feat: superadmin settings

Signed-off-by: Innei <tukon479@gmail.com>

Author: Innei

be/apps/core/src/cli/index.ts

@@ -0,0 +1,42 @@
+import type { ResetCliOptions } from './reset-superadmin'
+import { handleResetSuperAdminPassword, parseResetCliArgs } from './reset-superadmin'
+
+type CliCommand<TOptions> = {
+  name: string
+  parse: (argv: readonly string[]) => TOptions | null
+  execute: (options: TOptions) => Promise<void>
+  onError?: (error: unknown) => void
+}
+
+const cliCommands: Array<CliCommand<unknown>> = [
+  {
+    name: 'reset-superadmin-password',
+    parse: parseResetCliArgs,
+    execute: (options) => handleResetSuperAdminPassword(options as ResetCliOptions),
+    onError: (error) => {
+      console.error('Superadmin password reset failed', error)
+    },
+  },
+]
+
+export async function runCliPipeline(argv: readonly string[]): Promise<boolean> {
+  for (const command of cliCommands) {
+    const parsedOptions = command.parse(argv)
+    if (!parsedOptions) {
+      continue
+    }
+
+    try {
+      await command.execute(parsedOptions)
+    } catch (error) {
+      command.onError?.(error)
+      // eslint-disable-next-line unicorn/no-process-exit
+      process.exit(1)
+      return true
+    }
+
+    return true
+  }
+
+  return false
+}

be/apps/core/src/cli/reset-superadmin.ts

@@ -0,0 +1,199 @@
+import { randomBytes } from 'node:crypto'
+
+import { authAccounts, authSessions, authUsers, generateId } from '@afilmory/db'
+import { env } from '@afilmory/env'
+import { eq } from 'drizzle-orm'
+
+import { createConfiguredApp } from '../app.factory'
+import { DbAccessor, PgPoolProvider } from '../database/database.provider'
+import { logger } from '../helpers/logger.helper'
+import { AuthProvider } from '../modules/auth/auth.provider'
+import { RedisProvider } from '../redis/redis.provider'
+
+const RESET_FLAG = '--reset-superadmin-password'
+const PASSWORD_FLAG = '--password'
+const EMAIL_FLAG = '--email'
+
+export interface ResetCliOptions {
+  password?: string
+  email?: string
+}
+
+export function parseResetCliArgs(args: readonly string[]): ResetCliOptions | null {
+  const hasResetFlag = args.some((arg) => arg === RESET_FLAG || arg.startsWith(`${RESET_FLAG}=`))
+  if (!hasResetFlag) {
+    return null
+  }
+
+  let password: string | undefined
+  let email: string | undefined
+
+  for (let index = 0; index < args.length; index++) {
+    const arg = args[index]
+    if (!arg || arg === '--') {
+      continue
+    }
+
+    if (arg === RESET_FLAG) {
+      continue
+    }
+
+    if (arg.startsWith(`${RESET_FLAG}=`)) {
+      const inline = arg.slice(RESET_FLAG.length + 1).trim()
+      if (inline.length > 0) {
+        password = inline
+      }
+      continue
+    }
+
+    if (arg === PASSWORD_FLAG) {
+      const value = args[index + 1]
+      if (!value || value.startsWith('--')) {
+        throw new Error('Missing value for --password')
+      }
+      password = value
+      index++
+      continue
+    }
+
+    if (arg.startsWith(`${PASSWORD_FLAG}=`)) {
+      const value = arg.slice(PASSWORD_FLAG.length + 1).trim()
+      if (value.length === 0) {
+        throw new Error('Missing value for --password')
+      }
+      password = value
+      continue
+    }
+
+    if (arg === EMAIL_FLAG) {
+      const value = args[index + 1]
+      if (!value || value.startsWith('--')) {
+        throw new Error('Missing value for --email')
+      }
+      email = value
+      index++
+      continue
+    }
+
+    if (arg.startsWith(`${EMAIL_FLAG}=`)) {
+      const value = arg.slice(EMAIL_FLAG.length + 1).trim()
+      if (value.length === 0) {
+        throw new Error('Missing value for --email')
+      }
+      email = value
+    }
+  }
+
+  return { password, email }
+}
+
+function generateRandomPassword(): string {
+  return randomBytes(16).toString('base64url')
+}
+
+export async function handleResetSuperAdminPassword(options: ResetCliOptions): Promise<void> {
+  const app = await createConfiguredApp({
+    globalPrefix: '/api',
+  })
+
+  const container = app.getContainer()
+  const poolProvider = container.resolve(PgPoolProvider)
+  const redisProvider = container.resolve(RedisProvider)
+  const authProvider = container.resolve(AuthProvider)
+  const dbAccessor = container.resolve(DbAccessor)
+
+  try {
+    const auth = authProvider.getAuth()
+    const context = await auth.$context
+    const rawPassword = options.password ?? generateRandomPassword()
+    const { minPasswordLength, maxPasswordLength } = context.password.config
+
+    if (rawPassword.length < minPasswordLength || rawPassword.length > maxPasswordLength) {
+      throw new Error(`Password must be between ${minPasswordLength} and ${maxPasswordLength} characters.`)
+    }
+
+    const hashedPassword = await context.password.hash(rawPassword)
+    const db = dbAccessor.get()
+
+    const targetEmail = options.email ?? env.DEFAULT_SUPERADMIN_EMAIL
+    const now = new Date().toISOString()
+    let resolvedEmail = targetEmail
+    let revokedSessionsCount = 0
+    let credentialAccountCreated = false
+
+    await db.transaction(async (tx) => {
+      let superAdmin = await tx.query.authUsers.findFirst({
+        where: (users, { eq }) => eq(users.email, targetEmail),
+      })
+
+      if (!superAdmin) {
+        superAdmin = await tx.query.authUsers.findFirst({
+          where: (users, { eq }) => eq(users.role, 'superadmin'),
+        })
+      }
+
+      if (!superAdmin) {
+        const message = options.email
+          ? `No superadmin account found for email "${options.email}"`
+          : 'No superadmin account found'
+        throw new Error(message)
+      }
+
+      resolvedEmail = superAdmin.email
+
+      const credentialAccount = await tx.query.authAccounts.findFirst({
+        where: (accounts, { eq, and }) =>
+          and(eq(accounts.userId, superAdmin.id), eq(accounts.providerId, 'credential')),
+      })
+
+      if (credentialAccount) {
+        await tx
+          .update(authAccounts)
+          .set({ password: hashedPassword, updatedAt: now })
+          .where(eq(authAccounts.id, credentialAccount.id))
+      } else {
+        credentialAccountCreated = true
+        await tx.insert(authAccounts).values({
+          id: generateId(),
+          accountId: superAdmin.id,
+          providerId: 'credential',
+          userId: superAdmin.id,
+          password: hashedPassword,
+          createdAt: now,
+          updatedAt: now,
+        })
+      }
+
+      await tx.update(authUsers).set({ updatedAt: now }).where(eq(authUsers.id, superAdmin.id))
+
+      const deletedSessions = await tx
+        .delete(authSessions)
+        .where(eq(authSessions.userId, superAdmin.id))
+        .returning({ id: authSessions.id })
+
+      revokedSessionsCount = deletedSessions.length
+    })
+
+    logger.info(
+      `Superadmin password reset for ${resolvedEmail}. ${credentialAccountCreated ? 'Credential account created.' : 'Credential account updated.'} Revoked ${revokedSessionsCount} sessions.`,
+    )
+
+    process.stdout.write(`Superadmin credentials reset\n  email: ${resolvedEmail}\n  password: ${rawPassword}\n`)
+  } finally {
+    await app.close('cli')
+
+    try {
+      const pool = poolProvider.getPool()
+      await pool.end()
+    } catch (error) {
+      logger.warn(`Failed to close PostgreSQL pool cleanly: ${String(error)}`)
+    }
+
+    try {
+      const redis = redisProvider.getClient()
+      redis.disconnect()
+    } catch (error) {
+      logger.warn(`Failed to disconnect Redis client cleanly: ${String(error)}`)
+    }
+  }
+}

be/apps/core/src/index.ts

@@ -5,6 +5,7 @@ import { serve } from '@hono/node-server'
 import { green } from 'picocolors'
 
 import { createConfiguredApp } from './app.factory'
+import { runCliPipeline } from './cli'
 import { logger } from './helpers/logger.helper'
 
 process.title = 'Hono HTTP Server'
@@ -31,7 +32,16 @@ async function bootstrap() {
   )
 }
 
-bootstrap().catch((error) => {
+async function main() {
+  const handledByCli = await runCliPipeline(process.argv.slice(2))
+  if (handledByCli) {
+    return
+  }
+
+  await bootstrap()
+}
+
+main().catch((error) => {
   console.error('Application bootstrap failed', error)
   // eslint-disable-next-line unicorn/no-process-exit
   process.exit(1)

be/apps/core/src/modules/auth/auth.controller.ts

@@ -1,12 +1,21 @@
+import { authUsers } from '@afilmory/db'
 import { Body, ContextParam, Controller, Get, Post, UnauthorizedException } from '@afilmory/framework'
+import { BizException, ErrorCode } from 'core/errors'
+import { eq } from 'drizzle-orm'
 import type { Context } from 'hono'
 
+import { DbAccessor } from '../../database/database.provider'
 import { RoleBit, Roles } from '../../guards/roles.decorator'
+import { SuperAdminSettingService } from '../system-setting/super-admin-setting.service'
 import { AuthProvider } from './auth.provider'
 
 @Controller('auth')
 export class AuthController {
-  constructor(private readonly auth: AuthProvider) {}
+  constructor(
+    private readonly auth: AuthProvider,
+    private readonly dbAccessor: DbAccessor,
+    private readonly superAdminSettings: SuperAdminSettingService,
+  ) {}
 
   @Get('/session')
   async getSession(@ContextParam() context: Context) {
@@ -27,6 +36,27 @@ export class AuthController {
 
   @Post('/sign-in/email')
   async signInEmail(@ContextParam() context: Context, @Body() body: { email: string; password: string }) {
+    const email = body.email.trim()
+    if (email.length === 0) {
+      throw new BizException(ErrorCode.COMMON_BAD_REQUEST, { message: '邮箱不能为空' })
+    }
+    const settings = await this.superAdminSettings.getSettings()
+    if (!settings.localProviderEnabled) {
+      const db = this.dbAccessor.get()
+      const [record] = await db
+        .select({ role: authUsers.role })
+        .from(authUsers)
+        .where(eq(authUsers.email, email))
+        .limit(1)
+
+      const isSuperAdmin = record?.role === 'superadmin'
+      if (!isSuperAdmin) {
+        throw new BizException(ErrorCode.AUTH_FORBIDDEN, {
+          message: '邮箱密码登录已禁用，请联系管理员开启本地登录。',
+        })
+      }
+    }
+
     const auth = this.auth.getAuth()
     const headers = new Headers(context.req.raw.headers)
     const tenant = (context as any).var?.tenant
@@ -36,7 +66,7 @@ export class AuthController {
     }
     const response = await auth.api.signInEmail({
       body: {
-        email: body.email,
+        email,
         password: body.password,
       },
       asResponse: true,

be/apps/core/src/modules/auth/auth.module.ts

@@ -1,12 +1,13 @@
 import { Module } from '@afilmory/framework'
 import { DatabaseModule } from 'core/database/database.module'
 
+import { SystemSettingModule } from '../system-setting/system-setting.module'
 import { AuthConfig } from './auth.config'
 import { AuthController } from './auth.controller'
 import { AuthProvider } from './auth.provider'
 
 @Module({
-  imports: [DatabaseModule],
+  imports: [DatabaseModule, SystemSettingModule],
   controllers: [AuthController],
   providers: [AuthProvider, AuthConfig],
 })

be/apps/core/src/modules/index.module.ts

@@ -12,24 +12,30 @@ import { DataSyncModule } from './data-sync/data-sync.module'
 import { OnboardingModule } from './onboarding/onboarding.module'
 import { PhotoModule } from './photo/photo.module'
 import { SettingModule } from './setting/setting.module'
+import { SuperAdminModule } from './super-admin/super-admin.module'
+import { SystemSettingModule } from './system-setting/system-setting.module'
 import { TenantModule } from './tenant/tenant.module'
 
+function createEventModuleOptions(redis: RedisAccessor) {
+  return {
+    redisClient: redis.get(),
+  }
+}
+
 @Module({
   imports: [
     DatabaseModule,
     RedisModule,
     AuthModule,
     SettingModule,
+    SystemSettingModule,
+    SuperAdminModule,
     OnboardingModule,
     PhotoModule,
     TenantModule,
     DataSyncModule,
     EventModule.forRootAsync({
-      useFactory: async (redis: RedisAccessor) => {
-        return {
-          redisClient: redis.get(),
-        }
-      },
+      useFactory: createEventModuleOptions,
       inject: [RedisAccessor],
     }),
   ],