jason/qms
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
qms/lib/auth.ts
T
jason ad499f6782
Build and Push Docker Image / build (push) Successful in 1m12s
Details
Assemble QMS app + SQLite refactor + Unraid single-container deploy 
Reconstruct the full app from init-source overlays (base + fix-1..6 +
update-1..3, last-wins) at the repo root, complete the missing pieces so it
builds and runs, and stage the Unraid deployment.

App completion:
- types/index.ts: former Prisma enums as string-literal unions + AppUser
- pages/_app.tsx + styles/globals.css (mount AppProvider/ToastProvider)
- API routes: auth/login, auth/me, users, submissions (+REVIEW_READY notify),
  forms (list/create), notifications
- scripts/create-admin.js: idempotent first-admin bootstrap
- 14 unbuilt nav targets stubbed via ComingSoon placeholder

SQLite refactor (single-container, no external DB):
- schema provider -> sqlite; enums -> String; Json -> String;
  FormField.options String[] -> JSON-encoded String
- lib/forms.ts (de)serialises options at the DB boundary
- drop mode:"insensitive" (unsupported on SQLite)
- enum imports repointed from @prisma/client to @/types

Deploy:
- multi-stage Dockerfile (next build -> prod runner), docker-entrypoint.sh
  (prisma db push -> create-admin -> next start), .dockerignore
- docker-compose.yml: br0 10.2.0.x, /mnt/user/appdata/qms -> /data volume
- README rewritten for the Unraid/Gitea Actions flow; .env scrubbed of the
  live Supabase credential; vercel.json removed

Verified: next build clean (41 routes); live SQLite round-trip of
login/session, form options array, and submission -> REVIEW_READY.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-15 16:58:47 -05:00

109 lines
3.0 KiB
TypeScript
Raw Permalink Blame History

import { NextApiRequest, NextApiResponse } from 'next'
import { prisma } from './prisma'
import { Role } from '@/types'
import bcrypt from 'bcryptjs'
import { v4 as uuid } from 'uuid'
export const SESSION_COOKIE = 'qms_session'
export const SESSION_EXPIRY_DAYS = 7
export async function hashPassword(password: string) {
return bcrypt.hash(password, 12)
}
export async function verifyPassword(password: string, hash: string) {
return bcrypt.compare(password, hash)
}
export async function createSession(userId: string) {
const token = uuid()
const expiresAt = new Date()
expiresAt.setDate(expiresAt.getDate() + SESSION_EXPIRY_DAYS)
await prisma.session.create({
data: { userId, token, expiresAt },
})
return token
}
export async function getSessionUser(req: NextApiRequest) {
const token = req.cookies[SESSION_COOKIE]
if (!token) return null
const session = await prisma.session.findUnique({
where: { token },
include: { user: true },
})
if (!session || session.expiresAt < new Date()) {
if (session) await prisma.session.delete({ where: { token } })
return null
}
return session.user
}
export async function requireAuth(
req: NextApiRequest,
res: NextApiResponse,
allowedRoles?: Role[]
) {
const user = await getSessionUser(req)
if (!user || !user.active) {
res.status(401).json({ error: 'Unauthorised' })
return null
}
if (allowedRoles && !allowedRoles.includes(user.role as Role)) {
res.status(403).json({ error: 'Forbidden' })
return null
}
return user
}
export async function logAction(
userId: string,
action: string,
entity: string,
entityId: string,
before?: unknown,
after?: unknown
) {
await prisma.auditLog.create({
data: {
userId,
action,
entity,
entityId,
before: before === undefined ? null : JSON.stringify(before),
after: after === undefined ? null : JSON.stringify(after),
},
})
}
export function generateRef(prefix: string, count: number) {
return `${prefix}-${String(count + 1).padStart(3, '0')}`
}
// Role permission helpers
export const ROLE_PERMISSIONS = {
ADMIN: ['*'],
QC: ['capa', 'audits', 'ncr', 'resolutions', 'documents', 'risk', 'suppliers', 'standards', 'shipping-standard', 'dashboard', 'reports', 'export'],
PRODUCTION: ['fill', 'my-submissions', 'report-issue'],
PRODUCTION_LEAD: ['fill', 'my-submissions', 'report-issue', 'shipments', 'escapes', 'shipping-standard', 'ncr', 'dashboard'],
LOGISTICS_LEAD: ['shipments', 'escapes', 'shipping-standard', 'ncr', 'dashboard'],
MANAGEMENT: ['dashboard', 'reports', 'export'],
} as const
// Only these roles may batch-email a client release package
export const SHIPMENT_SEND_ROLES: Role[] = ['ADMIN', 'PRODUCTION_LEAD', 'LOGISTICS_LEAD']
export function canAccess(role: string, module: string): boolean {
const perms = ROLE_PERMISSIONS[role as Role] as readonly string[] | undefined
if (!perms) return false
return perms.includes('*') || perms.includes(module)
}
Reference in New Issue View Git Blame Copy Permalink