[SSF-211] promote volunteer to admin

apps/backend/src/auth/auth.service.ts

@@ -8,6 +8,11 @@ import {
   AdminCreateUserCommand,
 } from '@aws-sdk/client-cognito-identity-provider';
 
+import {
+  AdminAddUserToGroupCommand,
+  AdminRemoveUserFromGroupCommand,
+} from '@aws-sdk/client-cognito-identity-provider';
+
 import CognitoAuthConfig from './aws-exports';
 import { SignUpDto } from './dtos/sign-up.dto';
 import { createHmac } from 'crypto';
@@ -70,4 +75,39 @@ export class AuthService {
       }
     }
   }
+
+  async addUserToGroup(username: string, groupName: string): Promise<void> {
+    const command = new AdminAddUserToGroupCommand({
+      UserPoolId: CognitoAuthConfig.userPoolId,
+      Username: username,
+      GroupName: groupName,
+    });
+
+    try {
+      await this.providerClient.send(command);
+    } catch (error) {
+      throw new InternalServerErrorException(
+        `Failed to add user to group ${groupName}`,
+      );
+    }
+  }
+
+  async removeUserFromGroup(
+    username: string,
+    groupName: string,
+  ): Promise<void> {
+    const command = new AdminRemoveUserFromGroupCommand({
+      UserPoolId: CognitoAuthConfig.userPoolId,
+      Username: username,
+      GroupName: groupName,
+    });
+
+    try {
+      await this.providerClient.send(command);
+    } catch (error) {
+      throw new InternalServerErrorException(
+        `Failed to remove user from group ${groupName}`,
+      );
+    }
+  }
 }

apps/backend/src/pantries/pantries.service.spec.ts

@@ -1,7 +1,7 @@
 import { Test, TestingModule } from '@nestjs/testing';
 import { PantriesService } from './pantries.service';
 import { getRepositoryToken } from '@nestjs/typeorm';
-import { In } from 'typeorm';
+import { DataSource, In } from 'typeorm';
 import { Pantry } from './pantries.entity';
 import {
   BadRequestException,
@@ -145,6 +145,10 @@ describe('PantriesService', () => {
           provide: getRepositoryToken(FoodManufacturer),
           useValue: testDataSource.getRepository(FoodManufacturer),
         },
+        {
+          provide: DataSource,
+          useValue: testDataSource,
+        },
       ],
     }).compile();
 

apps/backend/src/users/dtos/update-user-role.dto.ts

@@ -0,0 +1,8 @@
+import { IsEnum, IsNotEmpty } from 'class-validator';
+import { Role } from '../types';
+
+export class UpdateUserRoleDto {
+  @IsEnum(Role)
+  @IsNotEmpty()
+  role!: Role;
+}

apps/backend/src/users/users.controller.spec.ts

@@ -6,7 +6,8 @@ import { userSchemaDto } from './dtos/userSchema.dto';
 import { Test, TestingModule } from '@nestjs/testing';
 import { mock } from 'jest-mock-extended';
 import { UpdateUserInfoDto } from './dtos/update-user-info.dto';
-import { BadRequestException } from '@nestjs/common';
+import { UpdateUserRoleDto } from './dtos/update-user-role.dto';
+import { BadRequestException, NotFoundException } from '@nestjs/common';
 import { AuthenticatedRequest } from '../auth/authenticated-request';
 
 const mockUserService = mock<UsersService>();
@@ -31,6 +32,7 @@ describe('UsersController', () => {
     mockUserService.create.mockReset();
     mockUserService.getUserDashboardStats.mockReset();
     mockUserService.getRecentPendingApplications.mockReset();
+    mockUserService.promoteVolunteerToAdmin.mockReset();
 
     const module: TestingModule = await Test.createTestingModule({
       controllers: [UsersController],
@@ -211,4 +213,71 @@ describe('UsersController', () => {
       expect(result).toEqual([]);
     });
   });
+
+  describe('PATCH /:id/role', () => {
+    it('should promote volunteer to admin successfully', async () => {
+      const promotedUser: Partial<User> = {
+        ...mockUser1,
+        role: Role.ADMIN,
+      };
+
+      const dto: UpdateUserRoleDto = { role: Role.ADMIN };
+
+      mockUserService.promoteVolunteerToAdmin.mockResolvedValueOnce(
+        promotedUser as User,
+      );
+
+      const result = await controller.promoteToAdmin(1, dto);
+
+      expect(result).toEqual(promotedUser);
+      expect(result.role).toBe(Role.ADMIN);
+      expect(mockUserService.promoteVolunteerToAdmin).toHaveBeenCalledWith(1);
+    });
+
+    it('should throw BadRequestException when role is not admin', async () => {
+      const dto: UpdateUserRoleDto = { role: Role.VOLUNTEER };
+
+      await expect(controller.promoteToAdmin(1, dto)).rejects.toThrow(
+        new BadRequestException('Only promotion to admin is supported'),
+      );
+
+      expect(mockUserService.promoteVolunteerToAdmin).not.toHaveBeenCalled();
+    });
+
+    it('should throw BadRequestException when role is pantry', async () => {
+      const dto: UpdateUserRoleDto = { role: Role.PANTRY };
+
+      await expect(controller.promoteToAdmin(1, dto)).rejects.toThrow(
+        new BadRequestException('Only promotion to admin is supported'),
+      );
+
+      expect(mockUserService.promoteVolunteerToAdmin).not.toHaveBeenCalled();
+    });
+
+    it('should throw NotFoundException from service when user not found', async () => {
+      const dto: UpdateUserRoleDto = { role: Role.ADMIN };
+
+      mockUserService.promoteVolunteerToAdmin.mockRejectedValueOnce(
+        new NotFoundException('User 999 not found'),
+      );
+
+      await expect(controller.promoteToAdmin(999, dto)).rejects.toThrow(
+        new NotFoundException('User 999 not found'),
+      );
+    });
+
+    it('should throw BadRequestException from service when user is not a volunteer', async () => {
+      const dto: UpdateUserRoleDto = { role: Role.ADMIN };
+
+      mockUserService.promoteVolunteerToAdmin.mockRejectedValueOnce(
+        new BadRequestException(
+          'User 1 is not a volunteer. Current role: admin',
+        ),
+      );
+
+      await expect(controller.promoteToAdmin(1, dto)).rejects.toThrow(
+        BadRequestException,
+      );
+    });
+  });
 });

apps/backend/src/users/users.controller.ts

@@ -1,4 +1,5 @@
 import {
+  BadRequestException,
   Controller,
   Delete,
   Get,
@@ -14,6 +15,7 @@ import { UsersService } from './users.service';
 import { User } from './users.entity';
 import { userSchemaDto } from './dtos/userSchema.dto';
 import { UpdateUserInfoDto } from './dtos/update-user-info.dto';
+import { UpdateUserRoleDto } from './dtos/update-user-role.dto';
 import { PendingApplication, Role } from './types';
 import { AuthenticatedRequest } from '../auth/authenticated-request';
 import { JwtAuthGuard } from '../auth/jwt-auth.guard';
@@ -53,6 +55,18 @@ export class UsersController {
     return this.usersService.update(id, dto);
   }
 
+  @Patch('/:id/role')
+  @Roles(Role.ADMIN)
+  async promoteToAdmin(
+    @Param('id', ParseIntPipe) id: number,
+    @Body() dto: UpdateUserRoleDto,
+  ): Promise<User> {
+    if (dto.role !== Role.ADMIN) {
+      throw new BadRequestException('Only promotion to admin is supported');
+    }
+    return this.usersService.promoteVolunteerToAdmin(id);
+  }
+
   // Keeping these two as functionality seems useful
   @Post('/')
   async createUser(@Body() createUserDto: userSchemaDto): Promise<User> {

apps/backend/src/users/users.service.spec.ts

@@ -37,6 +37,8 @@ jest.setTimeout(60000);
 
 const mockAuthService = {
   adminCreateUser: jest.fn().mockResolvedValue('mock-sub'),
+  addUserToGroup: jest.fn().mockResolvedValue(undefined),
+  removeUserFromGroup: jest.fn().mockResolvedValue(undefined),
 };
 const mockEmailsService = mock<EmailsService>();
 
@@ -125,6 +127,8 @@ describe('UsersService', () => {
 
   beforeEach(async () => {
     mockAuthService.adminCreateUser.mockClear();
+    mockAuthService.addUserToGroup.mockClear();
+    mockAuthService.removeUserFromGroup.mockClear();
     mockEmailsService.sendEmails.mockClear();
     await testDataSource.runMigrations();
   });
@@ -730,4 +734,119 @@ describe('UsersService', () => {
       expect(types).toContain('food_manufacturer');
     });
   });
+
+  describe('promoteVolunteerToAdmin', () => {
+    it('should promote volunteer to admin successfully', async () => {
+      const volunteers = await testDataSource.getRepository(User).find({
+        where: { role: Role.VOLUNTEER },
+      });
+      expect(volunteers.length).toBeGreaterThan(0);
+      const volunteer = volunteers[0];
+
+      const result = await service.promoteVolunteerToAdmin(volunteer.id);
+
+      expect(result.role).toBe(Role.ADMIN);
+      expect(result.id).toBe(volunteer.id);
+    });
+
+    it('should clear volunteer pantry assignments after promotion', async () => {
+      const volunteer = await testDataSource.getRepository(User).findOne({
+        where: { role: Role.VOLUNTEER },
+        relations: ['pantries'],
+      });
+      expect(volunteer).toBeDefined();
+
+      await service.promoteVolunteerToAdmin(volunteer!.id);
+
+      const assignments = await testDataSource.query(
+        `SELECT * FROM volunteer_assignments WHERE volunteer_id = $1`,
+        [volunteer!.id],
+      );
+      expect(assignments).toHaveLength(0);
+    });
+
+    it('should call Cognito addUserToGroup and removeUserFromGroup', async () => {
+      const volunteer = await testDataSource.getRepository(User).findOne({
+        where: { role: Role.VOLUNTEER },
+      });
+      expect(volunteer).toBeDefined();
+
+      await service.promoteVolunteerToAdmin(volunteer!.id);
+
+      if (volunteer!.userCognitoSub) {
+        expect(mockAuthService.addUserToGroup).toHaveBeenCalledWith(
+          volunteer!.email,
+          'admin',
+        );
+        expect(mockAuthService.removeUserFromGroup).toHaveBeenCalledWith(
+          volunteer!.email,
+          'volunteer',
+        );
+      }
+    });
+
+    it('should throw NotFoundException when user does not exist', async () => {
+      await expect(service.promoteVolunteerToAdmin(99999)).rejects.toThrow(
+        NotFoundException,
+      );
+    });
+
+    it('should throw BadRequestException when user is already admin', async () => {
+      const admin = await testDataSource.getRepository(User).findOne({
+        where: { role: Role.ADMIN },
+      });
+      expect(admin).toBeDefined();
+
+      await expect(service.promoteVolunteerToAdmin(admin!.id)).rejects.toThrow(
+        BadRequestException,
+      );
+    });
+
+    it('should throw BadRequestException when user is pantry', async () => {
+      const pantryUser = await testDataSource.getRepository(User).findOne({
+        where: { role: Role.PANTRY },
+      });
+      expect(pantryUser).toBeDefined();
+
+      await expect(
+        service.promoteVolunteerToAdmin(pantryUser!.id),
+      ).rejects.toThrow(BadRequestException);
+    });
+
+    it('should throw BadRequestException when user is food manufacturer', async () => {
+      const fmUser = await testDataSource.getRepository(User).findOne({
+        where: { role: Role.FOODMANUFACTURER },
+      });
+      expect(fmUser).toBeDefined();
+
+      await expect(service.promoteVolunteerToAdmin(fmUser!.id)).rejects.toThrow(
+        BadRequestException,
+      );
+    });
+
+    it('should rollback if Cognito fails', async () => {
+      const userRepo = testDataSource.getRepository(User);
+      const volunteer = await userRepo.findOne({
+        where: { role: Role.VOLUNTEER },
+      });
+      expect(volunteer).toBeDefined();
+
+      // Set userCognitoSub so the Cognito code path is triggered
+      volunteer!.userCognitoSub = 'test-cognito-sub';
+      await userRepo.save(volunteer!);
+
+      mockAuthService.addUserToGroup.mockRejectedValueOnce(
+        new Error('Cognito error'),
+      );
+
+      await expect(
+        service.promoteVolunteerToAdmin(volunteer!.id),
+      ).rejects.toThrow(InternalServerErrorException);
+
+      const userAfter = await userRepo.findOne({
+        where: { id: volunteer!.id },
+      });
+      expect(userAfter!.role).toBe(Role.VOLUNTEER);
+    });
+  });
 });