Users

Internal system users who log in and interact with Renewa One. Every user is backed by a contact record for personal information. Users authenticate via Authentication and are authorized via RBAC Authorization.

Source Files

Layer	Path
Schema	backend/src/db/schema.ts (line ~496)
Routes	backend/src/routes/users.ts
Auth Service	backend/src/services/auth-service.ts
Profile Page	frontend/src/pages/Profile.tsx
Profile Sections	frontend/src/pages/ProfilePersonalInfoSection.tsx, ProfilePasswordSection.tsx, ProfileTwoFactorSection.tsx, ProfileResponsibilitySection.tsx, ProfileDeleteAccountSection.tsx
Admin	frontend/src/pages/admin/UsersAdmin.tsx
Auth Store	frontend/src/store/auth.ts (Zustand)

Database Tables

Table	Purpose
users	Main entity — email, type, role, auth fields, contact link
sessions	JWT session tokens with rotation and expiry
user_skills	M2M linking users to skills with levels
user_departments	M2M linking users to Departments (with isPrimary flag)

Key Fields

Field	Type	Notes
email	varchar(255)	Login email (unique, required)
passwordHash	text	Argon2id hash via Bun.password.hash()
userType	enum	internal or external
internalRole	enum	admin or employee (only for internal users)
contactId	uuid FK	Mandatory link to Contacts for personal info
avatarUrl	varchar	Profile picture URL
language	varchar(2)	UI language preference (de/en)
isActive	boolean	Account active flag
entraId	varchar	Microsoft Entra ID for SSO
authProvider	enum	local or Entra ID
twoFactorSecret	text	TOTP secret (encrypted)
twoFactorEnabled	boolean	Whether 2FA is active

User Types

Type	Internal Role	Description
internal	admin	Full system access, user management
internal	employee	Standard internal user
external	—	Craftsmen, partners, external collaborators

Relationships

User *──1 Contact (personal info source of truth)
User *──* Departments (via user_departments)
User *──* Skills (via user_skills)
User 1──* Sessions
User 1──* Buildings (creator)
User 1──* Projects (creator)

Authentication Flow

1. Login with email/password (argon2id verification via Bun.password)
2. Optional 2FA via TOTP (twoFactorSecret + authenticator app)
3. JWT access token + refresh token stored in sessions table
4. Session rotation with previous-token grace period
5. SSO option via Microsoft Entra ID (authProvider: 'entra')

See Authentication for full details.

Frontend State

• Zustand store at frontend/src/store/auth.ts manages current user, token, and auth state
• Profile page with five sections: personal info, password, 2FA, responsibility areas, account deletion
• Admin panel at UsersAdmin.tsx for user management (restricted to admins and team leads)

Features

• Hybrid RBAC — user type + internal role + per-resource roles (RBAC Authorization)
• 2FA support — TOTP-based two-factor authentication
• Department membership — users belong to Departments with primary department flag
• Skill tracking — user competencies via skills and levels
• Session management — JWT with refresh rotation and grace periods

Related Pages

Authentication | RBAC Authorization | Contacts | Departments | Admin Dashboard | Database Architecture | Service Layer Pattern