Add Milestones 1 & 2: full-stack POS foundation with admin UI

- Node/Express/TypeScript API under /api/v1 with JWT auth (login, refresh, logout, /me) - Prisma schema: vendors, users, roles, products, categories, taxes, transactions - SQLite for local dev; Postgres via docker-compose for production - Full CRUD routes for vendors, users, categories, taxes, products with Zod validation and RBAC - Paginated list endpoints scoped per vendor; refresh token rotation - React/TypeScript admin SPA (Vite): login, protected routing, sidebar layout - Pages: Dashboard, Catalog (tabbed Products/Categories/Taxes), Users, Vendor Settings - Shared UI: Table, Modal, FormField, Btn, PageHeader components - Multi-stage Dockerfile; docker-compose with Postgres healthcheck - Seed script with demo vendor and owner account - INSTRUCTIONS.md, ROADMAP.md, .claude/launch.json for dev server config Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-20 23:18:04 -05:00
parent fb62439eab
commit d53c772dd6
4594 changed files with 1876068 additions and 0 deletions
--- a/server/src/routes/users.ts
+++ b/server/src/routes/users.ts
@@ -0,0 +1,172 @@
+import { Router, Request, Response, NextFunction } from "express";
+import { z } from "zod";
+import bcrypt from "bcryptjs";
+import { prisma } from "../lib/prisma.js";
+import { requireAuth, requireRole } from "../middleware/auth.js";
+import { AppError } from "../middleware/errorHandler.js";
+import { parsePage, paginatedResponse } from "../lib/pagination.js";
+import { AuthenticatedRequest } from "../types/index.js";
+
+const router = Router();
+const auth = requireAuth as unknown as (r: Request, s: Response, n: NextFunction) => void;
+const managerUp = requireRole("owner", "manager") as unknown as (r: Request, s: Response, n: NextFunction) => void;
+
+// Strip passwordHash from any user object before sending
+function safe<T extends { passwordHash?: string }>(u: T): Omit<T, "passwordHash"> {
+  const { passwordHash: _, ...rest } = u;
+  return rest;
+}
+
+const CreateUserSchema = z.object({
+  email: z.string().email(),
+  password: z.string().min(8),
+  name: z.string().min(1).max(100),
+  roleId: z.string().min(1),
+});
+
+const UpdateUserSchema = z.object({
+  name: z.string().min(1).max(100).optional(),
+  roleId: z.string().min(1).optional(),
+  password: z.string().min(8).optional(),
+});
+
+// GET /api/v1/users
+router.get("/", auth, managerUp, async (req: Request, res: Response, next: NextFunction) => {
+  try {
+    const authReq = req as AuthenticatedRequest;
+    const { page, limit, skip } = parsePage(req.query as Record<string, unknown>);
+
+    const where = { vendorId: authReq.auth.vendorId };
+    const [users, total] = await Promise.all([
+      prisma.user.findMany({
+        where,
+        skip,
+        take: limit,
+        orderBy: { createdAt: "desc" },
+        include: { role: true },
+      }),
+      prisma.user.count({ where }),
+    ]);
+
+    res.json(paginatedResponse(users.map(safe), total, { page, limit, skip }));
+  } catch (err) {
+    next(err);
+  }
+});
+
+// GET /api/v1/users/roles/list — must be before /:id
+router.get("/roles/list", auth, async (_req: Request, res: Response, next: NextFunction) => {
+  try {
+    const roles = await prisma.role.findMany({ orderBy: { name: "asc" } });
+    res.json(roles);
+  } catch (err) {
+    next(err);
+  }
+});
+
+// GET /api/v1/users/:id
+router.get("/:id", auth, managerUp, async (req: Request, res: Response, next: NextFunction) => {
+  try {
+    const authReq = req as AuthenticatedRequest;
+    const user = await prisma.user.findFirst({
+      where: { id: req.params.id, vendorId: authReq.auth.vendorId },
+      include: { role: true },
+    });
+    if (!user) throw new AppError(404, "NOT_FOUND", "User not found");
+    res.json(safe(user));
+  } catch (err) {
+    next(err);
+  }
+});
+
+// POST /api/v1/users
+router.post("/", auth, managerUp, async (req: Request, res: Response, next: NextFunction) => {
+  try {
+    const authReq = req as AuthenticatedRequest;
+    const body = CreateUserSchema.parse(req.body);
+
+    const existing = await prisma.user.findUnique({ where: { email: body.email } });
+    if (existing) throw new AppError(409, "CONFLICT", "Email already in use");
+
+    const role = await prisma.role.findUnique({ where: { id: body.roleId } });
+    if (!role) throw new AppError(400, "BAD_REQUEST", "Invalid role");
+
+    // Managers cannot create owners
+    if (authReq.auth.roleName === "manager" && role.name === "owner") {
+      throw new AppError(403, "FORBIDDEN", "Managers cannot create owner accounts");
+    }
+
+    const user = await prisma.user.create({
+      data: {
+        email: body.email,
+        passwordHash: await bcrypt.hash(body.password, 10),
+        name: body.name,
+        vendorId: authReq.auth.vendorId,
+        roleId: body.roleId,
+      },
+      include: { role: true },
+    });
+
+    res.status(201).json(safe(user));
+  } catch (err) {
+    next(err);
+  }
+});
+
+// PUT /api/v1/users/:id
+router.put("/:id", auth, managerUp, async (req: Request, res: Response, next: NextFunction) => {
+  try {
+    const authReq = req as AuthenticatedRequest;
+    const body = UpdateUserSchema.parse(req.body);
+
+    const existing = await prisma.user.findFirst({
+      where: { id: req.params.id, vendorId: authReq.auth.vendorId },
+      include: { role: true },
+    });
+    if (!existing) throw new AppError(404, "NOT_FOUND", "User not found");
+
+    if (body.roleId) {
+      const role = await prisma.role.findUnique({ where: { id: body.roleId } });
+      if (!role) throw new AppError(400, "BAD_REQUEST", "Invalid role");
+      if (authReq.auth.roleName === "manager" && role.name === "owner") {
+        throw new AppError(403, "FORBIDDEN", "Managers cannot assign owner role");
+      }
+    }
+
+    const updateData: Record<string, unknown> = {};
+    if (body.name) updateData.name = body.name;
+    if (body.roleId) updateData.roleId = body.roleId;
+    if (body.password) updateData.passwordHash = await bcrypt.hash(body.password, 10);
+
+    const user = await prisma.user.update({
+      where: { id: req.params.id },
+      data: updateData,
+      include: { role: true },
+    });
+
+    res.json(safe(user));
+  } catch (err) {
+    next(err);
+  }
+});
+
+// DELETE /api/v1/users/:id
+router.delete("/:id", auth, managerUp, async (req: Request, res: Response, next: NextFunction) => {
+  try {
+    const authReq = req as AuthenticatedRequest;
+    if (req.params.id === authReq.auth.userId) {
+      throw new AppError(400, "BAD_REQUEST", "Cannot delete your own account");
+    }
+    const existing = await prisma.user.findFirst({
+      where: { id: req.params.id, vendorId: authReq.auth.vendorId },
+    });
+    if (!existing) throw new AppError(404, "NOT_FOUND", "User not found");
+
+    await prisma.user.delete({ where: { id: req.params.id } });
+    res.status(204).send();
+  } catch (err) {
+    next(err);
+  }
+});
+
+export default router;