feat: stable user roles

Author: Khumeren

READMEs/API/UAM-API-SPECS-FOR-FRONTEND.md

@@ -1,9 +1,11 @@
 # TASK-003: User Account Management (UAM) - Complete Implementation
 
-**Status:** 📋 PLANNED  
+**Status:** 🚧 IN PROGRESS  
 **Priority:** HIGH  
 **Created:** 2025-12-04  
+**Updated:** 2025-12-04  
 **Estimated Effort:** 4-6 hours  
+**Actual Effort:** ~2 hours (Phases 1-3 complete)
 
 ---
 
@@ -429,36 +431,36 @@ Rgt.Space.Infrastructure/
 
 ## ✅ Implementation Checklist
 
-### Phase 1: User CRUD
-- [ ] Create `CreateUser` command + handler
-- [ ] Create `CreateUser` endpoint
-- [ ] Add password hashing utility (HMAC-SHA512)
-- [ ] Create `DeleteUser` command + handler  
-- [ ] Create `DeleteUser` endpoint
-- [ ] Update `IUserWriteDac` interface
-- [ ] Update `UserWriteDac` implementation
+### Phase 1: User CRUD ✅ COMPLETE
+- [x] Create `CreateUser` command + handler
+- [x] Create `CreateUser` endpoint
+- [x] Add password hashing utility (HMAC-SHA512)
+- [x] Create `DeleteUser` command + handler  
+- [x] Create `DeleteUser` endpoint
+- [x] Update `IUserWriteDac` interface
+- [x] Update `UserWriteDac` implementation
 - [ ] Test Create User endpoint
 - [ ] Test Delete User endpoint (with cascade)
 
-### Phase 2: Role Management
-- [ ] Create `IRoleReadDac` interface
-- [ ] Create `IRoleWriteDac` interface
-- [ ] Create `RoleReadDac` implementation
-- [ ] Create `RoleWriteDac` implementation
-- [ ] Create `RoleReadModel`
-- [ ] Create `RoleResponse` DTO
-- [ ] Create `GetAllRoles` query + endpoint
-- [ ] Create `GetRoleById` query + endpoint
-- [ ] Create `CreateRole` command + endpoint
-- [ ] Create `UpdateRole` command + endpoint
-- [ ] Create `DeleteRole` command + endpoint
-- [ ] Register DACs in DI container
-
-### Phase 3: User-Role Assignment
-- [ ] Create `UserRoleReadModel`
-- [ ] Create `GetUserRoles` query + endpoint
-- [ ] Create `AssignRole` command + endpoint
-- [ ] Create `UnassignRole` command + endpoint
+### Phase 2: Role Management ✅ COMPLETE
+- [x] Create `IRoleReadDac` interface
+- [x] Create `IRoleWriteDac` interface
+- [x] Create `RoleReadDac` implementation
+- [x] Create `RoleWriteDac` implementation
+- [x] Create `RoleReadModel`
+- [x] Create Role DTOs (CreateRoleRequest, UpdateRoleRequest)
+- [x] Create `GetAllRoles` query + endpoint
+- [x] Create `GetRoleById` query + endpoint
+- [x] Create `CreateRole` command + endpoint
+- [x] Create `UpdateRole` command + endpoint
+- [x] Create `DeleteRole` command + endpoint
+- [x] Register DACs in DI container
+
+### Phase 3: User-Role Assignment ✅ COMPLETE
+- [x] Create `UserRoleReadModel`
+- [x] Create `GetUserRoles` query + endpoint
+- [x] Create `AssignRoleToUser` command + endpoint
+- [x] Create `UnassignRoleFromUser` command + endpoint
 
 ### Phase 4: Seed Data & Testing
 - [ ] Create migration for additional roles

READMEs/Tasks/TASK-003-UAM-Complete-Implementation.md

@@ -0,0 +1,58 @@
+using FastEndpoints;
+using MediatR;
+using Rgt.Space.API.ProblemDetails;
+using Rgt.Space.Core.Abstractions.Identity;
+using Rgt.Space.Core.Domain.Contracts.Identity;
+using AssignRoleCommand = Rgt.Space.Infrastructure.Commands.Identity.AssignRoleToUser.Command;
+
+namespace Rgt.Space.API.Endpoints.Identity.AssignRole;
+
+public sealed class Endpoint(IMediator mediator, ICurrentUser currentUser) : Endpoint<AssignRoleRequest>
+{
+    public override void Configure()
+    {
+        Post("/api/v1/users/{userId}/roles");
+        Summary(s =>
+        {
+            s.Summary = "Assign role to user";
+            s.Description = "Assigns a role to a user. Idempotent - if already assigned, returns 200.";
+            s.Response(201, "Role assigned successfully");
+            s.Response(200, "Role was already assigned");
+            s.Response(404, "User or role not found");
+        });
+        Tags("User Management");
+    }
+
+    public override async Task HandleAsync(AssignRoleRequest req, CancellationToken ct)
+    {
+        var userId = Route<Guid>("userId");
+        
+        var command = new AssignRoleCommand(
+            userId,
+            req.RoleId,
+            currentUser.Id);
+
+        var result = await mediator.Send(command, ct);
+
+        if (result.IsFailed)
+        {
+            var problemDetails = result.ToProblemDetails(HttpContext);
+            await HttpContext.Response.SendAsync(problemDetails, problemDetails.Status ?? 500, cancellation: ct);
+            return;
+        }
+
+        if (result.Value.WasCreated)
+        {
+            // New assignment created
+            await HttpContext.Response.SendAsync(
+                new { id = result.Value.UserRoleId, userId, roleId = req.RoleId, assignedAt = DateTime.UtcNow },
+                201,
+                cancellation: ct);
+        }
+        else
+        {
+            // Already assigned
+            await Send.OkAsync(new { message = "Role was already assigned" }, ct);
+        }
+    }
+}

Rgt.Space.API/Endpoints/Identity/AssignRole/Endpoint.cs

@@ -0,0 +1,63 @@
+using FastEndpoints;
+using MediatR;
+using Rgt.Space.API.ProblemDetails;
+using Rgt.Space.Core.Abstractions.Identity;
+using Rgt.Space.Core.Domain.Contracts.Identity;
+using CreateUserCommand = Rgt.Space.Infrastructure.Commands.Identity.CreateUser.Command;
+
+namespace Rgt.Space.API.Endpoints.Identity.CreateUser;
+
+public sealed class Endpoint(IMediator mediator, ICurrentUser currentUser) : Endpoint<CreateUserRequest>
+{
+    public override void Configure()
+    {
+        Post("/api/v1/users");
+        Summary(s =>
+        {
+            s.Summary = "Create a new user";
+            s.Description = "Creates a new user with optional local login credentials. If localLoginEnabled is true, password is required.";
+            s.Response<CreateUserResponse>(201, "User created successfully");
+            s.Response(400, "Validation failure or password required");
+            s.Response(409, "Email already exists");
+        });
+        Tags("User Management");
+    }
+
+    public override async Task HandleAsync(CreateUserRequest req, CancellationToken ct)
+    {
+        var command = new CreateUserCommand(
+            req.DisplayName,
+            req.Email,
+            req.ContactNumber,
+            req.LocalLoginEnabled,
+            req.Password,
+            req.RoleIds,
+            currentUser.Id);
+
+        var result = await mediator.Send(command, ct);
+
+        if (result.IsFailed)
+        {
+            var problemDetails = result.ToProblemDetails(HttpContext);
+            await HttpContext.Response.SendAsync(problemDetails, problemDetails.Status ?? 500, cancellation: ct);
+            return;
+        }
+
+        // Build response
+        var response = new CreateUserResponse(
+            Id: result.Value,
+            DisplayName: req.DisplayName,
+            Email: req.Email,
+            ContactNumber: req.ContactNumber,
+            IsActive: true,
+            LocalLoginEnabled: req.LocalLoginEnabled,
+            SsoLoginEnabled: false,
+            Roles: null, // Role assignment is Phase 3
+            CreatedAt: DateTime.UtcNow);
+
+        await HttpContext.Response.SendCreatedAtAsync<GetUser.Endpoint>(
+            new { userId = result.Value },
+            response,
+            cancellation: ct);
+    }
+}

Rgt.Space.API/Endpoints/Identity/CreateUser/Endpoint.cs

@@ -0,0 +1,45 @@
+using FastEndpoints;
+using MediatR;
+using Rgt.Space.API.ProblemDetails;
+using Rgt.Space.Core.Abstractions.Identity;
+using Rgt.Space.Core.Domain.Contracts.Identity;
+using DeleteUserCommand = Rgt.Space.Infrastructure.Commands.Identity.DeleteUser.Command;
+
+namespace Rgt.Space.API.Endpoints.Identity.DeleteUser;
+
+public sealed class Endpoint(IMediator mediator, ICurrentUser currentUser) : EndpointWithoutRequest
+{
+    public override void Configure()
+    {
+        Delete("/api/v1/users/{userId}");
+        Summary(s =>
+        {
+            s.Summary = "Delete a user";
+            s.Description = "Soft deletes a user and cascade deletes all their project assignments. Returns count of deleted assignments for frontend warning display.";
+            s.Response<DeleteUserResponse>(200, "User deleted successfully");
+            s.Response(404, "User not found");
+        });
+        Tags("User Management");
+    }
+
+    public override async Task HandleAsync(CancellationToken ct)
+    {
+        var userId = Route<Guid>("userId");
+        
+        var command = new DeleteUserCommand(userId, currentUser.Id);
+        var result = await mediator.Send(command, ct);
+
+        if (result.IsFailed)
+        {
+            var problemDetails = result.ToProblemDetails(HttpContext);
+            await HttpContext.Response.SendAsync(problemDetails, problemDetails.Status ?? 500, cancellation: ct);
+            return;
+        }
+
+        var response = new DeleteUserResponse(
+            result.Value.Deleted,
+            result.Value.AssignmentsRemoved);
+
+        await Send.OkAsync(response, ct);
+    }
+}

Rgt.Space.API/Endpoints/Identity/DeleteUser/Endpoint.cs

@@ -0,0 +1,39 @@
+using FastEndpoints;
+using MediatR;
+using Rgt.Space.API.ProblemDetails;
+using Rgt.Space.Core.ReadModels;
+using GetUserRolesQuery = Rgt.Space.Infrastructure.Queries.Identity.GetUserRoles;
+
+namespace Rgt.Space.API.Endpoints.Identity.GetUserRoles;
+
+public sealed class Endpoint(IMediator mediator) : EndpointWithoutRequest
+{
+    public override void Configure()
+    {
+        Get("/api/v1/users/{userId}/roles");
+        Summary(s =>
+        {
+            s.Summary = "Get user's assigned roles";
+            s.Description = "Returns a list of roles assigned to a user.";
+            s.Response<IReadOnlyList<UserRoleReadModel>>(200, "List of assigned roles");
+            s.Response(404, "User not found");
+        });
+        Tags("User Management");
+    }
+
+    public override async Task HandleAsync(CancellationToken ct)
+    {
+        var userId = Route<Guid>("userId");
+        var result = await mediator.Send(new GetUserRolesQuery.Query(userId), ct);
+
+        if (result.IsFailed)
+        {
+            var problemDetails = result.ToProblemDetails(HttpContext);
+            await Send.ResponseAsync(problemDetails, problemDetails.Status ?? 500, ct);
+            return;
+        }
+
+        await Send.OkAsync(result.Value, ct);
+    }
+}
+

Rgt.Space.API/Endpoints/Identity/GetUserRoles/Endpoint.cs

@@ -0,0 +1,40 @@
+using FastEndpoints;
+using MediatR;
+using Rgt.Space.API.ProblemDetails;
+using UnassignRoleCommand = Rgt.Space.Infrastructure.Commands.Identity.UnassignRoleFromUser.Command;
+
+namespace Rgt.Space.API.Endpoints.Identity.UnassignRole;
+
+public sealed class Endpoint(IMediator mediator) : EndpointWithoutRequest
+{
+    public override void Configure()
+    {
+        Delete("/api/v1/users/{userId}/roles/{roleId}");
+        Summary(s =>
+        {
+            s.Summary = "Unassign role from user";
+            s.Description = "Removes a role assignment from a user. Idempotent - if not found, still returns 200.";
+            s.Response(200, "Role unassigned successfully");
+            s.Response(404, "User not found");
+        });
+        Tags("User Management");
+    }
+
+    public override async Task HandleAsync(CancellationToken ct)
+    {
+        var userId = Route<Guid>("userId");
+        var roleId = Route<Guid>("roleId");
+        
+        var command = new UnassignRoleCommand(userId, roleId);
+        var result = await mediator.Send(command, ct);
+
+        if (result.IsFailed)
+        {
+            var problemDetails = result.ToProblemDetails(HttpContext);
+            await HttpContext.Response.SendAsync(problemDetails, problemDetails.Status ?? 500, cancellation: ct);
+            return;
+        }
+
+        await Send.OkAsync(new { deleted = true }, ct);
+    }
+}

Rgt.Space.API/Endpoints/Identity/UnassignRole/Endpoint.cs

@@ -0,0 +1,64 @@
+using FastEndpoints;
+using MediatR;
+using Rgt.Space.API.ProblemDetails;
+using Rgt.Space.Core.Abstractions.Identity;
+using Rgt.Space.Core.Domain.Contracts.Identity;
+using Rgt.Space.Core.ReadModels;
+using CreateRoleCommand = Rgt.Space.Infrastructure.Commands.Identity.CreateRole.Command;
+
+namespace Rgt.Space.API.Endpoints.Roles.CreateRole;
+
+public sealed class Endpoint(IMediator mediator, ICurrentUser currentUser) : Endpoint<CreateRoleRequest>
+{
+    public override void Configure()
+    {
+        Post("/api/v1/roles");
+        Summary(s =>
+        {
+            s.Summary = "Create a new role";
+            s.Description = "Creates a new role. Code must be unique and uppercase.";
+            s.Response<RoleReadModel>(201, "Role created successfully");
+            s.Response(400, "Validation failure");
+            s.Response(409, "Role code already exists");
+        });
+        Tags("Role Management");
+    }
+
+    public override async Task HandleAsync(CreateRoleRequest req, CancellationToken ct)
+    {
+        var command = new CreateRoleCommand(
+            req.Name,
+            req.Code,
+            req.Description,
+            req.IsActive,
+            currentUser.Id);
+
+        var result = await mediator.Send(command, ct);
+
+        if (result.IsFailed)
+        {
+            var problemDetails = result.ToProblemDetails(HttpContext);
+            await HttpContext.Response.SendAsync(problemDetails, problemDetails.Status ?? 500, cancellation: ct);
+            return;
+        }
+
+        // Build response (simplified - just return the ID and basic info)
+        var response = new RoleReadModel(
+            result.Value,
+            req.Name,
+            req.Code,
+            req.Description,
+            false, // isSystem - user-created roles are never system
+            req.IsActive,
+            0, // userCount - new role has no users
+            DateTime.UtcNow,
+            currentUser.Id,
+            DateTime.UtcNow,
+            currentUser.Id);
+
+        await HttpContext.Response.SendCreatedAtAsync<GetRole.Endpoint>(
+            new { roleId = result.Value },
+            response,
+            cancellation: ct);
+    }
+}