src/lib/db/schema/portal.ts

import { pgTable, text, boolean, timestamp, index, uniqueIndex } from 'drizzle-orm/pg-core';

import { ports } from './ports';
import { clients } from './clients';

/**
 * Portal users - one per client account that's been invited to the client
 * portal. Separate from the CRM `users` table (managed by better-auth) so the
 * authentication realms stay isolated.
 *
 * Created by an admin from the client detail page; the admin's invite mails
 * an activation token that lets the client set their own password.
 */
export const portalUsers = pgTable(
  'portal_users',
  {
    id: text('id')
      .primaryKey()
      .$defaultFn(() => crypto.randomUUID()),
    portId: text('port_id')
      .notNull()
      .references(() => ports.id),
    clientId: text('client_id')
      .notNull()
      .references(() => clients.id, { onDelete: 'cascade' }),
    email: text('email').notNull(),
    /**
     * scrypt-hashed password. Format: `salt:keyHex` (both base64url). Null
     * until the user activates their account.
     */
    passwordHash: text('password_hash'),
    name: text('name'),
    isActive: boolean('is_active').notNull().default(true),
    lastLoginAt: timestamp('last_login_at', { withTimezone: true }),
    createdBy: text('created_by').notNull(),
    createdAt: timestamp('created_at', { withTimezone: true }).notNull().defaultNow(),
    updatedAt: timestamp('updated_at', { withTimezone: true }).notNull().defaultNow(),
  },
  (table) => [
    uniqueIndex('idx_portal_users_email_unique').on(table.email),
    index('idx_portal_users_client').on(table.clientId),
    index('idx_portal_users_port').on(table.portId),
  ],
);

/**
 * Single-use tokens for portal-account activation and password reset.
 *
 * `tokenHash` is a SHA-256 hash of the raw token sent in the email. Lookups
 * happen by hash so a DB compromise never leaks active tokens.
 */
export const portalAuthTokens = pgTable(
  'portal_auth_tokens',
  {
    id: text('id')
      .primaryKey()
      .$defaultFn(() => crypto.randomUUID()),
    portalUserId: text('portal_user_id')
      .notNull()
      .references(() => portalUsers.id, { onDelete: 'cascade' }),
    tokenHash: text('token_hash').notNull(),
    type: text('type').notNull(), // 'activation' | 'reset'
    expiresAt: timestamp('expires_at', { withTimezone: true }).notNull(),
    usedAt: timestamp('used_at', { withTimezone: true }),
    createdAt: timestamp('created_at', { withTimezone: true }).notNull().defaultNow(),
  },
  (table) => [
    uniqueIndex('idx_portal_tokens_hash_unique').on(table.tokenHash),
    index('idx_portal_tokens_user').on(table.portalUserId),
  ],
);

export type PortalUser = typeof portalUsers.$inferSelect;
export type NewPortalUser = typeof portalUsers.$inferInsert;
export type PortalAuthToken = typeof portalAuthTokens.$inferSelect;
export type NewPortalAuthToken = typeof portalAuthTokens.$inferInsert;
feat(portal): replace magic-link with email/password + admin-initiated activation The client portal no longer uses passwordless / magic-link sign-in. Each client now has a `portal_users` row with a scrypt-hashed password, created by an admin from the client detail page; the admin's invite mails an activation link that the client uses to set their own password. Forgot-password is wired through the same token mechanism. Schema (migration `0009_outgoing_rumiko_fujikawa.sql`): - `portal_users` — one per client account, separate from the CRM `users` table (better-auth) so the auth realms stay isolated. Email is globally unique, password is null until activation. - `portal_auth_tokens` — single-use activation / reset tokens. Stores only the SHA-256 hash so a DB compromise never leaks live tokens. Services: - `src/lib/portal/passwords.ts` — scrypt hash/verify (no new deps; uses node:crypto), token mint+hash helpers. - `src/lib/services/portal-auth.service.ts` — createPortalUser, resendActivation, activateAccount, signIn (timing-safe), requestPasswordReset, resetPassword. Auth failures throw the new UnauthorizedError (401); enumeration-safe behaviour everywhere. Routes: - POST /api/portal/auth/sign-in — sets the existing portal JWT cookie. - POST /api/portal/auth/forgot-password — always 200. - POST /api/portal/auth/reset-password — token + new password. - POST /api/portal/auth/activate — token + initial password. - POST /api/v1/clients/:id/portal-user — admin invite (and `?action=resend`). - Removed: /api/portal/auth/request, /api/portal/auth/verify (magic link). UI: - /portal/login — replaced email-only magic-link form with email + password + "forgot password" link. - /portal/forgot-password, /portal/reset-password, /portal/activate — new. - New shared `PasswordSetForm` component used by activate + reset. - New `PortalInviteButton` rendered on the client detail header. Email send: - `createTransporter` now wires SMTP auth when SMTP_USER+SMTP_PASS are set (gmail app-password or marina-server creds, configured via env). - `SMTP_FROM` env var lets the sender address be overridden without pinning it to `noreply@${SMTP_HOST}`. Tests: - Smoke spec 17 (client-portal) updated to the new flow: 7/7 green. - Smoke specs 02-crud-spine, 05-invoices, 20-critical-path updated to match the post-refactor client + invoice forms (drop companyName, use OwnerPicker + billingEmail). - Vitest 652/652 still green; type-check clean. Drops the dead `requestMagicLink` from portal.service.ts. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-04-26 15:34:02 +02:00			`import { pgTable, text, boolean, timestamp, index, uniqueIndex } from 'drizzle-orm/pg-core';`

			`import { ports } from './ports';`
			`import { clients } from './clients';`

			`/**`
chore(style): codebase em-dash sweep + minor layout polish Replaces every em-dash and en-dash with regular ASCII hyphens across comments, JSX strings, and dev-facing logs. Mostly cosmetic but stops the inconsistent mix that crept in over the last few months (some files used em-dashes in comments, others didn't, some used both). Bundles two small dashboard-layout tweaks that touch a couple of already-modified files: - (dashboard)/layout.tsx main padding goes from p-6 to pt-3 px-6 pb-6 so page content sits closer to the topbar. - Sidebar now receives the ports list it needs for the footer port switcher. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-05-04 22:57:01 +02:00			`* Portal users - one per client account that's been invited to the client`
feat(portal): replace magic-link with email/password + admin-initiated activation The client portal no longer uses passwordless / magic-link sign-in. Each client now has a `portal_users` row with a scrypt-hashed password, created by an admin from the client detail page; the admin's invite mails an activation link that the client uses to set their own password. Forgot-password is wired through the same token mechanism. Schema (migration `0009_outgoing_rumiko_fujikawa.sql`): - `portal_users` — one per client account, separate from the CRM `users` table (better-auth) so the auth realms stay isolated. Email is globally unique, password is null until activation. - `portal_auth_tokens` — single-use activation / reset tokens. Stores only the SHA-256 hash so a DB compromise never leaks live tokens. Services: - `src/lib/portal/passwords.ts` — scrypt hash/verify (no new deps; uses node:crypto), token mint+hash helpers. - `src/lib/services/portal-auth.service.ts` — createPortalUser, resendActivation, activateAccount, signIn (timing-safe), requestPasswordReset, resetPassword. Auth failures throw the new UnauthorizedError (401); enumeration-safe behaviour everywhere. Routes: - POST /api/portal/auth/sign-in — sets the existing portal JWT cookie. - POST /api/portal/auth/forgot-password — always 200. - POST /api/portal/auth/reset-password — token + new password. - POST /api/portal/auth/activate — token + initial password. - POST /api/v1/clients/:id/portal-user — admin invite (and `?action=resend`). - Removed: /api/portal/auth/request, /api/portal/auth/verify (magic link). UI: - /portal/login — replaced email-only magic-link form with email + password + "forgot password" link. - /portal/forgot-password, /portal/reset-password, /portal/activate — new. - New shared `PasswordSetForm` component used by activate + reset. - New `PortalInviteButton` rendered on the client detail header. Email send: - `createTransporter` now wires SMTP auth when SMTP_USER+SMTP_PASS are set (gmail app-password or marina-server creds, configured via env). - `SMTP_FROM` env var lets the sender address be overridden without pinning it to `noreply@${SMTP_HOST}`. Tests: - Smoke spec 17 (client-portal) updated to the new flow: 7/7 green. - Smoke specs 02-crud-spine, 05-invoices, 20-critical-path updated to match the post-refactor client + invoice forms (drop companyName, use OwnerPicker + billingEmail). - Vitest 652/652 still green; type-check clean. Drops the dead `requestMagicLink` from portal.service.ts. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> 2026-04-26 15:34:02 +02:00			* portal. Separate from the CRM `users` table (managed by better-auth) so the
			`* authentication realms stay isolated.`
			`*`
			`* Created by an admin from the client detail page; the admin's invite mails`
			`* an activation token that lets the client set their own password.`
			`*/`
			`export const portalUsers = pgTable(`
			`'portal_users',`
			`{`
			`id: text('id')`
			`.primaryKey()`
			`.$defaultFn(() => crypto.randomUUID()),`
			`portId: text('port_id')`
			`.notNull()`
			`.references(() => ports.id),`
			`clientId: text('client_id')`
			`.notNull()`
			`.references(() => clients.id, { onDelete: 'cascade' }),`
			`email: text('email').notNull(),`
			`/**`
			* scrypt-hashed password. Format: `salt:keyHex` (both base64url). Null
			`* until the user activates their account.`
			`*/`
			`passwordHash: text('password_hash'),`
			`name: text('name'),`
			`isActive: boolean('is_active').notNull().default(true),`
			`lastLoginAt: timestamp('last_login_at', { withTimezone: true }),`
			`createdBy: text('created_by').notNull(),`
			`createdAt: timestamp('created_at', { withTimezone: true }).notNull().defaultNow(),`
			`updatedAt: timestamp('updated_at', { withTimezone: true }).notNull().defaultNow(),`
			`},`
			`(table) => [`
			`uniqueIndex('idx_portal_users_email_unique').on(table.email),`
			`index('idx_portal_users_client').on(table.clientId),`
			`index('idx_portal_users_port').on(table.portId),`
			`],`
			`);`

			`/**`
			`* Single-use tokens for portal-account activation and password reset.`
			`*`
			* `tokenHash` is a SHA-256 hash of the raw token sent in the email. Lookups
			`* happen by hash so a DB compromise never leaks active tokens.`
			`*/`
			`export const portalAuthTokens = pgTable(`
			`'portal_auth_tokens',`
			`{`
			`id: text('id')`
			`.primaryKey()`
			`.$defaultFn(() => crypto.randomUUID()),`
			`portalUserId: text('portal_user_id')`
			`.notNull()`
			`.references(() => portalUsers.id, { onDelete: 'cascade' }),`
			`tokenHash: text('token_hash').notNull(),`
			`type: text('type').notNull(), // 'activation' \| 'reset'`
			`expiresAt: timestamp('expires_at', { withTimezone: true }).notNull(),`
			`usedAt: timestamp('used_at', { withTimezone: true }),`
			`createdAt: timestamp('created_at', { withTimezone: true }).notNull().defaultNow(),`
			`},`
			`(table) => [`
			`uniqueIndex('idx_portal_tokens_hash_unique').on(table.tokenHash),`
			`index('idx_portal_tokens_user').on(table.portalUserId),`
			`],`
			`);`

			`export type PortalUser = typeof portalUsers.$inferSelect;`
			`export type NewPortalUser = typeof portalUsers.$inferInsert;`
			`export type PortalAuthToken = typeof portalAuthTokens.$inferSelect;`
			`export type NewPortalAuthToken = typeof portalAuthTokens.$inferInsert;`