academia/src/backend/Domain/Entities/User.cs

namespace Domain.Entities;

/// <summary>
/// Represents a system user for authentication and authorization.
/// </summary>
public class User
{
    public int Id { get; private set; }
    public string Username { get; private set; } = string.Empty;
    public string PasswordHash { get; private set; } = string.Empty;
    public string RecoveryCodeHash { get; private set; } = string.Empty;
    public string Role { get; private set; } = UserRoles.Student;
    public int? StudentId { get; private set; }
    public DateTime CreatedAt { get; private set; }
    public DateTime? LastLoginAt { get; private set; }

    // Navigation property
    public Student? Student { get; private set; }

    private User() { }

    public static User Create(string username, string passwordHash, string recoveryCodeHash, string role, int? studentId = null)
    {
        if (string.IsNullOrWhiteSpace(username))
            throw new ArgumentException("Username cannot be empty", nameof(username));

        if (string.IsNullOrWhiteSpace(passwordHash))
            throw new ArgumentException("Password hash cannot be empty", nameof(passwordHash));

        if (!UserRoles.IsValid(role))
            throw new ArgumentException($"Invalid role: {role}", nameof(role));

        return new User
        {
            Username = username.ToLowerInvariant(),
            PasswordHash = passwordHash,
            RecoveryCodeHash = recoveryCodeHash,
            Role = role,
            StudentId = studentId,
            CreatedAt = DateTime.UtcNow
        };
    }

    public void UpdatePassword(string newPasswordHash)
    {
        if (string.IsNullOrWhiteSpace(newPasswordHash))
            throw new ArgumentException("Password hash cannot be empty", nameof(newPasswordHash));
        PasswordHash = newPasswordHash;
    }

    public void UpdateLastLogin()
    {
        LastLoginAt = DateTime.UtcNow;
    }

    public bool IsAdmin => Role == UserRoles.Admin;
    public bool IsStudent => Role == UserRoles.Student;
}

/// <summary>
/// Constants for user roles.
/// </summary>
public static class UserRoles
{
    public const string Admin = "Admin";
    public const string Student = "Student";

    public static bool IsValid(string role) =>
        role == Admin || role == Student;
}
feat(backend): implement JWT authentication and authorization - Add User entity with roles (Admin, Student) - Create JWT service for token generation/validation - Create password service using PBKDF2 - Add login and register GraphQL mutations - Apply [Authorize] attributes to protected mutations - DeleteStudent requires Admin role - UpdateStudent/Enroll/Unenroll require owner or admin - Add admin user creation on startup Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-08 14:14:42 +00:00			`namespace Domain.Entities;`

			`/// <summary>`
			`/// Represents a system user for authentication and authorization.`
			`/// </summary>`
			`public class User`
			`{`
			`public int Id { get; private set; }`
			`public string Username { get; private set; } = string.Empty;`
			`public string PasswordHash { get; private set; } = string.Empty;`
feat: add CI/CD pipeline, password recovery, and QA improvements - Add Gitea Actions workflow for automated k3s deployment - Implement password recovery with recovery codes (no email needed) - Fix unenroll mutation (missing studentId parameter) - Fix dashboard handling for expired sessions - Add optimized Docker builds with caching - Add k3s all-in-one deployment manifest - Add QA test report and recommendations Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-08 15:49:32 +00:00			`public string RecoveryCodeHash { get; private set; } = string.Empty;`
feat(backend): implement JWT authentication and authorization - Add User entity with roles (Admin, Student) - Create JWT service for token generation/validation - Create password service using PBKDF2 - Add login and register GraphQL mutations - Apply [Authorize] attributes to protected mutations - DeleteStudent requires Admin role - UpdateStudent/Enroll/Unenroll require owner or admin - Add admin user creation on startup Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-08 14:14:42 +00:00			`public string Role { get; private set; } = UserRoles.Student;`
			`public int? StudentId { get; private set; }`
			`public DateTime CreatedAt { get; private set; }`
			`public DateTime? LastLoginAt { get; private set; }`

			`// Navigation property`
			`public Student? Student { get; private set; }`

			`private User() { }`

feat: add CI/CD pipeline, password recovery, and QA improvements - Add Gitea Actions workflow for automated k3s deployment - Implement password recovery with recovery codes (no email needed) - Fix unenroll mutation (missing studentId parameter) - Fix dashboard handling for expired sessions - Add optimized Docker builds with caching - Add k3s all-in-one deployment manifest - Add QA test report and recommendations Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-08 15:49:32 +00:00			`public static User Create(string username, string passwordHash, string recoveryCodeHash, string role, int? studentId = null)`
feat(backend): implement JWT authentication and authorization - Add User entity with roles (Admin, Student) - Create JWT service for token generation/validation - Create password service using PBKDF2 - Add login and register GraphQL mutations - Apply [Authorize] attributes to protected mutations - DeleteStudent requires Admin role - UpdateStudent/Enroll/Unenroll require owner or admin - Add admin user creation on startup Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-08 14:14:42 +00:00			`{`
			`if (string.IsNullOrWhiteSpace(username))`
			`throw new ArgumentException("Username cannot be empty", nameof(username));`

			`if (string.IsNullOrWhiteSpace(passwordHash))`
			`throw new ArgumentException("Password hash cannot be empty", nameof(passwordHash));`

			`if (!UserRoles.IsValid(role))`
			`throw new ArgumentException($"Invalid role: {role}", nameof(role));`

			`return new User`
			`{`
			`Username = username.ToLowerInvariant(),`
			`PasswordHash = passwordHash,`
feat: add CI/CD pipeline, password recovery, and QA improvements - Add Gitea Actions workflow for automated k3s deployment - Implement password recovery with recovery codes (no email needed) - Fix unenroll mutation (missing studentId parameter) - Fix dashboard handling for expired sessions - Add optimized Docker builds with caching - Add k3s all-in-one deployment manifest - Add QA test report and recommendations Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-08 15:49:32 +00:00			`RecoveryCodeHash = recoveryCodeHash,`
feat(backend): implement JWT authentication and authorization - Add User entity with roles (Admin, Student) - Create JWT service for token generation/validation - Create password service using PBKDF2 - Add login and register GraphQL mutations - Apply [Authorize] attributes to protected mutations - DeleteStudent requires Admin role - UpdateStudent/Enroll/Unenroll require owner or admin - Add admin user creation on startup Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-08 14:14:42 +00:00			`Role = role,`
			`StudentId = studentId,`
			`CreatedAt = DateTime.UtcNow`
			`};`
			`}`

feat: add CI/CD pipeline, password recovery, and QA improvements - Add Gitea Actions workflow for automated k3s deployment - Implement password recovery with recovery codes (no email needed) - Fix unenroll mutation (missing studentId parameter) - Fix dashboard handling for expired sessions - Add optimized Docker builds with caching - Add k3s all-in-one deployment manifest - Add QA test report and recommendations Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-08 15:49:32 +00:00			`public void UpdatePassword(string newPasswordHash)`
			`{`
			`if (string.IsNullOrWhiteSpace(newPasswordHash))`
			`throw new ArgumentException("Password hash cannot be empty", nameof(newPasswordHash));`
			`PasswordHash = newPasswordHash;`
			`}`

feat(backend): implement JWT authentication and authorization - Add User entity with roles (Admin, Student) - Create JWT service for token generation/validation - Create password service using PBKDF2 - Add login and register GraphQL mutations - Apply [Authorize] attributes to protected mutations - DeleteStudent requires Admin role - UpdateStudent/Enroll/Unenroll require owner or admin - Add admin user creation on startup Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> 2026-01-08 14:14:42 +00:00			`public void UpdateLastLogin()`
			`{`
			`LastLoginAt = DateTime.UtcNow;`
			`}`

			`public bool IsAdmin => Role == UserRoles.Admin;`
			`public bool IsStudent => Role == UserRoles.Student;`
			`}`

			`/// <summary>`
			`/// Constants for user roles.`
			`/// </summary>`
			`public static class UserRoles`
			`{`
			`public const string Admin = "Admin";`
			`public const string Student = "Student";`

			`public static bool IsValid(string role) =>`
			`role == Admin \|\| role == Student;`
			`}`