Record project continuation changes

backend/internal/modules/auth/service.go

@@ -13,11 +13,13 @@ import (
 
 	"github.com/example/remote-access-platform/backend/internal/platform/authority"
 	"github.com/example/remote-access-platform/backend/internal/platform/module"
+	postgresplatform "github.com/example/remote-access-platform/backend/internal/platform/postgres"
 )
 
 type Service struct {
 	cfg          module.Config
 	store        Store
+	db           postgresplatform.DBTX
 	transactor   Transactor
 	tokenManager *TokenManager
 	authority    *authority.Verifier
@@ -31,7 +33,7 @@ func NewService(deps module.Dependencies, store Store, transactor Transactor, ve
 	} else if verifier, err := authority.NewVerifier(deps.Config.Installation); err == nil {
 		authorityVerifier = verifier
 	}
-	return &Service{
+	service := &Service{
 		cfg:        deps.Config,
 		store:      store,
 		transactor: transactor,
@@ -45,6 +47,10 @@ func NewService(deps module.Dependencies, store Store, transactor Transactor, ve
 		authority: authorityVerifier,
 		now:       time.Now,
 	}
+	if postgresStore, ok := store.(*postgresStore); ok {
+		service.db = postgresStore.db
+	}
+	return service
 }
 
 func (s *Service) Login(ctx context.Context, cmd LoginCommand) (*AuthResult, error) {
@@ -120,6 +126,44 @@ func (s *Service) Login(ctx context.Context, cmd LoginCommand) (*AuthResult, err
 	return &result, nil
 }
 
+func (s *Service) ListUsers(ctx context.Context, actorUserID string) ([]User, error) {
+	if err := s.ensurePlatformAdmin(ctx, actorUserID); err != nil {
+		return nil, err
+	}
+	return s.store.Users().List(ctx)
+}
+
+func (s *Service) CreateUser(ctx context.Context, cmd CreateUserCommand) (*User, error) {
+	if err := s.ensurePlatformAdmin(ctx, cmd.ActorUserID); err != nil {
+		return nil, err
+	}
+	email := strings.ToLower(strings.TrimSpace(cmd.Email))
+	password := strings.TrimSpace(cmd.Password)
+	role := strings.TrimSpace(cmd.PlatformRole)
+	if role == "" {
+		role = "user"
+	}
+	if email == "" || !strings.Contains(email, "@") || len(password) < 8 {
+		return nil, ErrInvalidBootstrapOwner
+	}
+	if role != "user" && role != authority.PlatformRoleAdmin && role != authority.PlatformRoleRecoveryAdmin {
+		return nil, ErrInvalidBootstrapOwner
+	}
+	passwordHash, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
+	if err != nil {
+		return nil, fmt.Errorf("hash user password: %w", err)
+	}
+	now := s.now().UTC()
+	return s.store.Users().Create(ctx, User{
+		Email:        email,
+		PasswordHash: string(passwordHash),
+		MFAEnabled:   false,
+		PlatformRole: role,
+		CreatedAt:    now,
+		UpdatedAt:    now,
+	})
+}
+
 func (s *Service) Refresh(ctx context.Context, cmd RefreshCommand) (*AuthResult, error) {
 	authSessionID, err := s.tokenManager.ParseRefreshToken(cmd.RefreshToken)
 	if err != nil {
@@ -438,3 +482,25 @@ func (s *Service) installationStatusFromRecord(record *InstallationAuthorityStat
 func (s *Service) strictAuthority() bool {
 	return s.authority != nil && s.authority.Strict()
 }
+
+func (s *Service) ensurePlatformAdmin(ctx context.Context, actorUserID string) error {
+	if actorUserID == "" {
+		return ErrInvalidCredentials
+	}
+	role := authority.PlatformRoleUser
+	if s.db != nil {
+		effectiveRole, err := authority.EffectivePlatformRole(ctx, s.db, s.authority, actorUserID)
+		if err != nil {
+			return err
+		}
+		role = effectiveRole
+	} else if user, err := s.store.Users().GetByID(ctx, actorUserID); err != nil {
+		return err
+	} else if user != nil && user.PlatformRole != "" {
+		role = user.PlatformRole
+	}
+	if role != authority.PlatformRoleAdmin && role != authority.PlatformRoleRecoveryAdmin {
+		return ErrDeviceRevoked
+	}
+	return nil
+}