dezky/services/provisioning/src/schemas/user.schema.ts

import { Prop, Schema, SchemaFactory } from '@nestjs/mongoose'
import { HydratedDocument, Types } from 'mongoose'

export type UserDocument = HydratedDocument<User>

export type UserRole = 'owner' | 'admin' | 'member'

@Schema({ collection: 'users', timestamps: true })
export class User {
  // Authentik subject claim — stable identity across login sessions.
  @Prop({ required: true, unique: true, index: true })
  authentikSubjectId!: string

  // Tenants this user belongs to. A user can belong to multiple tenants (e.g. partner staff).
  @Prop({ type: [Types.ObjectId], ref: 'Tenant', default: [], index: true })
  tenantIds!: Types.ObjectId[]

  @Prop({ required: true, lowercase: true, trim: true, index: true })
  email!: string

  @Prop({ required: true, trim: true })
  name!: string

  // Role is per-user globally for the MVP. Refine to per-tenant later if needed.
  @Prop({ enum: ['owner', 'admin', 'member'], default: 'member' })
  role!: UserRole

  @Prop({ default: true })
  active!: boolean

  // Cross-tenant admin flag — independent of per-tenant role above.
  // Set at upsert time based on Authentik group membership; once set, the DB is the
  // source of truth and a future revocation requires explicit setUserAdmin().
  @Prop({ default: false, index: true })
  platformAdmin!: boolean

  @Prop()
  lastLoginAt?: Date
}

export const UserSchema = SchemaFactory.createForClass(User)