Merge pull request #37 from GitAddRemote/feature/system-user

feat: introduce system user for automated changes

Author: GitAddRemote

backend/src/migrations/1764791773398-AddIsSystemUserColumn.ts

@@ -0,0 +1,23 @@
+import { MigrationInterface, QueryRunner } from 'typeorm';
+
+export class AddIsSystemUserColumn1764791773398 implements MigrationInterface {
+  public async up(queryRunner: QueryRunner): Promise<void> {
+    // Add is_system_user column to users table
+    await queryRunner.query(
+      `ALTER TABLE "user" ADD COLUMN "isSystemUser" boolean NOT NULL DEFAULT false`,
+    );
+
+    // Create index for system user queries
+    await queryRunner.query(
+      `CREATE INDEX "IDX_user_is_system_user" ON "user" ("isSystemUser")`,
+    );
+  }
+
+  public async down(queryRunner: QueryRunner): Promise<void> {
+    // Drop index
+    await queryRunner.query(`DROP INDEX "IDX_user_is_system_user"`);
+
+    // Drop column
+    await queryRunner.query(`ALTER TABLE "user" DROP COLUMN "isSystemUser"`);
+  }
+}

backend/src/migrations/1764791795973-SeedSystemUser.ts

@@ -0,0 +1,45 @@
+import { MigrationInterface, QueryRunner } from 'typeorm';
+import * as bcrypt from 'bcrypt';
+
+export class SeedSystemUser1764791795973 implements MigrationInterface {
+  public async up(queryRunner: QueryRunner): Promise<void> {
+    // Generate an unusable password hash (system user should never authenticate)
+    const unusablePassword = await bcrypt.hash(
+      'SYSTEM_USER_NO_LOGIN_' + Math.random(),
+      10,
+    );
+
+    // Insert system user with ID = 1 (reserved)
+    await queryRunner.query(
+      `
+      INSERT INTO "user" (
+        "id",
+        "username",
+        "email",
+        "password",
+        "isActive",
+        "isSystemUser"
+      ) VALUES (
+        1,
+        'station-system',
+        'system@station.internal',
+        $1,
+        true,
+        true
+      )
+      ON CONFLICT (id) DO NOTHING
+    `,
+      [unusablePassword],
+    );
+
+    // Reset the sequence to start from 2 for normal users
+    await queryRunner.query(
+      `SELECT setval(pg_get_serial_sequence('user', 'id'), (SELECT MAX(id) FROM "user"), true)`,
+    );
+  }
+
+  public async down(queryRunner: QueryRunner): Promise<void> {
+    // Remove system user
+    await queryRunner.query(`DELETE FROM "user" WHERE "id" = 1`);
+  }
+}

backend/src/modules/auth/auth.service.spec.ts

@@ -1,6 +1,7 @@
 import { Test, TestingModule } from '@nestjs/testing';
 import { AuthService } from './auth.service';
 import { UsersService } from '../users/users.service';
+import { SystemUserService } from '../users/system-user.service';
 import { JwtService } from '@nestjs/jwt';
 import { ConfigService } from '@nestjs/config';
 import { getRepositoryToken } from '@nestjs/typeorm';
@@ -17,6 +18,7 @@ describe('AuthService - Password Reset', () => {
     username: 'testuser',
     email: 'test@example.com',
     password: '$2b$10$hashedpassword',
+    isSystemUser: false,
   };
 
   const mockUsersService = {
@@ -25,6 +27,11 @@ describe('AuthService - Password Reset', () => {
     updatePassword: jest.fn(),
   };
 
+  const mockSystemUserService = {
+    getSystemUserId: jest.fn(),
+    isSystemUser: jest.fn(),
+  };
+
   const mockPasswordResetRepository = {
     save: jest.fn(),
     findOne: jest.fn(),
@@ -57,6 +64,10 @@ describe('AuthService - Password Reset', () => {
           provide: UsersService,
           useValue: mockUsersService,
         },
+        {
+          provide: SystemUserService,
+          useValue: mockSystemUserService,
+        },
         {
           provide: JwtService,
           useValue: mockJwtService,

backend/src/modules/auth/auth.service.ts

@@ -8,6 +8,7 @@ import { JwtService } from '@nestjs/jwt';
 import { InjectRepository } from '@nestjs/typeorm';
 import { Repository } from 'typeorm';
 import { UsersService } from '../users/users.service';
+import { SystemUserService } from '../users/system-user.service';
 import * as bcrypt from 'bcrypt';
 import * as crypto from 'crypto';
 import { User } from '../users/user.entity';
@@ -25,6 +26,7 @@ export class AuthService {
 
   constructor(
     private usersService: UsersService,
+    private systemUserService: SystemUserService,
     private jwtService: JwtService,
     private configService: ConfigService,
     @InjectRepository(RefreshToken)
@@ -37,6 +39,14 @@ export class AuthService {
     const user = await this.usersService.findOne(username);
     const trimmedPass = pass.trim();
 
+    // Block system user from authentication
+    if (user && user.isSystemUser) {
+      this.logger.warn(
+        `System user attempted to authenticate: ${username}. This is not allowed.`,
+      );
+      return null;
+    }
+
     const hashToCompare = user?.password ?? this.dummyHash;
     const isMatch = await bcrypt.compare(trimmedPass, hashToCompare);
 

backend/src/modules/users/system-user.service.spec.ts

@@ -0,0 +1,133 @@
+import { Test, TestingModule } from '@nestjs/testing';
+import { getRepositoryToken } from '@nestjs/typeorm';
+import { SystemUserService } from './system-user.service';
+import { User } from './user.entity';
+
+describe('SystemUserService', () => {
+  let service: SystemUserService;
+
+  const mockSystemUser = {
+    id: 1,
+    username: 'station-system',
+    email: 'system@station.internal',
+    isSystemUser: true,
+    isActive: true,
+  };
+
+  const mockRepository = {
+    findOne: jest.fn(),
+    create: jest.fn(),
+    save: jest.fn(),
+  };
+
+  beforeEach(async () => {
+    const module: TestingModule = await Test.createTestingModule({
+      providers: [
+        SystemUserService,
+        {
+          provide: getRepositoryToken(User),
+          useValue: mockRepository,
+        },
+      ],
+    }).compile();
+
+    service = module.get<SystemUserService>(SystemUserService);
+    jest.clearAllMocks();
+  });
+
+  it('should be defined', () => {
+    expect(service).toBeDefined();
+  });
+
+  describe('onModuleInit', () => {
+    it('should cache system user ID at startup', async () => {
+      mockRepository.findOne.mockResolvedValue(mockSystemUser);
+
+      await service.onModuleInit();
+
+      expect(mockRepository.findOne).toHaveBeenCalledWith({
+        where: { id: 1, isSystemUser: true },
+        select: ['id'],
+      });
+      expect(service.getSystemUserId()).toBe(1);
+    });
+
+    it('should throw error if system user is missing', async () => {
+      // Store original NODE_ENV
+      const originalNodeEnv = process.env.NODE_ENV;
+
+      // Set NODE_ENV to non-test value to prevent auto-creation
+      process.env.NODE_ENV = 'production';
+
+      mockRepository.findOne.mockResolvedValue(null);
+
+      await expect(service.onModuleInit()).rejects.toThrow(
+        'System user not found! Run migrations to seed system user: pnpm migration:run',
+      );
+
+      // Restore original NODE_ENV
+      process.env.NODE_ENV = originalNodeEnv;
+    });
+
+    it('should auto-create system user in test environment', async () => {
+      // Store original NODE_ENV
+      const originalNodeEnv = process.env.NODE_ENV;
+
+      // Ensure we're in test environment
+      process.env.NODE_ENV = 'test';
+
+      mockRepository.findOne.mockResolvedValue(null);
+      mockRepository.create.mockReturnValue(mockSystemUser);
+      mockRepository.save.mockResolvedValue(mockSystemUser);
+
+      await service.onModuleInit();
+
+      expect(mockRepository.create).toHaveBeenCalledWith(
+        expect.objectContaining({
+          id: 1,
+          username: 'station-system',
+          email: 'system@station.internal',
+          isActive: true,
+          isSystemUser: true,
+        }),
+      );
+      expect(mockRepository.save).toHaveBeenCalled();
+      expect(service.getSystemUserId()).toBe(1);
+
+      // Restore original NODE_ENV
+      process.env.NODE_ENV = originalNodeEnv;
+    });
+  });
+
+  describe('getSystemUserId', () => {
+    it('should return cached system user ID', async () => {
+      mockRepository.findOne.mockResolvedValue(mockSystemUser);
+      await service.onModuleInit();
+
+      expect(service.getSystemUserId()).toBe(1);
+    });
+
+    it('should throw error if not initialized', () => {
+      expect(() => service.getSystemUserId()).toThrow(
+        'System user not initialized. Ensure SystemUserService.onModuleInit() has been called.',
+      );
+    });
+  });
+
+  describe('isSystemUser', () => {
+    it('should return true for system user ID', async () => {
+      mockRepository.findOne.mockResolvedValue(mockSystemUser);
+      await service.onModuleInit();
+
+      expect(service.isSystemUser(1)).toBe(true);
+    });
+
+    it('should return false for non-system user ID', async () => {
+      mockRepository.findOne.mockResolvedValue(mockSystemUser);
+      await service.onModuleInit();
+
+      expect(service.isSystemUser(2)).toBe(false);
+      expect(service.isSystemUser(100)).toBe(false);
+    });
+  });
+});

backend/src/modules/users/system-user.service.ts

@@ -0,0 +1,75 @@
+import { Injectable, OnModuleInit, Logger } from '@nestjs/common';
+import { InjectRepository } from '@nestjs/typeorm';
+import { Repository } from 'typeorm';
+import { User } from './user.entity';
+import * as bcrypt from 'bcrypt';
+
+@Injectable()
+export class SystemUserService implements OnModuleInit {
+  private readonly logger = new Logger(SystemUserService.name);
+  private systemUserId: number | null = null;
+  private readonly SYSTEM_USER_ID = 1; // Reserved ID for system user
+
+  constructor(
+    @InjectRepository(User)
+    private usersRepository: Repository<User>,
+  ) {}
+
+  async onModuleInit(): Promise<void> {
+    // Cache system user ID at startup
+    this.logger.log('Initializing system user service...');
+
+    let systemUser = await this.usersRepository.findOne({
+      where: { id: this.SYSTEM_USER_ID, isSystemUser: true },
+      select: ['id'],
+    });
+
+    // In test environment, auto-create system user if missing
+    if (!systemUser && process.env.NODE_ENV === 'test') {
+      this.logger.warn(
+        'System user not found in test environment - creating automatically',
+      );
+      systemUser = await this.createSystemUser();
+    }
+
+    if (!systemUser) {
+      throw new Error(
+        'System user not found! Run migrations to seed system user: pnpm migration:run',
+      );
+    }
+
+    this.systemUserId = systemUser.id;
+    this.logger.log(`System user initialized with ID: ${this.systemUserId}`);
+  }
+
+  private async createSystemUser(): Promise<User> {
+    const unusablePassword = await bcrypt.hash(
+      'SYSTEM_USER_NO_LOGIN_' + Math.random(),
+      10,
+    );
+
+    const systemUser = this.usersRepository.create({
+      id: this.SYSTEM_USER_ID,
+      username: 'station-system',
+      email: 'system@station.internal',
+      password: unusablePassword,
+      isActive: true,
+      isSystemUser: true,
+    });
+
+    return await this.usersRepository.save(systemUser);
+  }
+
+  getSystemUserId(): number {
+    if (!this.systemUserId) {
+      throw new Error(
+        'System user not initialized. Ensure SystemUserService.onModuleInit() has been called.',
+      );
+    }
+    return this.systemUserId;
+  }
+
+  isSystemUser(userId: number): boolean {
+    return userId === this.SYSTEM_USER_ID;
+  }
+}

backend/src/modules/users/user.entity.ts

@@ -1,4 +1,10 @@
-import { Entity, Column, PrimaryGeneratedColumn, OneToMany } from 'typeorm';
+import {
+  Entity,
+  Column,
+  PrimaryGeneratedColumn,
+  OneToMany,
+  Index,
+} from 'typeorm';
 import { UserOrganizationRole } from '../user-organization-roles/user-organization-role.entity';
 
 @Entity()
@@ -18,6 +24,10 @@ export class User {
   @Column({ default: true })
   isActive!: boolean;
 
+  @Column({ default: false })
+  @Index()
+  isSystemUser!: boolean;
+
   @Column({ length: 100, nullable: true })
   firstName?: string;
 

backend/src/modules/users/users.module.ts

@@ -3,11 +3,12 @@ import { TypeOrmModule } from '@nestjs/typeorm';
 import { UsersService } from './users.service';
 import { UsersController } from './users.controller';
 import { User } from './user.entity';
+import { SystemUserService } from './system-user.service';
 
 @Module({
   imports: [TypeOrmModule.forFeature([User])],
-  providers: [UsersService],
+  providers: [UsersService, SystemUserService],
   controllers: [UsersController],
-  exports: [UsersService],
+  exports: [UsersService, SystemUserService],
 })
 export class UsersModule {}