
|
|
await client.query('INSERT INTO _migrations (filename) VALUES ($1)', [f]);
|
|
await client.query('COMMIT');
|
|
console.log(`[db] applied migration ${f}`);
|
|
} catch (e) {
|
|
await client.query('ROLLBACK');
|
|
throw e;
|
|
} finally {
|
|
client.release();
|
|
}
|
|
}
|
|
}
|
|
|
|
module.exports = { pool, runMigrations };
|