feat(auth): implement role-based access control and user management features

.env

@@ -10,3 +10,9 @@ MARIADB_PASSWORD=Imminent-Umpire-Undertook8-Crunchy
 
 # Använder root för att prisma migrate deploy skall fungera
 DATABASE_URL=mysql://root:Encrust6-Deserve-Stricken-Spectacle@recipe-db:3306/recipe_app
+
+# Bootstrap-användare (skapas/uppdateras vid appstart)
+ADMIN_NADMIN_PASSWORD=Extra-Bra-Konto1
+ADMIN_PADMIN_PASSWORD=Extra-Bra-Konto2
+SEED_USER1_PASSWORD=Test-Anv1-Fbg
+SEED_USER2_PASSWORD=Test-Anv2-FBG

.env.example

@@ -10,3 +10,9 @@ MARIADB_PASSWORD=byt-ut-mig
 # Publik URL (används av frontend)
 NEXT_PUBLIC_APP_URL=https://recept.gynther.se
 NEXT_PUBLIC_API_URL=https://api.recept.gynther.se
+
+# Bootstrap-användare (skapas/uppdateras vid appstart)
+ADMIN_NADMIN_PASSWORD=byt-ut-mig
+ADMIN_PADMIN_PASSWORD=byt-ut-mig
+SEED_USER1_PASSWORD=byt-ut-mig
+SEED_USER2_PASSWORD=byt-ut-mig

backend/prisma/migrations/20260418100000_add_user_role/migration.sql

@@ -0,0 +1,2 @@
+-- Add role field to User
+ALTER TABLE `User` ADD COLUMN `role` VARCHAR(191) NOT NULL DEFAULT 'user';

backend/prisma/schema.prisma

@@ -14,6 +14,7 @@ model User {
   firstName    String?
   lastName     String?
   passwordHash String
+  role         String       @default("user")
   createdAt    DateTime     @default(now())
   updatedAt    DateTime     @updatedAt
 

backend/src/app.module.ts

@@ -15,6 +15,7 @@ import { UsersModule } from './users/users.module';
 import { UserProductsModule } from './user-products/user-products.module';
 import { CategoriesModule } from './categories/categories.module';
 import { JwtAuthGuard } from './auth/jwt-auth.guard';
+import { RolesGuard } from './auth/roles.guard';
 
 
 @Module({
@@ -39,6 +40,10 @@ import { JwtAuthGuard } from './auth/jwt-auth.guard';
       provide: APP_GUARD,
       useClass: JwtAuthGuard,
     },
+    {
+      provide: APP_GUARD,
+      useClass: RolesGuard,
+    },
   ],
 })
 export class AppModule {}

backend/src/auth/auth.service.ts

@@ -27,7 +27,7 @@ export class AuthService {
       passwordHash,
     });
 
-    return this.issueToken(user.id, user.username);
+    return this.issueToken(user.id, user.username, user.role);
   }
 
   async login(dto: LoginDto) {
@@ -37,15 +37,16 @@ export class AuthService {
     const valid = await bcrypt.compare(dto.password, user.passwordHash);
     if (!valid) throw new UnauthorizedException('Felaktigt användarnamn eller lösenord');
 
-    return this.issueToken(user.id, user.username);
+    return this.issueToken(user.id, user.username, user.role);
   }
 
-  private issueToken(userId: number, username: string) {
-    const payload = { sub: userId, username };
+  private issueToken(userId: number, username: string, role: string) {
+    const payload = { sub: userId, username, role };
     return {
       accessToken: this.jwtService.sign(payload),
       userId,
       username,
+      role,
     };
   }
 }

backend/src/auth/decorators/roles.decorator.ts

@@ -0,0 +1,4 @@
+import { SetMetadata } from '@nestjs/common';
+
+export const ROLES_KEY = 'roles';
+export const Roles = (...roles: string[]) => SetMetadata(ROLES_KEY, roles);

backend/src/auth/jwt.strategy.ts

@@ -12,7 +12,7 @@ export class JwtStrategy extends PassportStrategy(Strategy) {
     });
   }
 
-  async validate(payload: { sub: number; username: string }) {
-    return { userId: payload.sub, username: payload.username };
+  async validate(payload: { sub: number; username: string; role: string }) {
+    return { userId: payload.sub, username: payload.username, role: payload.role ?? 'user' };
   }
 }

backend/src/auth/roles.guard.ts

@@ -0,0 +1,24 @@
+import { Injectable, CanActivate, ExecutionContext, ForbiddenException } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+import { ROLES_KEY } from './decorators/roles.decorator';
+
+@Injectable()
+export class RolesGuard implements CanActivate {
+  constructor(private reflector: Reflector) {}
+
+  canActivate(context: ExecutionContext): boolean {
+    const requiredRoles = this.reflector.getAllAndOverride<string[]>(ROLES_KEY, [
+      context.getHandler(),
+      context.getClass(),
+    ]);
+
+    // No @Roles() decorator — allow any authenticated user
+    if (!requiredRoles || requiredRoles.length === 0) return true;
+
+    const { user } = context.switchToHttp().getRequest();
+    if (!user?.role || !requiredRoles.includes(user.role)) {
+      throw new ForbiddenException('Åtkomst nekad — admin-behörighet krävs');
+    }
+    return true;
+  }
+}

backend/src/products/products.controller.ts

@@ -19,6 +19,7 @@ import { UpdateCanonicalNameDto } from './dto/update-canonical-name.dto';
 import { SetTagsDto } from './dto/set-tags.dto';
 import { UpsertNutritionDto } from './dto/upsert-nutrition.dto';
 import { BulkUpdateProductsDto } from './dto/bulk-update-products.dto';
+import { Roles } from '../auth/decorators/roles.decorator';
 
 @Controller('products')
 export class ProductsController {
@@ -50,6 +51,7 @@ export class ProductsController {
     return this.productsService.previewMerge(sourceProductId, targetProductId);
   }
 
+  @Roles('admin')
   @Post('backfill-canonical')
   backfillCanonical() {
     return this.productsService.backfillCanonicalNames();
@@ -65,6 +67,7 @@ export class ProductsController {
     return this.productsService.create(body);
   }
 
+  @Roles('admin')
   @Post('merge')
   merge(@Body() body: MergeProductsDto) {
     return this.productsService.merge(body.sourceProductId, body.targetProductId);
@@ -102,22 +105,26 @@ export class ProductsController {
     return this.productsService.update(id, body);
   }
 
+  @Roles('admin')
   @Delete(':id')
   remove(@Param('id', ParseIntPipe) id: number) {
     return this.productsService.remove(id);
   }
 
+  @Roles('admin')
   @Post(':id/restore')
   restore(@Param('id', ParseIntPipe) id: number) {
     return this.productsService.restore(id);
   }
 
+  @Roles('admin')
   @Post('reset-all')
   @HttpCode(200)
   resetAll() {
     return this.productsService.resetAll();
   }
 
+  @Roles('admin')
   @Post('bulk-update')
   @HttpCode(200)
   bulkUpdate(@Body() body: BulkUpdateProductsDto) {

backend/src/users/admin-bootstrap.service.ts

@@ -0,0 +1,54 @@
+import { Injectable, OnApplicationBootstrap, Logger } from '@nestjs/common';
+import * as bcrypt from 'bcryptjs';
+import { PrismaService } from '../prisma/prisma.service';
+
+type SeedUser = {
+  username: string;
+  email: string;
+  passwordEnvKey: string;
+  role: string;
+};
+
+const SEED_USERS: SeedUser[] = [
+  { username: 'Nadmin', email: 'nadmin@localhost', passwordEnvKey: 'ADMIN_NADMIN_PASSWORD', role: 'admin' },
+  { username: 'Padmin', email: 'padmin@localhost', passwordEnvKey: 'ADMIN_PADMIN_PASSWORD', role: 'admin' },
+  { username: 'user1',  email: 'user1@localhost',  passwordEnvKey: 'SEED_USER1_PASSWORD',   role: 'user' },
+  { username: 'user2',  email: 'user2@localhost',  passwordEnvKey: 'SEED_USER2_PASSWORD',   role: 'user' },
+];
+
+@Injectable()
+export class AdminBootstrapService implements OnApplicationBootstrap {
+  private readonly logger = new Logger(AdminBootstrapService.name);
+
+  constructor(private readonly prisma: PrismaService) {}
+
+  async onApplicationBootstrap() {
+    for (const seed of SEED_USERS) {
+      const password = process.env[seed.passwordEnvKey];
+      if (!password) {
+        this.logger.warn(`${seed.passwordEnvKey} not set — skipping ${seed.username}`);
+        continue;
+      }
+
+      const existing = await this.prisma.user.findUnique({ where: { username: seed.username } });
+
+      if (existing) {
+        if (existing.role !== seed.role) {
+          await this.prisma.user.update({ where: { id: existing.id }, data: { role: seed.role } });
+          this.logger.log(`Updated role for ${seed.username} → ${seed.role}`);
+        }
+      } else {
+        const passwordHash = await bcrypt.hash(password, 12);
+        await this.prisma.user.create({
+          data: {
+            username: seed.username,
+            email: seed.email,
+            passwordHash,
+            role: seed.role,
+          },
+        });
+        this.logger.log(`Created ${seed.role} user: ${seed.username}`);
+      }
+    }
+  }
+}

backend/src/users/users.controller.ts

@@ -1,7 +1,13 @@
-import { Controller, Get, Patch, Body } from '@nestjs/common';
-import { IsEmail, IsOptional, IsString, MaxLength } from 'class-validator';
+import { Controller, Get, Patch, Body, Param, ParseIntPipe, BadRequestException } from '@nestjs/common';
+import { IsEmail, IsIn, IsOptional, IsString, MaxLength } from 'class-validator';
 import { UsersService } from './users.service';
 import { CurrentUser } from '../auth/decorators/current-user.decorator';
+import { Roles } from '../auth/decorators/roles.decorator';
+
+class SetRoleDto {
+  @IsIn(['admin', 'user'])
+  role: string;
+}
 
 class UpdateProfileDto {
   @IsOptional()
@@ -32,6 +38,7 @@ export class UsersController {
       email: found?.email,
       firstName: found?.firstName,
       lastName: found?.lastName,
+      role: found?.role,
     };
   }
 
@@ -49,4 +56,22 @@ export class UsersController {
       lastName: updated.lastName,
     };
   }
+
+  @Roles('admin')
+  @Get()
+  listUsers() {
+    return this.usersService.findAll();
+  }
+
+  @Roles('admin')
+  @Patch(':id/role')
+  async setRole(
+    @Param('id', ParseIntPipe) id: number,
+    @CurrentUser() caller: { userId: number; username: string; role: string },
+    @Body() dto: SetRoleDto,
+  ) {
+    if (caller.userId === id) throw new BadRequestException('Du kan inte ändra din egen roll');
+    const updated = await this.usersService.setRole(id, dto.role);
+    return { id: updated.id, username: updated.username, role: updated.role };
+  }
 }

backend/src/users/users.module.ts

@@ -1,11 +1,12 @@
 import { Module } from '@nestjs/common';
 import { UsersService } from './users.service';
 import { UsersController } from './users.controller';
+import { AdminBootstrapService } from './admin-bootstrap.service';
 import { PrismaModule } from '../prisma/prisma.module';
 
 @Module({
   imports: [PrismaModule],
-  providers: [UsersService],
+  providers: [UsersService, AdminBootstrapService],
   controllers: [UsersController],
   exports: [UsersService],
 })

backend/src/users/users.service.ts

@@ -20,4 +20,15 @@ export class UsersService {
   updateProfile(id: number, data: { firstName?: string; lastName?: string; email?: string }) {
     return this.prisma.user.update({ where: { id }, data });
   }
+
+  findAll() {
+    return this.prisma.user.findMany({
+      select: { id: true, username: true, email: true, firstName: true, lastName: true, role: true, createdAt: true },
+      orderBy: { username: 'asc' },
+    });
+  }
+
+  setRole(id: number, role: string) {
+    return this.prisma.user.update({ where: { id }, data: { role } });
+  }
 }

frontend/app/Navigation.tsx

@@ -34,6 +34,9 @@ export default async function Navigation() {
       <Link href="/recipes" style={linkStyle}>📖 Recept</Link>
       <Link href="/baslager" style={linkStyle}>🏪 Baslager</Link>
       <Link href="/admin/products" style={linkStyle}>⚙️ Admin</Link>
+      {(session?.user as any)?.role === 'admin' && (
+        <Link href="/admin/users" style={linkStyle}>👥 Användare</Link>
+      )}
       <Link href="/import" style={linkStyle}>📥 Importera</Link>
       <Link href="/matplan" style={linkStyle}>📅 Matplan</Link>
       <span style={{ flex: 1 }} />

frontend/app/admin/users/UserAdminClient.tsx

@@ -0,0 +1,110 @@
+'use client';
+
+import { useState } from 'react';
+
+type User = {
+  id: number;
+  username: string;
+  email: string;
+  firstName: string | null;
+  lastName: string | null;
+  role: string;
+  createdAt: string;
+};
+
+type Props = {
+  users: User[];
+  currentUserId: string;
+};
+
+export default function UserAdminClient({ users: initial, currentUserId }: Props) {
+  const [users, setUsers] = useState(initial);
+  const [loading, setLoading] = useState<number | null>(null);
+  const [error, setError] = useState<string | null>(null);
+
+  async function toggleRole(user: User) {
+    const newRole = user.role === 'admin' ? 'user' : 'admin';
+    setLoading(user.id);
+    setError(null);
+    try {
+      const res = await fetch(`/api/admin-users/${user.id}`, {
+        method: 'PATCH',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({ role: newRole }),
+      });
+      if (!res.ok) {
+        const body = await res.json().catch(() => ({}));
+        throw new Error(body.message ?? 'Okänt fel');
+      }
+      const updated: User = await res.json();
+      setUsers((prev) => prev.map((u) => (u.id === updated.id ? { ...u, role: updated.role } : u)));
+    } catch (e: any) {
+      setError(e.message);
+    } finally {
+      setLoading(null);
+    }
+  }
+
+  return (
+    <>
+      {error && (
+        <div className="mb-4 p-3 bg-red-100 text-red-800 rounded">{error}</div>
+      )}
+      <table className="w-full border-collapse text-sm">
+        <thead>
+          <tr className="bg-gray-100 text-left">
+            <th className="p-2 border">Användarnamn</th>
+            <th className="p-2 border">E-post</th>
+            <th className="p-2 border">Namn</th>
+            <th className="p-2 border">Roll</th>
+            <th className="p-2 border">Skapad</th>
+            <th className="p-2 border">Åtgärd</th>
+          </tr>
+        </thead>
+        <tbody>
+          {users.map((user) => {
+            const isSelf = String(user.id) === currentUserId;
+            return (
+              <tr key={user.id} className="hover:bg-gray-50">
+                <td className="p-2 border font-medium">{user.username}</td>
+                <td className="p-2 border">{user.email}</td>
+                <td className="p-2 border">
+                  {[user.firstName, user.lastName].filter(Boolean).join(' ') || '—'}
+                </td>
+                <td className="p-2 border">
+                  <span
+                    className={`px-2 py-0.5 rounded text-xs font-semibold ${
+                      user.role === 'admin' ? 'bg-purple-100 text-purple-800' : 'bg-gray-100 text-gray-700'
+                    }`}
+                  >
+                    {user.role}
+                  </span>
+                </td>
+                <td className="p-2 border text-gray-500">
+                  {new Date(user.createdAt).toLocaleDateString('sv-SE')}
+                </td>
+                <td className="p-2 border">
+                  {isSelf ? (
+                    <span className="text-gray-400 text-xs">Du själv</span>
+                  ) : (
+                    <button
+                      onClick={() => toggleRole(user)}
+                      disabled={loading === user.id}
+                      className="px-3 py-1 text-xs rounded bg-blue-600 text-white hover:bg-blue-700 disabled:opacity-50"
+                    >
+                      {loading === user.id
+                        ? 'Sparar…'
+                        : user.role === 'admin'
+                        ? 'Sätt som user'
+                        : 'Sätt som admin'}
+                    </button>
+                  )}
+                </td>
+              </tr>
+            );
+          })}
+        </tbody>
+      </table>
+    </>
+  );
+}

frontend/app/admin/users/page.tsx

@@ -0,0 +1,30 @@
+import { auth } from '../../../../auth';
+import { redirect } from 'next/navigation';
+import { fetchJson } from '../../../lib/api';
+import UserAdminClient from './UserAdminClient';
+
+type User = {
+  id: number;
+  username: string;
+  email: string;
+  firstName: string | null;
+  lastName: string | null;
+  role: string;
+  createdAt: string;
+};
+
+export default async function AdminUsersPage() {
+  const session = await auth();
+  if (!session || (session.user as any)?.role !== 'admin') {
+    redirect('/');
+  }
+
+  const users = await fetchJson<User[]>('/api/users');
+
+  return (
+    <main className="p-6 max-w-4xl mx-auto">
+      <h1 className="text-2xl font-bold mb-6">Användarhantering</h1>
+      <UserAdminClient users={users} currentUserId={session.user.id} />
+    </main>
+  );
+}

frontend/app/api/admin-users/[id]/route.ts

@@ -0,0 +1,27 @@
+import { NextRequest, NextResponse } from 'next/server';
+import { auth } from '../../../../../auth';
+
+const API_BASE =
+  process.env.NEXT_PUBLIC_API_URL_INTERNAL ?? 'http://recipe-api:8080';
+
+export async function PATCH(
+  request: NextRequest,
+  { params }: { params: { id: string } },
+) {
+  const session = await auth();
+  if (!session || (session.user as any)?.role !== 'admin') {
+    return NextResponse.json({ message: 'Förbjuden' }, { status: 403 });
+  }
+
+  const body = await request.json();
+  const res = await fetch(`${API_BASE}/api/users/${params.id}/role`, {
+    method: 'PATCH',
+    headers: {
+      'Content-Type': 'application/json',
+      Authorization: `Bearer ${session.accessToken}`,
+    },
+    body: JSON.stringify(body),
+  });
+  const data = await res.json();
+  return NextResponse.json(data, { status: res.status });
+}

frontend/app/api/admin-users/route.ts

@@ -0,0 +1,19 @@
+import { NextResponse } from 'next/server';
+import { auth } from '../../../../auth';
+
+const API_BASE =
+  process.env.NEXT_PUBLIC_API_URL_INTERNAL ?? 'http://recipe-api:8080';
+
+export async function GET() {
+  const session = await auth();
+  if (!session || (session.user as any)?.role !== 'admin') {
+    return NextResponse.json({ message: 'Förbjuden' }, { status: 403 });
+  }
+
+  const res = await fetch(`${API_BASE}/api/users`, {
+    headers: { Authorization: `Bearer ${session.accessToken}` },
+    cache: 'no-store',
+  });
+  const data = await res.json();
+  return NextResponse.json(data, { status: res.status });
+}

frontend/auth.ts

@@ -22,11 +22,12 @@ export const { handlers, auth, signIn, signOut } = NextAuth({
             }),
           });
           if (!res.ok) return null;
-          const data = await res.json() as { accessToken: string; userId: number; username: string };
+          const data = await res.json() as { accessToken: string; userId: number; username: string; role: string };
           return {
             id: String(data.userId),
             name: data.username,
             accessToken: data.accessToken,
+            role: data.role,
           };
         } catch {
           return null;
@@ -40,6 +41,7 @@ export const { handlers, auth, signIn, signOut } = NextAuth({
         token.accessToken = (user as any).accessToken as string;
         token.userId = Number(user.id);
         token.username = user.name ?? '';
+        token.role = (user as any).role as string;
       }
       return token;
     },
@@ -47,6 +49,7 @@ export const { handlers, auth, signIn, signOut } = NextAuth({
       session.accessToken = token.accessToken as string;
       session.user.id = String(token.userId);
       session.user.name = token.username as string;
+      (session.user as any).role = token.role as string;
       return session;
     },
   },

frontend/middleware.ts

@@ -17,6 +17,14 @@ export default auth((req) => {
     return NextResponse.redirect(loginUrl);
   }
 
+  // Admin-sidor kräver admin-roll
+  if (pathname.startsWith('/admin')) {
+    const role = (req.auth.user as any)?.role;
+    if (role !== 'admin') {
+      return NextResponse.redirect(new URL('/', req.url));
+    }
+  }
+
   return NextResponse.next();
 });
 

frontend/types/next-auth.d.ts

@@ -6,6 +6,7 @@ declare module 'next-auth' {
     user: {
       id: string;
       name: string;
+      role: string;
     } & DefaultSession['user'];
   }
 }