Password Policy/App rename/PM Scheduling Improvements
This commit is contained in:
@@ -4,11 +4,15 @@ const { all, audit, now, one, run } = require('../db');
|
||||
const { requireCapability } = require('../middleware/auth');
|
||||
const { CAPABILITIES } = require('../services/accessControl');
|
||||
const { createRole, deleteRole, listRoles, roleExists, updateRole } = require('../services/roles');
|
||||
const passwordPolicy = require('../services/passwordPolicy');
|
||||
const auditTrail = require('../services/auditTrail');
|
||||
|
||||
const router = express.Router();
|
||||
|
||||
const userSelect = `
|
||||
SELECT u.id, u.team_id, t.name AS team_name, u.name, u.email, u.role, u.status, u.created_at, u.updated_at
|
||||
SELECT u.id, u.team_id, t.name AS team_name, u.name, u.email, u.role, u.status,
|
||||
u.last_login_at, u.locked_until, u.must_change_password, u.password_changed_at,
|
||||
u.created_at, u.updated_at
|
||||
FROM users u
|
||||
LEFT JOIN teams t ON t.id = u.team_id
|
||||
`;
|
||||
@@ -47,20 +51,32 @@ router.get('/users', requireCapability('admin.users'), (req, res) => {
|
||||
router.post('/users', requireCapability('admin.users'), (req, res) => {
|
||||
validateRole(req.body.role || 'viewer');
|
||||
if (req.body.status && !['active', 'inactive'].includes(req.body.status)) return res.status(400).json({ error: 'Invalid status' });
|
||||
|
||||
// An admin-supplied password must satisfy the policy. When none is given we issue a temporary
|
||||
// password and force a change at first login (so a throwaway temp isn't policy-checked).
|
||||
const supplied = req.body.password;
|
||||
if (supplied) passwordPolicy.validatePassword(supplied, { name: req.body.name, email: req.body.email });
|
||||
const rawPassword = supplied || 'ChangeMe123!';
|
||||
const mustChange = req.body.must_change_password || !supplied ? 1 : 0;
|
||||
|
||||
const created = now();
|
||||
const hash = bcrypt.hashSync(rawPassword, 12);
|
||||
const result = run(
|
||||
'INSERT INTO users (team_id, name, email, password_hash, role, status, created_at, updated_at) VALUES (?, ?, ?, ?, ?, ?, ?, ?)',
|
||||
'INSERT INTO users (team_id, name, email, password_hash, role, status, password_changed_at, must_change_password, created_at, updated_at) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?)',
|
||||
[
|
||||
req.body.team_id || one('SELECT id FROM teams ORDER BY id LIMIT 1')?.id,
|
||||
req.body.name,
|
||||
req.body.email,
|
||||
bcrypt.hashSync(req.body.password || 'ChangeMe123!', 12),
|
||||
hash,
|
||||
req.body.role || 'viewer',
|
||||
req.body.status || 'active',
|
||||
created,
|
||||
mustChange,
|
||||
created,
|
||||
created
|
||||
]
|
||||
);
|
||||
passwordPolicy.recordPassword(result.lastInsertRowid, hash);
|
||||
audit(req.user.id, 'create', 'user', result.lastInsertRowid, null, { ...req.body, password: '[redacted]' });
|
||||
res.status(201).json({ user: publicAdminUser(result.lastInsertRowid) });
|
||||
});
|
||||
@@ -79,6 +95,19 @@ router.put('/users/:id', requireCapability('admin.users'), (req, res) => {
|
||||
return res.status(400).json({ error: 'At least one active admin is required' });
|
||||
}
|
||||
|
||||
// Validate before any write so a rejected password leaves the row untouched.
|
||||
if (req.body.password) {
|
||||
passwordPolicy.validatePassword(req.body.password, {
|
||||
id: Number(req.params.id),
|
||||
name: req.body.name || before.name,
|
||||
email: req.body.email || before.email
|
||||
});
|
||||
}
|
||||
|
||||
const nextMustChange = req.body.must_change_password !== undefined
|
||||
? (req.body.must_change_password ? 1 : 0)
|
||||
: before.must_change_password;
|
||||
|
||||
const updated = now();
|
||||
run(
|
||||
`UPDATE users SET
|
||||
@@ -87,6 +116,7 @@ router.put('/users/:id', requireCapability('admin.users'), (req, res) => {
|
||||
email = ?,
|
||||
role = ?,
|
||||
status = ?,
|
||||
must_change_password = ?,
|
||||
updated_at = ?
|
||||
WHERE id = ?`,
|
||||
[
|
||||
@@ -95,17 +125,24 @@ router.put('/users/:id', requireCapability('admin.users'), (req, res) => {
|
||||
req.body.email || before.email,
|
||||
nextRole,
|
||||
nextStatus,
|
||||
nextMustChange,
|
||||
updated,
|
||||
req.params.id
|
||||
]
|
||||
);
|
||||
|
||||
if (req.body.password) {
|
||||
run('UPDATE users SET password_hash = ?, updated_at = ? WHERE id = ?', [
|
||||
bcrypt.hashSync(req.body.password, 12),
|
||||
const hash = bcrypt.hashSync(req.body.password, 12);
|
||||
// Admin-set password forces a change at next login unless explicitly cleared.
|
||||
const forceChange = req.body.must_change_password === false ? 0 : 1;
|
||||
run('UPDATE users SET password_hash = ?, password_changed_at = ?, must_change_password = ?, updated_at = ? WHERE id = ?', [
|
||||
hash,
|
||||
updated,
|
||||
forceChange,
|
||||
updated,
|
||||
req.params.id
|
||||
]);
|
||||
passwordPolicy.recordPassword(req.params.id, hash);
|
||||
}
|
||||
|
||||
const user = publicAdminUser(req.params.id);
|
||||
@@ -181,4 +218,51 @@ router.delete('/roles/:key', requireCapability('admin.roles'), (req, res) => {
|
||||
return res.status(204).end();
|
||||
});
|
||||
|
||||
// ---- Account lockout --------------------------------------------------------
|
||||
|
||||
router.post('/users/:id/unlock', requireCapability('admin.users'), (req, res) => {
|
||||
const user = publicAdminUser(req.params.id);
|
||||
if (!user) return res.status(404).json({ error: 'User not found' });
|
||||
passwordPolicy.unlock(req.params.id, req.user.id);
|
||||
return res.json({ user: publicAdminUser(req.params.id) });
|
||||
});
|
||||
|
||||
// ---- Password & lockout policy ----------------------------------------------
|
||||
|
||||
router.get('/password-policy', requireCapability('admin.security'), (req, res) => {
|
||||
const policy = passwordPolicy.getPolicy();
|
||||
res.json({ policy, rules: passwordPolicy.describe(policy) });
|
||||
});
|
||||
|
||||
router.put('/password-policy', requireCapability('admin.security'), (req, res) => {
|
||||
const policy = passwordPolicy.savePolicy(req.body.policy || req.body, req.user.id);
|
||||
res.json({ policy, rules: passwordPolicy.describe(policy) });
|
||||
});
|
||||
|
||||
// ---- Activity & audit trail -------------------------------------------------
|
||||
|
||||
function auditFilters(query) {
|
||||
return {
|
||||
actor: query.actor || null,
|
||||
action: query.action || null,
|
||||
entity_type: query.entity_type || null,
|
||||
from: query.from || null,
|
||||
to: query.to || null,
|
||||
q: query.q || null
|
||||
};
|
||||
}
|
||||
|
||||
router.get('/audit-logs', requireCapability('admin.audit'), (req, res) => {
|
||||
const result = auditTrail.query(auditFilters(req.query), { page: req.query.page, pageSize: req.query.pageSize });
|
||||
res.json({ ...result, facets: auditTrail.facets() });
|
||||
});
|
||||
|
||||
router.get('/audit-logs/export', requireCapability('admin.audit'), (req, res) => {
|
||||
const rows = auditTrail.queryAll(auditFilters(req.query));
|
||||
audit(req.user.id, 'export', 'audit_logs', 'csv', null, { count: rows.length, filters: auditFilters(req.query) });
|
||||
res.setHeader('Content-Type', 'text/csv; charset=utf-8');
|
||||
res.setHeader('Content-Disposition', `attachment; filename="audit-trail-${now().slice(0, 10)}.csv"`);
|
||||
res.send(auditTrail.toCsv(rows));
|
||||
});
|
||||
|
||||
module.exports = router;
|
||||
|
||||
@@ -3,12 +3,13 @@ const bcrypt = require('bcryptjs');
|
||||
const { audit, one } = require('../db');
|
||||
const { publicUser, tokenFor } = require('../middleware/auth');
|
||||
const { capabilitiesForRole } = require('../services/roles');
|
||||
const { isLocked, registerFailure, registerSuccess, mustChangePassword } = require('../services/passwordPolicy');
|
||||
|
||||
const router = express.Router();
|
||||
|
||||
router.get('/public/bootstrap', (req, res) => {
|
||||
res.json({
|
||||
appName: 'MixedAssets',
|
||||
appName: 'DepreCore',
|
||||
setupComplete: Boolean(one('SELECT id FROM users LIMIT 1')),
|
||||
database: 'sqlite'
|
||||
});
|
||||
@@ -17,11 +18,33 @@ router.get('/public/bootstrap', (req, res) => {
|
||||
router.post('/auth/login', (req, res) => {
|
||||
const { email, password } = req.body;
|
||||
const user = one('SELECT * FROM users WHERE lower(email) = lower(?) AND status = ?', [email || '', 'active']);
|
||||
if (!user || !bcrypt.compareSync(password || '', user.password_hash)) {
|
||||
if (!user) return res.status(401).json({ error: 'Invalid email or password' });
|
||||
|
||||
// Locked accounts are refused before the password is even checked.
|
||||
if (isLocked(user)) {
|
||||
const minutes = Math.max(1, Math.ceil((new Date(user.locked_until).getTime() - Date.now()) / 60000));
|
||||
return res.status(423).json({ error: `Account locked. Try again in ${minutes} minute(s).`, lockedUntil: user.locked_until });
|
||||
}
|
||||
|
||||
if (!bcrypt.compareSync(password || '', user.password_hash)) {
|
||||
const { locked, lockedUntil } = registerFailure(user);
|
||||
audit(user.id, 'login_failed', 'user', user.id, null, { email: user.email });
|
||||
if (locked) {
|
||||
const minutes = Math.max(1, Math.ceil((new Date(lockedUntil).getTime() - Date.now()) / 60000));
|
||||
return res.status(423).json({ error: `Too many failed attempts. Account locked for ${minutes} minute(s).`, lockedUntil });
|
||||
}
|
||||
return res.status(401).json({ error: 'Invalid email or password' });
|
||||
}
|
||||
|
||||
registerSuccess(user);
|
||||
audit(user.id, 'login', 'user', user.id, null, { email: user.email });
|
||||
return res.json({ token: tokenFor(user), user: publicUser(user), capabilities: capabilitiesForRole(user.role) });
|
||||
// Token is still issued so the user can call the self-service change endpoint when forced.
|
||||
return res.json({
|
||||
token: tokenFor(user),
|
||||
user: publicUser(user),
|
||||
capabilities: capabilitiesForRole(user.role),
|
||||
mustChangePassword: mustChangePassword(user)
|
||||
});
|
||||
});
|
||||
|
||||
module.exports = router;
|
||||
|
||||
@@ -39,7 +39,7 @@ router.post('/books/:code/ledger/export', async (req, res) => {
|
||||
const output = await exportReport(report, format);
|
||||
const extension = { csv: 'csv', xlsx: 'xlsx', pdf: 'pdf' }[format] || 'txt';
|
||||
res.setHeader('Content-Type', output.contentType);
|
||||
res.setHeader('Content-Disposition', `attachment; filename="mixedassets-${req.params.code}-ledger-${year}.${extension}"`);
|
||||
res.setHeader('Content-Disposition', `attachment; filename="deprecore-${req.params.code}-ledger-${year}.${extension}"`);
|
||||
return res.send(output.body);
|
||||
});
|
||||
|
||||
|
||||
@@ -12,6 +12,8 @@ const {
|
||||
getSettings,
|
||||
listCompletions,
|
||||
listPlans,
|
||||
logReading,
|
||||
recomputeAllSchedules,
|
||||
saveSettings,
|
||||
updateAssetPm,
|
||||
updatePlan
|
||||
@@ -56,6 +58,11 @@ router.put('/pm-settings', planEditor, (req, res) => {
|
||||
res.json({ settings: saveSettings(req.body, req.user.id) });
|
||||
});
|
||||
|
||||
// Manually run the schedule recompute now ("Run now" in PM settings).
|
||||
router.post('/pm-recompute', planEditor, (req, res) => {
|
||||
res.json({ result: recomputeAllSchedules(req.user.id), settings: getSettings() });
|
||||
});
|
||||
|
||||
// Completed PM forms
|
||||
router.get('/pm-completions', (req, res) => {
|
||||
res.json({ completions: listCompletions(req.query) });
|
||||
@@ -93,4 +100,15 @@ router.post('/assets/:id/pm/:apId/complete', assetPm, (req, res) => {
|
||||
return res.json({ pm });
|
||||
});
|
||||
|
||||
// Log a standalone usage meter reading (quick-log / inspection) and recompute the schedule.
|
||||
router.post('/assets/:id/pm/:apId/readings', assetPm, (req, res, next) => {
|
||||
try {
|
||||
const pm = logReading(req.params.id, req.params.apId, req.body, req.user.id);
|
||||
if (!pm) return res.status(404).json({ error: 'PM schedule not found' });
|
||||
return res.json({ pm });
|
||||
} catch (error) {
|
||||
return next(error);
|
||||
}
|
||||
});
|
||||
|
||||
module.exports = router;
|
||||
|
||||
@@ -1,11 +1,15 @@
|
||||
const express = require('express');
|
||||
const { audit } = require('../db');
|
||||
const bcrypt = require('bcryptjs');
|
||||
const { audit, now, one, run } = require('../db');
|
||||
const { getProfile, savePreferences } = require('../services/profile');
|
||||
const {
|
||||
describe, getPolicy, minAgeRemainingMinutes, recordPassword, validatePassword
|
||||
} = require('../services/passwordPolicy');
|
||||
|
||||
const router = express.Router();
|
||||
|
||||
router.get('/profile', (req, res) => {
|
||||
res.json(getProfile(req.user));
|
||||
res.json({ ...getProfile(req.user), passwordPolicy: { rules: describe() } });
|
||||
});
|
||||
|
||||
router.put('/profile', (req, res) => {
|
||||
@@ -14,4 +18,31 @@ router.put('/profile', (req, res) => {
|
||||
res.json({ user: getProfile(req.user).user, preferences });
|
||||
});
|
||||
|
||||
// Self-service password change. Honors the configured policy (complexity, identifiers, history,
|
||||
// and minimum age), then clears any forced-change flag.
|
||||
router.put('/profile/password', (req, res, next) => {
|
||||
try {
|
||||
const { current_password: current, new_password: next } = req.body || {};
|
||||
const user = one('SELECT * FROM users WHERE id = ?', [req.user.id]);
|
||||
if (!user || !bcrypt.compareSync(current || '', user.password_hash)) {
|
||||
return res.status(400).json({ error: 'Your current password is incorrect' });
|
||||
}
|
||||
// The minimum-age rule never blocks a forced change (expired / admin-required).
|
||||
const remaining = minAgeRemainingMinutes(user, getPolicy());
|
||||
if (remaining > 0 && !user.must_change_password) {
|
||||
return res.status(400).json({ error: `You can change your password again in ${remaining} minute(s)` });
|
||||
}
|
||||
validatePassword(next, { id: user.id, name: user.name, email: user.email });
|
||||
const hash = bcrypt.hashSync(next, 12);
|
||||
run('UPDATE users SET password_hash = ?, password_changed_at = ?, must_change_password = 0, updated_at = ? WHERE id = ?', [
|
||||
hash, now(), now(), user.id
|
||||
]);
|
||||
recordPassword(user.id, hash);
|
||||
audit(user.id, 'password_change', 'user', user.id, null, { self: true });
|
||||
return res.json({ ok: true });
|
||||
} catch (error) {
|
||||
return next(error);
|
||||
}
|
||||
});
|
||||
|
||||
module.exports = router;
|
||||
|
||||
@@ -129,11 +129,18 @@ function categoryRow(row) {
|
||||
const meta = parseJson(row.metadata, {});
|
||||
const templateId = meta.id_template_id || null;
|
||||
const template = templateId ? one('SELECT name, pattern FROM asset_id_templates WHERE id = ?', [templateId]) : null;
|
||||
// Categories link to an asset class by its unique id (class numbers are NOT unique — e.g. 00.12
|
||||
// covers both Computers and Casinos). The number/label are resolved from the linked class so the
|
||||
// right one is always shown; a manually-typed number (no id) falls back to that text.
|
||||
const classId = meta.asset_class_id || null;
|
||||
const cls = classId ? one('SELECT id, class_number, description FROM asset_classes WHERE id = ?', [classId]) : null;
|
||||
return {
|
||||
id: row.id,
|
||||
name: row.name,
|
||||
code: row.code,
|
||||
asset_class_number: meta.asset_class_number || null,
|
||||
asset_class_id: cls ? cls.id : null,
|
||||
asset_class_number: cls ? cls.class_number : (meta.asset_class_number || null),
|
||||
asset_class_label: cls ? `${cls.class_number} — ${cls.description}` : null,
|
||||
id_template_id: template ? templateId : null,
|
||||
id_template_name: template ? template.name : null,
|
||||
id_template_pattern: template ? template.pattern : null,
|
||||
@@ -141,6 +148,20 @@ function categoryRow(row) {
|
||||
};
|
||||
}
|
||||
|
||||
// Resolve the class number a category should carry: the linked class's number wins; otherwise a
|
||||
// manually-entered number. Returns { classId, classNumber }.
|
||||
function resolveCategoryClass(body, prev = {}) {
|
||||
if (body.asset_class_id !== undefined && body.asset_class_id !== null && body.asset_class_id !== '') {
|
||||
const cls = one('SELECT class_number FROM asset_classes WHERE id = ?', [body.asset_class_id]);
|
||||
if (cls) return { classId: Number(body.asset_class_id), classNumber: cls.class_number };
|
||||
}
|
||||
// Explicit null id, or a manual number with no id → manual override (clears the link).
|
||||
if (body.asset_class_id === null || body.asset_class_id === '' || body.asset_class_number !== undefined) {
|
||||
return { classId: null, classNumber: body.asset_class_number || null };
|
||||
}
|
||||
return { classId: prev.asset_class_id || null, classNumber: prev.asset_class_number || null };
|
||||
}
|
||||
|
||||
const categoryEditor = requireCapability('config.manage');
|
||||
|
||||
router.get('/asset-categories', (req, res) => {
|
||||
@@ -154,9 +175,10 @@ router.post('/asset-categories', categoryEditor, (req, res) => {
|
||||
if (one("SELECT id FROM reference_values WHERE type = 'category' AND name = ?", [name])) {
|
||||
return res.status(400).json({ error: 'That category already exists' });
|
||||
}
|
||||
const { classId, classNumber } = resolveCategoryClass(req.body);
|
||||
const result = run(
|
||||
"INSERT INTO reference_values (type, name, code, metadata) VALUES ('category', ?, ?, ?)",
|
||||
[name, req.body.code || null, json({ id_template_id: req.body.id_template_id || null, asset_class_number: req.body.asset_class_number || null })]
|
||||
[name, req.body.code || null, json({ id_template_id: req.body.id_template_id || null, asset_class_id: classId, asset_class_number: classNumber })]
|
||||
);
|
||||
audit(req.user.id, 'create', 'asset_category', result.lastInsertRowid, null, { name });
|
||||
return res.status(201).json({ category: categoryRow(one('SELECT * FROM reference_values WHERE id = ?', [result.lastInsertRowid])) });
|
||||
@@ -172,14 +194,19 @@ router.put('/asset-categories/:id', categoryEditor, (req, res) => {
|
||||
}
|
||||
const meta = parseJson(before.metadata, {});
|
||||
if (req.body.id_template_id !== undefined) meta.id_template_id = req.body.id_template_id || null;
|
||||
if (req.body.asset_class_number !== undefined) meta.asset_class_number = req.body.asset_class_number || null;
|
||||
const classChanged = req.body.asset_class_id !== undefined || req.body.asset_class_number !== undefined;
|
||||
if (classChanged) {
|
||||
const resolved = resolveCategoryClass(req.body, meta);
|
||||
meta.asset_class_id = resolved.classId;
|
||||
meta.asset_class_number = resolved.classNumber;
|
||||
}
|
||||
run('UPDATE reference_values SET name = ?, code = ?, metadata = ? WHERE id = ?', [name, req.body.code ?? before.code, json(meta), req.params.id]);
|
||||
let renamed = 0;
|
||||
if (name !== before.name) {
|
||||
renamed = run('UPDATE assets SET category = ?, updated_at = ? WHERE category = ?', [name, now(), before.name]).changes || 0;
|
||||
}
|
||||
// The class number is shared by every asset in the category — cascade any change.
|
||||
if (req.body.asset_class_number !== undefined) {
|
||||
if (classChanged) {
|
||||
run('UPDATE assets SET asset_class_number = ?, updated_at = ? WHERE category = ?', [meta.asset_class_number, now(), name]);
|
||||
}
|
||||
audit(req.user.id, 'update', 'asset_category', req.params.id, before, { name, renamed_assets: renamed });
|
||||
|
||||
@@ -27,7 +27,7 @@ router.post('/reports/export', async (req, res) => {
|
||||
const output = await exportReport(report, format);
|
||||
const extension = EXPORT_EXTENSIONS[format] || 'txt';
|
||||
res.setHeader('Content-Type', output.contentType);
|
||||
res.setHeader('Content-Disposition', `attachment; filename="mixedassets-${req.body.type}.${extension}"`);
|
||||
res.setHeader('Content-Disposition', `attachment; filename="deprecore-${req.body.type}.${extension}"`);
|
||||
res.send(output.body);
|
||||
});
|
||||
|
||||
|
||||
Reference in New Issue
Block a user