added password hashing and validation to createUser + fix service bugs #54

Merged: sandaliSS merged 8 commits into master from sneha/user-management-validation on May 18, 2026

@snehagopalappa (Collaborator)

Summary:

Improved the POST /users endpoint by adding password hashing and validation to createUser, and fixed several bugs identified during review.

Changes:

  1. src/modules/user-management/userManagement.service.ts
  • Added optional password field to CreateUserInput type
  • Added password complexity validation (min 8, max 72 chars, uppercase, number, special character)
  • Added email length validation (max 300 chars)
  • Added hashPassword from lib/bcrypt to hash password before saving
  • Fixed updateUser - stripped projectIds from update payload before passing to Prisma (field doesn't exist on users table)
  2. prisma/schema.prisma
  • Added prismaSchemaFolder so Prisma correctly picks up all model files from prisma/models/
  3. tests/unit/userManagement.test.ts
  • Added 4 tests for deleteUser - success case, not found, invalid ID, blocked by linked scan
  • Added 2 RBAC tests for getUsers - INSPECTOR and FARMER correctly blocked
  • Added 7 password validation tests for createUser
  4. tests/integration/userManagement.test.ts
  • Rewrote integration tests: 32 tests covering all 5 endpoints with full RBAC, validation, and error case coverage
  5. tsconfig.test.json + jest.config.js
  • Fixed outdated Jest config (deprecated globals syntax)
  • Added tsconfig.test.json to fix IDE TypeScript errors on test files

Test Results

17 unit tests - all passing
32 integration tests - all passing:
  • GET /users - 7 tests
  • GET /users/:id - 6 tests
  • POST /users - 8 tests
  • PUT /users/:id - 5 tests
  • DELETE /users/:id - 6 tests

Notes

updateUser password hashing is a known gap - flagged for follow-up PR


@AKV2703 (Collaborator) left a comment

Approving this for now due to time constraints. The overall structure and implementation are solid, and the password hashing/validation improvements are a good addition. One important concern is the Prisma configuration change introducing previewFeatures = ["prismaSchemaFolder"], since this affects the global Prisma client generation setup and should only remain if the project is intentionally moving toward split Prisma schema management. A few other areas should also be documented for future hardening work, including consistent email normalization during duplicate checks, handling password updates safely within updateUser(), and reviewing whether deleteUser() should validate additional relational dependencies beyond treeScan references. These are not blockers for now, but they should be tracked and revisited later.
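
The createUser rules listed in the PR description (8 to 72 characters, uppercase, number, special character; email up to 300 characters) together with the email normalization raised in the review above, as an added TypeScript example that is not the PR's own code. It checks the upper bound in UTF-8 bytes because bcrypt uses only the first 72 bytes of its input; the error codes, the definition of a special character, and trim-plus-lowercase normalization are assumptions.

```typescript
// Added example; not the code in userManagement.service.ts.
// Limits come from the PR description; error codes and regexes are assumptions.
const MIN_PASSWORD_CHARS = 8;
const MAX_PASSWORD_BYTES = 72; // bcrypt uses only the first 72 bytes of input
const MAX_EMAIL_CHARS = 300;

// UTF-8 byte length, computed by hand so no Buffer/TextEncoder typings are needed.
function utf8ByteLength(s: string): number {
  let bytes = 0;
  for (let i = 0; i < s.length; i++) {
    const c = s.charCodeAt(i);
    if (c < 0x80) bytes += 1;
    else if (c < 0x800) bytes += 2;
    else if (c >= 0xd800 && c <= 0xdbff && i + 1 < s.length) {
      bytes += 4; // surrogate pair: one code point, four bytes
      i++;
    } else bytes += 3;
  }
  return bytes;
}

// Returns every rule the password breaks; an empty array means it passes.
function validatePassword(password: string): string[] {
  const errors: string[] = [];
  if (password.length < MIN_PASSWORD_CHARS) errors.push("too_short");
  if (utf8ByteLength(password) > MAX_PASSWORD_BYTES) errors.push("too_long");
  if (!/[A-Z]/.test(password)) errors.push("no_uppercase");
  if (!/[0-9]/.test(password)) errors.push("no_number");
  if (!/[^A-Za-z0-9]/.test(password)) errors.push("no_special");
  return errors;
}

// One canonical form for both the stored value and the duplicate lookup,
// so "Alice@Example.com" and "alice@example.com " cannot both be created.
function normalizeEmail(email: string): string {
  return email.trim().toLowerCase();
}

function validateEmail(email: string): string[] {
  return normalizeEmail(email).length > MAX_EMAIL_CHARS ? ["email_too_long"] : [];
}

// Constructed sample: 39 characters, but 74 bytes once encoded as UTF-8.
const MULTIBYTE_SAMPLE = "Aa1!" + new Array(36).join("\u00e9");
```

A length check that counts characters would accept MULTIBYTE_SAMPLE even though its last two bytes would not take part in the hash.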

@sandaliSS (Collaborator) left a comment

approved

@sandaliSS merged commit ea7e82b into master on May 18, 2026. 1 check passed.