Add paginated users/roles, user status, frontend permissions, profile pictures, identifier file storage

- Users page: paginated, searchable, sortable with inline roles (no N+1)
- Roles page: paginated, searchable, sortable + /roles/all for dropdowns
- User is_active field with migration, PATCH toggle, auth check (disabled=401)
- Frontend permission checks: auth store loads permissions, sidebar/buttons conditional
- Profile pictures via file storage for users and members, avatar component
- Identifier images use file storage API instead of base64
- Fix TypeScript errors across admin UI
- 64 API tests passing (10 new)

packages/backend/src/routes/v1/accounts.ts

@@ -124,6 +124,7 @@ export const accountRoutes: FastifyPluginAsync = async (app) => {
       if (!member) return reply.status(404).send({ error: { message: 'Member not found', statusCode: 404 } })
       const account = await AccountService.create(app.db, request.companyId, {
         name: `${member.firstName} ${member.lastName}`,
+        billingMode: 'consolidated',
       })
       targetAccountId = account.id
     }
@@ -148,8 +149,9 @@ export const accountRoutes: FastifyPluginAsync = async (app) => {
 
   app.get('/members/:memberId/identifiers', { preHandler: [app.authenticate, app.requirePermission('accounts.view')] }, async (request, reply) => {
     const { memberId } = request.params as { memberId: string }
-    const identifiers = await MemberIdentifierService.listByMember(app.db, request.companyId, memberId)
-    return reply.send({ data: identifiers })
+    const params = PaginationSchema.parse(request.query)
+    const result = await MemberIdentifierService.listByMember(app.db, request.companyId, memberId, params)
+    return reply.send(result)
   })
 
   app.patch('/identifiers/:id', { preHandler: [app.authenticate, app.requirePermission('accounts.edit')] }, async (request, reply) => {
@@ -191,8 +193,9 @@ export const accountRoutes: FastifyPluginAsync = async (app) => {
 
   app.get('/accounts/:accountId/processor-links', { preHandler: [app.authenticate, app.requirePermission('accounts.view')] }, async (request, reply) => {
     const { accountId } = request.params as { accountId: string }
-    const links = await ProcessorLinkService.listByAccount(app.db, request.companyId, accountId)
-    return reply.send({ data: links })
+    const params = PaginationSchema.parse(request.query)
+    const result = await ProcessorLinkService.listByAccount(app.db, request.companyId, accountId, params)
+    return reply.send(result)
   })
 
   app.patch('/processor-links/:id', { preHandler: [app.authenticate, app.requirePermission('accounts.edit')] }, async (request, reply) => {
@@ -227,8 +230,9 @@ export const accountRoutes: FastifyPluginAsync = async (app) => {
 
   app.get('/accounts/:accountId/payment-methods', { preHandler: [app.authenticate, app.requirePermission('accounts.view')] }, async (request, reply) => {
     const { accountId } = request.params as { accountId: string }
-    const methods = await PaymentMethodService.listByAccount(app.db, request.companyId, accountId)
-    return reply.send({ data: methods })
+    const params = PaginationSchema.parse(request.query)
+    const result = await PaymentMethodService.listByAccount(app.db, request.companyId, accountId, params)
+    return reply.send(result)
   })
 
   app.get('/payment-methods/:id', { preHandler: [app.authenticate, app.requirePermission('accounts.view')] }, async (request, reply) => {
@@ -270,8 +274,9 @@ export const accountRoutes: FastifyPluginAsync = async (app) => {
 
   app.get('/accounts/:accountId/tax-exemptions', { preHandler: [app.authenticate, app.requirePermission('accounts.view')] }, async (request, reply) => {
     const { accountId } = request.params as { accountId: string }
-    const exemptions = await TaxExemptionService.listByAccount(app.db, request.companyId, accountId)
-    return reply.send({ data: exemptions })
+    const params = PaginationSchema.parse(request.query)
+    const result = await TaxExemptionService.listByAccount(app.db, request.companyId, accountId, params)
+    return reply.send(result)
   })
 
   app.get('/tax-exemptions/:id', { preHandler: [app.authenticate, app.requirePermission('accounts.view')] }, async (request, reply) => {

packages/backend/src/routes/v1/auth.ts

@@ -176,7 +176,7 @@ export const authRoutes: FastifyPluginAsync = async (app) => {
     if (!user) return reply.status(404).send({ error: { message: 'User not found', statusCode: 404 } })
 
     // Generate a signed reset token that expires in 1 hour
-    const resetToken = app.jwt.sign({ userId: user.id, purpose: 'password-reset' }, { expiresIn: '1h' })
+    const resetToken = app.jwt.sign({ userId: user.id, purpose: 'password-reset' } as any, { expiresIn: '1h' })
     const resetLink = `${process.env.APP_URL ?? 'http://localhost:5173'}/reset-password?token=${resetToken}`
 
     request.log.info({ userId, generatedBy: request.user.id }, 'Password reset link generated')

packages/backend/src/routes/v1/files.ts

@@ -42,7 +42,7 @@ export const fileRoutes: FastifyPluginAsync = async (app) => {
     }
 
     // Validate entityType is a known type
-    const allowedEntityTypes = ['member', 'member_identifier', 'product', 'rental_agreement', 'repair_ticket']
+    const allowedEntityTypes = ['user', 'member', 'member_identifier', 'product', 'rental_agreement', 'repair_ticket']
     if (!allowedEntityTypes.includes(entityType)) {
       throw new ValidationError(`Invalid entityType: ${entityType}`)
     }

packages/backend/src/routes/v1/rbac.ts

@@ -1,28 +1,110 @@
 import type { FastifyPluginAsync } from 'fastify'
-import { eq, and } from 'drizzle-orm'
+import { eq, and, count, sql, type Column } from 'drizzle-orm'
+import { PaginationSchema } from '@forte/shared/schemas'
 import { RbacService } from '../../services/rbac.service.js'
 import { ValidationError } from '../../lib/errors.js'
 import { users } from '../../db/schema/users.js'
+import { roles, userRoles } from '../../db/schema/rbac.js'
+import { withPagination, withSort, buildSearchCondition, paginatedResponse } from '../../utils/pagination.js'
 
 export const rbacRoutes: FastifyPluginAsync = async (app) => {
   // --- Users list ---
 
   app.get('/users', { preHandler: [app.authenticate, app.requirePermission('users.view')] }, async (request, reply) => {
-    const allUsers = await app.db
+    const params = PaginationSchema.parse(request.query)
+    const baseWhere = eq(users.companyId, request.companyId)
+
+    const searchCondition = params.q
+      ? buildSearchCondition(params.q, [users.firstName, users.lastName, users.email])
+      : undefined
+
+    const where = searchCondition ? and(baseWhere, searchCondition) : baseWhere
+
+    const sortableColumns: Record<string, Column> = {
+      name: users.lastName,
+      email: users.email,
+      created_at: users.createdAt,
+    }
+
+    let query = app.db
       .select({
         id: users.id,
         email: users.email,
         firstName: users.firstName,
         lastName: users.lastName,
         role: users.role,
+        isActive: users.isActive,
         createdAt: users.createdAt,
       })
       .from(users)
-      .where(eq(users.companyId, request.companyId))
-      .orderBy(users.lastName)
+      .where(where)
+      .$dynamic()
 
-    return reply.send({ data: allUsers })
+    query = withSort(query, params.sort, params.order, sortableColumns, users.lastName)
+    query = withPagination(query, params.page, params.limit)
+
+    const [data, [{ total }]] = await Promise.all([
+      query,
+      app.db.select({ total: count() }).from(users).where(where),
+    ])
+
+    // Attach roles to each user
+    const userIds = data.map((u) => u.id)
+    const roleAssignments = userIds.length > 0
+      ? await app.db
+          .select({
+            userId: userRoles.userId,
+            roleId: roles.id,
+            roleName: roles.name,
+            roleSlug: roles.slug,
+            isSystem: roles.isSystem,
+          })
+          .from(userRoles)
+          .innerJoin(roles, eq(userRoles.roleId, roles.id))
+          .where(sql`${userRoles.userId} IN ${userIds}`)
+      : []
+
+    const rolesByUser = new Map<string, { id: string; name: string; slug: string; isSystem: boolean }[]>()
+    for (const ra of roleAssignments) {
+      const list = rolesByUser.get(ra.userId) ?? []
+      list.push({ id: ra.roleId, name: ra.roleName, slug: ra.roleSlug, isSystem: ra.isSystem })
+      rolesByUser.set(ra.userId, list)
+    }
+
+    const usersWithRoles = data.map((u) => ({
+      ...u,
+      roles: rolesByUser.get(u.id) ?? [],
+    }))
+
+    return reply.send(paginatedResponse(usersWithRoles, total, params.page, params.limit))
   })
+  // --- User status ---
+
+  app.patch('/users/:userId/status', { preHandler: [app.authenticate, app.requirePermission('users.admin')] }, async (request, reply) => {
+    const { userId } = request.params as { userId: string }
+    const { isActive } = request.body as { isActive?: boolean }
+
+    if (typeof isActive !== 'boolean') {
+      throw new ValidationError('isActive (boolean) is required')
+    }
+
+    // Prevent disabling yourself
+    if (userId === request.user.id) {
+      throw new ValidationError('Cannot change your own account status')
+    }
+
+    const [updated] = await app.db
+      .update(users)
+      .set({ isActive, updatedAt: new Date() })
+      .where(and(eq(users.id, userId), eq(users.companyId, request.companyId)))
+      .returning({ id: users.id, isActive: users.isActive })
+
+    if (!updated) return reply.status(404).send({ error: { message: 'User not found', statusCode: 404 } })
+
+    request.log.info({ userId, isActive, changedBy: request.user.id }, 'User status changed')
+    return reply.send(updated)
+  })
+
   // --- Permissions ---
 
   app.get('/permissions', { preHandler: [app.authenticate, app.requirePermission('users.view')] }, async (request, reply) => {
@@ -33,7 +115,18 @@ export const rbacRoutes: FastifyPluginAsync = async (app) => {
   // --- Roles ---
 
   app.get('/roles', { preHandler: [app.authenticate, app.requirePermission('users.view')] }, async (request, reply) => {
-    const data = await RbacService.listRoles(app.db, request.companyId)
+    const params = PaginationSchema.parse(request.query)
+    const result = await RbacService.listRoles(app.db, request.companyId, params)
+    return reply.send(result)
+  })
+
+  // Unpaginated list for dropdowns/selectors
+  app.get('/roles/all', { preHandler: [app.authenticate, app.requirePermission('users.view')] }, async (request, reply) => {
+    const data = await app.db
+      .select()
+      .from(roles)
+      .where(and(eq(roles.companyId, request.companyId), eq(roles.isActive, true)))
+      .orderBy(roles.name)
     return reply.send({ data })
   })