144 lines
4.9 KiB
JavaScript
144 lines
4.9 KiB
JavaScript
#!/usr/bin/env node
|
|
import { randomBytes, randomUUID, scryptSync } from "node:crypto";
|
|
import { Pool } from "pg";
|
|
import "dotenv/config";
|
|
|
|
const args = process.argv.slice(2);
|
|
const validRoles = new Set(["owner", "finance", "ops", "viewer"]);
|
|
|
|
function getArg(name) {
|
|
const index = args.indexOf(name);
|
|
return index >= 0 ? args[index + 1] : undefined;
|
|
}
|
|
|
|
function hasFlag(name) {
|
|
return args.includes(name);
|
|
}
|
|
|
|
function usage() {
|
|
console.log(`Usage:
|
|
npm run merchant:create-user -- --merchant <merchant-id-or-code> --email <email> --name <name> --role <owner|finance|ops|viewer> --password <password> [--inactive] [--rotate-password]
|
|
|
|
Examples:
|
|
npm run merchant:create-user -- --merchant m_abc123 --email owner@merchant.com --name "Merchant Owner" --role owner --password "change-this"
|
|
npm run merchant:create-user -- --merchant <merchant-id> --email finance@merchant.com --name "Merchant Finance" --role finance --password "change-this" --rotate-password
|
|
|
|
Environment:
|
|
DATABASE_URL or PGHOST/PGPORT/PGUSER/PGPASSWORD/PGDATABASE
|
|
`);
|
|
}
|
|
|
|
function validatePasswordPolicy(value) {
|
|
const failures = [];
|
|
if (value.length < 14) failures.push("at least 14 characters");
|
|
if (!/[a-z]/.test(value)) failures.push("a lowercase letter");
|
|
if (!/[A-Z]/.test(value)) failures.push("an uppercase letter");
|
|
if (!/[0-9]/.test(value)) failures.push("a number");
|
|
if (!/[^A-Za-z0-9]/.test(value)) failures.push("a symbol");
|
|
if (/password|merchant|qris|soundbox|change-this/i.test(value)) failures.push("no obvious product/default words");
|
|
return failures;
|
|
}
|
|
|
|
const merchantRef = (getArg("--merchant") || "").trim();
|
|
const email = (getArg("--email") || "").trim().toLowerCase();
|
|
const name = (getArg("--name") || "").trim();
|
|
const roleName = (getArg("--role") || "owner").trim().toLowerCase();
|
|
const password = getArg("--password") || "";
|
|
const status = hasFlag("--inactive") ? "inactive" : "active";
|
|
const rotatePassword = hasFlag("--rotate-password");
|
|
|
|
if (hasFlag("--help") || hasFlag("-h")) {
|
|
usage();
|
|
process.exit(0);
|
|
}
|
|
|
|
const errors = [];
|
|
if (!merchantRef) {
|
|
errors.push("--merchant is required");
|
|
}
|
|
if (!email || !/^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(email)) {
|
|
errors.push("--email must be a valid email address");
|
|
}
|
|
if (!name) {
|
|
errors.push("--name is required");
|
|
}
|
|
if (!validRoles.has(roleName)) {
|
|
errors.push("--role must be one of owner, finance, ops, viewer");
|
|
}
|
|
const passwordFailures = validatePasswordPolicy(password);
|
|
if (passwordFailures.length) {
|
|
errors.push(`--password must include ${passwordFailures.join(", ")}`);
|
|
}
|
|
if (errors.length) {
|
|
usage();
|
|
for (const error of errors) {
|
|
console.error(`ERROR ${error}`);
|
|
}
|
|
process.exit(1);
|
|
}
|
|
|
|
function makePool() {
|
|
if (process.env.DATABASE_URL) {
|
|
return new Pool({ connectionString: process.env.DATABASE_URL });
|
|
}
|
|
return new Pool({
|
|
host: process.env.PGHOST || "127.0.0.1",
|
|
port: Number(process.env.PGPORT || 5432),
|
|
user: process.env.PGUSER || "postgres",
|
|
password: process.env.PGPASSWORD || "postgres",
|
|
database: process.env.PGDATABASE || "qris_soundbox_platform"
|
|
});
|
|
}
|
|
|
|
function hashPassword(value) {
|
|
const salt = randomBytes(16).toString("hex");
|
|
const keyLength = 64;
|
|
const derived = scryptSync(value, salt, keyLength).toString("hex");
|
|
return `scrypt$${salt}$${keyLength}$${derived}`;
|
|
}
|
|
|
|
const pool = makePool();
|
|
|
|
try {
|
|
const merchant = await pool.query(
|
|
"SELECT * FROM merchants WHERE id = $1 OR merchant_code = $1 LIMIT 1",
|
|
[merchantRef]
|
|
);
|
|
if (!merchant.rows.length) {
|
|
throw new Error(`merchant '${merchantRef}' not found`);
|
|
}
|
|
|
|
const merchantId = merchant.rows[0].id;
|
|
const existing = await pool.query("SELECT id, email FROM merchant_users WHERE LOWER(email) = LOWER($1)", [email]);
|
|
const passwordHash = hashPassword(password);
|
|
const now = new Date().toISOString();
|
|
|
|
if (existing.rows.length) {
|
|
const updatePasswordSql = rotatePassword ? ", password_hash = $7" : "";
|
|
const params = rotatePassword
|
|
? [merchantId, name, roleName, status, now, email, passwordHash]
|
|
: [merchantId, name, roleName, status, now, email];
|
|
await pool.query(
|
|
`UPDATE merchant_users
|
|
SET merchant_id = $1,
|
|
name = $2,
|
|
role_name = $3,
|
|
status = $4,
|
|
updated_at = $5
|
|
${updatePasswordSql}
|
|
WHERE LOWER(email) = LOWER($6)`,
|
|
params
|
|
);
|
|
console.log(`Updated merchant user ${email} merchant=${merchantId} role=${roleName} status=${status} password_rotated=${rotatePassword}`);
|
|
} else {
|
|
await pool.query(
|
|
`INSERT INTO merchant_users (id, merchant_id, name, email, password_hash, role_name, status, created_at, updated_at)
|
|
VALUES ($1,$2,$3,$4,$5,$6,$7,$8,$9)`,
|
|
[`merchant_user_${randomUUID()}`, merchantId, name, email, passwordHash, roleName, status, now, now]
|
|
);
|
|
console.log(`Created merchant user ${email} merchant=${merchantId} role=${roleName} status=${status}`);
|
|
}
|
|
} finally {
|
|
await pool.end();
|
|
}
|