feat(auth): add permission support to user creation

kevinduncke · kevinduncke · commit afabe728c856 · 2026-02-09T19:09:49.000-03:00
- Added permissions handling to user registration flow.

- Updated controller and service to accept and store Permission[] in Prisma.

- New users (doctor, receptionist, etc.) persist their assigned permissions correctly.
diff --git a/prisma/migrations/20260209160558_init/migration.sql b/prisma/migrations/20260209160558_init/migration.sql
@@ -0,0 +1,5 @@
+-- CreateEnum
+CREATE TYPE "Permission" AS ENUM ('MANAGE_USERS', 'MANAGE_ROLES', 'VIEW_PATIENTS', 'EDIT_PATIENTS', 'VIEW_APPOINTMENTS', 'EDIT_APPOINTMENTS', 'VIEW_DASHBOARD');
+
+-- AlterTable
+ALTER TABLE "Patient" ADD COLUMN     "permissions" "Permission"[];
diff --git a/prisma/migrations/20260209160641_init/migration.sql b/prisma/migrations/20260209160641_init/migration.sql
@@ -0,0 +1,11 @@
+/*
+  Warnings:
+
+  - You are about to drop the column `permissions` on the `Patient` table. All the data in the column will be lost.
+
+*/
+-- AlterTable
+ALTER TABLE "Patient" DROP COLUMN "permissions";
+
+-- AlterTable
+ALTER TABLE "User" ADD COLUMN     "permissions" "Permission"[];
diff --git a/prisma/schema.prisma b/prisma/schema.prisma
@@ -14,6 +14,7 @@ model User {
   role      String
   createdAt DateTime @default(now())
   updatedAt DateTime @updatedAt
+  permissions Permission[] 
 }
 
 enum Role {
@@ -22,13 +23,23 @@ enum Role {
   RECEPTIONIST
 }
 
+enum Permission {
+  MANAGE_USERS
+  MANAGE_ROLES
+  VIEW_PATIENTS
+  EDIT_PATIENTS
+  VIEW_APPOINTMENTS
+  EDIT_APPOINTMENTS
+  VIEW_DASHBOARD
+}
+
 model Patient {
-  id        String  @id @default(cuid())
-  firstName String
-  lastName  String
-  email     String? @unique
-  phone     String?
-  birthDate DateTime?
-  createdAt DateTime @default(now())
-  updatedAt DateTime @updatedAt
+  id          String  @id @default(cuid())
+  firstName   String
+  lastName    String
+  email       String? @unique
+  phone       String?
+  birthDate   DateTime?
+  createdAt   DateTime @default(now())
+  updatedAt   DateTime @updatedAt
 }
diff --git a/prisma/seed.ts b/prisma/seed.ts
@@ -31,6 +31,15 @@ async function main() {
             email,
             password: hash,
             role: Role.ADMIN,
+            permissions: [
+                "MANAGE_USERS",
+                "MANAGE_ROLES",
+                "VIEW_PATIENTS",
+                "EDIT_PATIENTS",
+                "VIEW_APPOINTMENTS",
+                "EDIT_APPOINTMENTS",
+                "VIEW_DASHBOARD"
+            ]
         },
     });
 
diff --git a/src/controllers/auth.controller.ts b/src/controllers/auth.controller.ts
@@ -25,11 +25,14 @@ export const login = async (req: Request, res: Response) => {
         }
 
         // Sign JWT Token 'Ring'.
-        const token = signToken({
-            sub: user.id,
-            email: user.email,
-            role: user.role,
-        });
+        const token = signToken(
+            {
+                sub: user.id,
+                email: user.email,
+                role: user.role,
+                permissions: user.permissions,
+            }
+        );
 
         // Returned token and user info.
         return res.json({
@@ -49,7 +52,7 @@ export const login = async (req: Request, res: Response) => {
 // Register Controller.
 export const register = async (req: Request, res: Response) => {
     try {
-        const { email, password, role } = req.body;
+        const { email, password, role, permissions } = req.body;
 
         // Check if email and password are provided.
         if (!email || !password) {
@@ -60,22 +63,23 @@ export const register = async (req: Request, res: Response) => {
         const existing = await findUserByEmail(email);
         if (existing) {
             return res.status(409).json({ message: 'Email already exists.' });
-        }        
+        }
 
         // Calling to hash the password
         const hashed = await hashPassword(password);
 
         // Calling to create a new user with default role as RECEPTIONIST 
         // if not provided in the body.
         // Later restrict this router to admin ONLY!!.
-        const user = await createUser(email, hashed, role);
+        const user = await createUser(email, hashed, role, permissions);
 
         return res.status(201).json({
             message: 'User Created Successfully',
             user: {
                 id: user.id,
                 email: user.email,
-                role: user.role
+                role: user.role,
+                permissions: user.permissions
             }
         });
     } catch (error) {
diff --git a/src/middleware/permission.middleware.ts b/src/middleware/permission.middleware.ts
@@ -0,0 +1,13 @@
+export const requirePermission = (...required: string[]) => {
+    return (req: any, res: any, next: any) => {
+        const userPermissions = req.user.permissions || [];
+
+        const hasAll = required.every(p => userPermissions.includes(p));
+
+        if(!hasAll){
+            return res.status(403).json({ message: "Forbidden: Insufficient Permissions." });
+        }
+
+        next();
+    };
+};
diff --git a/src/routes/auth.ts b/src/routes/auth.ts
@@ -11,4 +11,23 @@ router.post('/login', login);
 // User must be logged in & have role ADMIN.
 router.post('/register', authenticate, authorize('ADMIN'), register);
 
+/*
+
+// PATIENTS
+router.post(
+    '/patients', 
+    authenticate, 
+    requirePermission('EDIT_PATIENTS'), 
+    createPatient
+);
+
+// USERS
+router.get(
+    '/patients',
+    authenticate,
+    requirePermission('EDIT_PATIENTS'),
+    createPatient
+);
+*/
+
 export default router;
diff --git a/src/services/auth.service.ts b/src/services/auth.service.ts
@@ -1,6 +1,7 @@
 import bcrypt from 'bcrypt';
 import { prisma } from '../config/prisma';
 import { Role } from '../config/generated/enums'; // Imported generated type for Role
+import { Permission } from '../config/generated/enums';
 
 const SALT_ROUNDS = 10;
 
@@ -15,12 +16,13 @@ export const comparePassword = async (password: string, hash: string) => {
 };
 
 // Create a new User.
-export const createUser = async (email: string, password: string, role: Role) => {
+export const createUser = async (email: string, password: string, role: Role, permissions: Permission[]) => {
     return prisma.user.create({
         data: {
             email,
             password,
             role,
+            permissions
         },
     });
 };
diff --git a/src/services/jwt.service.ts b/src/services/jwt.service.ts
@@ -9,6 +9,7 @@ export interface JWTPayload {
     sub: string;
     email: string;
     role: string;
+    permissions: string[];
 };
 
 // Sign a new JWT Token.
