From 5634518cd377cac6e95850a1e54ba243ffa9cde2 Mon Sep 17 00:00:00 2001
From: Kevin Puig <119972216+k-puig@users.noreply.github.com>
Date: Sat, 27 Sep 2025 15:31:49 -0400
Subject: [PATCH] Add admin auth verification to user creation ; Force
 credentials for a new user

---
 .../migration.sql                             | 131 ++++++++++++++++++
 concord-server/migrations/migration_lock.toml |   3 +
 concord-server/src/services/userService.ts    |  83 ++++++++++-
 .../src/validators/userValidator.ts           |   3 +
 4 files changed, 218 insertions(+), 2 deletions(-)
 create mode 100644 concord-server/migrations/20250927190915_init2finalfinal/migration.sql
 create mode 100644 concord-server/migrations/migration_lock.toml

diff --git a/concord-server/migrations/20250927190915_init2finalfinal/migration.sql b/concord-server/migrations/20250927190915_init2finalfinal/migration.sql
new file mode 100644
index 0000000..6defc25
--- /dev/null
+++ b/concord-server/migrations/20250927190915_init2finalfinal/migration.sql
@@ -0,0 +1,131 @@
+-- CreateTable
+CREATE TABLE "public"."Instance" (
+    "id" TEXT NOT NULL,
+    "name" TEXT NOT NULL,
+    "icon" TEXT,
+
+    CONSTRAINT "Instance_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "public"."User" (
+    "id" TEXT NOT NULL,
+    "username" TEXT NOT NULL,
+    "nickname" TEXT,
+    "bio" TEXT,
+    "picture" TEXT,
+    "banner" TEXT,
+    "admin" BOOLEAN NOT NULL,
+    "status" TEXT NOT NULL,
+
+    CONSTRAINT "User_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "public"."Role" (
+    "userId" TEXT NOT NULL,
+    "instanceId" TEXT NOT NULL,
+    "type" TEXT NOT NULL
+);
+
+-- CreateTable
+CREATE TABLE "public"."UserAuth" (
+    "userId" TEXT NOT NULL,
+    "password" TEXT NOT NULL,
+    "token" TEXT
+);
+
+-- CreateTable
+CREATE TABLE "public"."Category" (
+    "id" TEXT NOT NULL,
+    "instanceId" TEXT,
+    "name" TEXT NOT NULL,
+    "position" INTEGER NOT NULL,
+
+    CONSTRAINT "Category_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "public"."Channel" (
+    "id" TEXT NOT NULL,
+    "type" TEXT NOT NULL,
+    "categoryId" TEXT,
+    "name" TEXT NOT NULL,
+    "description" TEXT NOT NULL,
+
+    CONSTRAINT "Channel_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "public"."Message" (
+    "id" TEXT NOT NULL,
+    "channelId" TEXT NOT NULL,
+    "userId" TEXT NOT NULL,
+    "deleted" BOOLEAN NOT NULL,
+    "text" TEXT NOT NULL,
+
+    CONSTRAINT "Message_pkey" PRIMARY KEY ("id")
+);
+
+-- CreateTable
+CREATE TABLE "public"."Reply" (
+    "messageId" TEXT NOT NULL,
+    "repliesToId" TEXT NOT NULL
+);
+
+-- CreateTable
+CREATE TABLE "public"."MessagePing" (
+    "messageId" TEXT NOT NULL,
+    "pingsUserId" TEXT NOT NULL
+);
+
+-- CreateIndex
+CREATE UNIQUE INDEX "Role_userId_instanceId_key" ON "public"."Role"("userId", "instanceId");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "UserAuth_userId_key" ON "public"."UserAuth"("userId");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "Reply_messageId_key" ON "public"."Reply"("messageId");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "Reply_repliesToId_key" ON "public"."Reply"("repliesToId");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "Reply_messageId_repliesToId_key" ON "public"."Reply"("messageId", "repliesToId");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "MessagePing_messageId_pingsUserId_key" ON "public"."MessagePing"("messageId", "pingsUserId");
+
+-- AddForeignKey
+ALTER TABLE "public"."Role" ADD CONSTRAINT "Role_userId_fkey" FOREIGN KEY ("userId") REFERENCES "public"."User"("id") ON DELETE RESTRICT ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "public"."Role" ADD CONSTRAINT "Role_instanceId_fkey" FOREIGN KEY ("instanceId") REFERENCES "public"."Instance"("id") ON DELETE RESTRICT ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "public"."UserAuth" ADD CONSTRAINT "UserAuth_userId_fkey" FOREIGN KEY ("userId") REFERENCES "public"."User"("id") ON DELETE RESTRICT ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "public"."Category" ADD CONSTRAINT "Category_instanceId_fkey" FOREIGN KEY ("instanceId") REFERENCES "public"."Instance"("id") ON DELETE SET NULL ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "public"."Channel" ADD CONSTRAINT "Channel_categoryId_fkey" FOREIGN KEY ("categoryId") REFERENCES "public"."Category"("id") ON DELETE SET NULL ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "public"."Message" ADD CONSTRAINT "Message_channelId_fkey" FOREIGN KEY ("channelId") REFERENCES "public"."Channel"("id") ON DELETE RESTRICT ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "public"."Message" ADD CONSTRAINT "Message_userId_fkey" FOREIGN KEY ("userId") REFERENCES "public"."User"("id") ON DELETE RESTRICT ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "public"."Reply" ADD CONSTRAINT "Reply_messageId_fkey" FOREIGN KEY ("messageId") REFERENCES "public"."Message"("id") ON DELETE RESTRICT ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "public"."Reply" ADD CONSTRAINT "Reply_repliesToId_fkey" FOREIGN KEY ("repliesToId") REFERENCES "public"."Message"("id") ON DELETE RESTRICT ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "public"."MessagePing" ADD CONSTRAINT "MessagePing_messageId_fkey" FOREIGN KEY ("messageId") REFERENCES "public"."Message"("id") ON DELETE RESTRICT ON UPDATE CASCADE;
+
+-- AddForeignKey
+ALTER TABLE "public"."MessagePing" ADD CONSTRAINT "MessagePing_pingsUserId_fkey" FOREIGN KEY ("pingsUserId") REFERENCES "public"."User"("id") ON DELETE RESTRICT ON UPDATE CASCADE;
diff --git a/concord-server/migrations/migration_lock.toml b/concord-server/migrations/migration_lock.toml
new file mode 100644
index 0000000..044d57c
--- /dev/null
+++ b/concord-server/migrations/migration_lock.toml
@@ -0,0 +1,3 @@
+# Please do not edit this file manually
+# It should be added in your version-control system (e.g., Git)
+provider = "postgresql"
diff --git a/concord-server/src/services/userService.ts b/concord-server/src/services/userService.ts
index 4228b66..13e96d9 100644
--- a/concord-server/src/services/userService.ts
+++ b/concord-server/src/services/userService.ts
@@ -6,15 +6,34 @@ import {
   UserAuth,
 } from "@prisma/client";
 import { CreateUserInput } from '../validators/userValidator';
+import shaHash from "../helper/hashing";
 
 const prisma = new PrismaClient();
 
-export async function createUser(data: CreateUserInput) {
+export async function createUser(data: CreateUserInput): Promise<{
+  username: string,
+  nickname: string | null,
+  bio: string | null,
+  picture: string | null,
+  banner: string | null,
+  status: string,
+  admin: boolean
+} | null> {
+  const requestingUser = await getUserInformation(data.requestingUserId);
+  const requestingUserCredentials = await getUserCredentials(data.requestingUserId)
+  if (!requestingUser
+    || !requestingUserCredentials 
+    || !requestingUser.admin
+    || requestingUserCredentials.token == null 
+    || data.requestingUserToken != requestingUserCredentials.token) {
+    return null;
+  }
+
   if (await prisma.user.count({ where: { username: data.username }}) >= 1) {
     return null;
   }
 
-  return await prisma.user.create({
+  const userData = await prisma.user.create({
     data: {
       username: data.username,
       nickname: data.nickname,
@@ -25,8 +44,68 @@ export async function createUser(data: CreateUserInput) {
       admin: data.admin,
     },
   });
+
+  if (!(await prisma.userAuth.create({
+    data: {
+      userId: userData.id,
+      password: shaHash(data.passwordhash, userData.id),
+      token: null,
+    }
+  }))) {
+    return null;
+  }
+
+  return userData;
 }
 
+export async function getUserCredentials(userId: string): Promise<{
+    userId: string,
+    password: string,
+    token: string | null
+  } | null> {
+    try {
+      if (!userId) {
+        throw new Error("missing userId");
+      }
+
+      const userAuth = await prisma.userAuth.findUnique({
+        where: {
+          userId: userId,
+        },
+      });
+
+      if (!userAuth) {
+        throw new Error("could not find user credentials");
+      }
+
+      return {
+        userId: userAuth.userId,
+        password: userAuth.password,
+        token: userAuth.token,
+      };
+    } catch (err) {
+      const errMessage = err as Error;
+
+      if (errMessage.message === "missing userId") {
+        console.log("services::actions::getUserCredentials - missing userId");
+        return null;
+      }
+
+      if (errMessage.message === "could not find user credentials") {
+        console.log(
+          "services::actions::getUserCredentials - unable to find user credentials",
+        );
+        return null;
+      }
+
+      console.log(
+        "services::actions::getUserCredentials - unknown error",
+        errMessage,
+      );
+      return null;
+    }
+  }
+
 export async function getUserInformation(userId: string): Promise<{
   id: string;
   userName: string;
diff --git a/concord-server/src/validators/userValidator.ts b/concord-server/src/validators/userValidator.ts
index 6837dd2..463957a 100644
--- a/concord-server/src/validators/userValidator.ts
+++ b/concord-server/src/validators/userValidator.ts
@@ -16,6 +16,9 @@ export const createUserSchema = z.object({
   banner: z.url().optional(),
   status: z.enum(['online', 'offline', 'dnd', 'idle', 'invis']).default('online'),
   admin: z.boolean().default(false),
+  requestingUserId: z.uuidv7(),
+  requestingUserToken: z.uuidv4(),
+  passwordhash: z.string(),
 })
 
 export type QueryUserByIdInput = z.infer<typeof queryUserByIdSchema>