@acorex/platform 21.0.0-next.2 → 21.0.0-next.3

package/fesm2022/acorex-platform-auth.mjs

@@ -1,8 +1,8 @@
 import * as i0 from '@angular/core';
-import { InjectionToken, Injector, Injectable, signal, inject, Input, Directive, provideAppInitializer, Optional, Inject, NgModule, input, output, Component } from '@angular/core';
-import { of, map, BehaviorSubject, shareReplay, defaultIfEmpty, switchMap, filter, firstValueFrom, first } from 'rxjs';
-import { AXPBroadcastEventService } from '@acorex/platform/core';
+import { InjectionToken, Injector, Injectable, signal, inject, Input, Directive, provideAppInitializer, Optional, Inject, NgModule } from '@angular/core';
+import { AXPBroadcastEventService, AXP_MODULE_PROVIDER_LOADER, AXPModuleProviderRegistry, AXP_SESSION_SERVICE } from '@acorex/platform/core';
 import { isEmpty } from 'lodash-es';
+import { map, BehaviorSubject, shareReplay, defaultIfEmpty, switchMap, filter, from, first } from 'rxjs';
 
 const AXP_APPLICATION_LOADER = new InjectionToken('AXP_APPLICATION_LOADER', {
     providedIn: 'root',
@@ -11,25 +11,29 @@ const AXP_APPLICATION_LOADER = new InjectionToken('AXP_APPLICATION_LOADER', {
     },
 });
 class AXPApplicationDefaultLoader {
-    getList(context) {
-        return of([
+    async getList(context) {
+        return [
             {
                 id: '1',
                 name: 'default-app',
                 title: 'Default Application',
                 version: '1.0.0',
-                editionName: 'Standard',
-                features: [],
+                edition: {
+                    id: 'default-edition-1',
+                    title: 'Standard',
+                },
             },
             {
                 id: '2',
                 name: 'default-app',
                 title: 'Default Application',
                 version: '1.0.0',
-                editionName: 'Standard',
-                features: [],
+                edition: {
+                    id: 'default-edition-2',
+                    title: 'Standard',
+                },
             },
-        ]);
+        ];
     }
 }
 
@@ -40,14 +44,14 @@ const AXP_TENANT_LOADER = new InjectionToken('AXP_TENANT_LOADER', {
     },
 });
 class AXPTenantDefaultLoader {
-    getList(context) {
-        return of([
+    async getList(context) {
+        return [
             {
                 id: '1',
                 name: 'default-tenant',
                 title: 'Default Tenant',
             },
-        ]);
+        ];
     }
 }
 
@@ -85,8 +89,8 @@ const AXP_FEATURE_LOADER = new InjectionToken('AXP_FEATURE_LOADER', {
     },
 });
 class AXPFeatureDefaultLoader {
-    getList(context) {
-        return of([]);
+    async getList(context) {
+        return [];
     }
 }
 
@@ -173,6 +177,13 @@ const AXPFeatureGuard = (route, state) => {
     }));
 };
 
+/**
+ * Optional injection token for feature checker.
+ * If provided, the checker will be called to potentially override
+ * feature enablement results based on custom logic.
+ */
+const AXP_FEATURE_CHECKER = new InjectionToken('AXP_FEATURE_CHECKER');
+
 const AXP_PERMISSION_LOADER = new InjectionToken('AXP_PERMISSION_LOADER', {
     providedIn: 'root',
     factory: () => {
@@ -180,11 +191,18 @@ const AXP_PERMISSION_LOADER = new InjectionToken('AXP_PERMISSION_LOADER', {
     }
 });
 class AXPPermissionDefaultLoader {
-    getList(context) {
-        return of([]);
+    async getList(context) {
+        return [];
     }
 }
 
+/**
+ * Optional injection token for permission checker.
+ * If provided, the checker will be called to potentially override
+ * authorization results based on custom logic.
+ */
+const AXP_PERMISSION_CHECKER = new InjectionToken('AXP_PERMISSION_CHECKER');
+
 class AXPSessionContext {
     get user() {
         return this._user;
@@ -218,10 +236,13 @@ class AXPSessionService {
     constructor() {
         this.eventService = inject(AXPBroadcastEventService);
         this.authStrategyRegistry = inject(AXPAuthStrategyRegistryService);
+        this.injector = inject(Injector);
         this.permissionLoader = inject(AXP_PERMISSION_LOADER);
         this.featureLoader = inject(AXP_FEATURE_LOADER);
         this.tenantLoader = inject(AXP_TENANT_LOADER);
         this.applicationLoader = inject(AXP_APPLICATION_LOADER);
+        this.permissionChecker = inject(AXP_PERMISSION_CHECKER, { optional: true });
+        this.featureChecker = inject(AXP_FEATURE_CHECKER, { optional: true });
         this.status = new BehaviorSubject(AXPSessionStatus.Unauthenticated);
         this.status$ = this.status.asObservable().pipe(shareReplay(1));
         // Add loading state to prevent premature redirects
@@ -244,13 +265,22 @@ class AXPSessionService {
         // Add a new observable that considers loading state
         this.isAuthenticatedWithLoading$ = this.isLoading$.pipe(switchMap((loading) => {
             if (loading) {
+                // Wait for loading to complete, then return authentication status
                 return this.isLoading$.pipe(filter((isLoading) => !isLoading), switchMap(() => this.isAuthenticated$));
             }
+            // If not loading, return current authentication status
             return this.isAuthenticated$;
         }), shareReplay(1));
         this.isAuthorized$ = this.status$.pipe(map((status) => status === AXPSessionStatus.Authorized), shareReplay(1));
     }
     static { this.SESSION_KEY = 'AXP_SESSION'; }
+    /**
+     * Get module provider loader lazily to avoid circular dependency.
+     * ModuleProviderLoader depends on AXPSessionService, which is this service.
+     */
+    getModuleProviderLoader() {
+        return this.injector.get(AXP_MODULE_PROVIDER_LOADER);
+    }
     get user() {
         const session = this.getSessionData();
         if (session?.user && !this.currentUserSubject.value) {
@@ -266,7 +296,7 @@ class AXPSessionService {
         return this.currentTenantSubject.value;
     }
     get tenants$() {
-        return this.tenantLoader.getList(this.getContext());
+        return from(this.tenantLoader.getList(this.getContext()));
     }
     get application() {
         const session = this.getSessionData();
@@ -276,7 +306,7 @@ class AXPSessionService {
         return this.currentApplicationSubject.value;
     }
     get applications$() {
-        return this.applicationLoader.getList(this.getContext());
+        return from(this.applicationLoader.getList(this.getContext()));
     }
     get permissions() {
         return this.permissionsSubject.value ?? [];
@@ -291,7 +321,18 @@ class AXPSessionService {
             if (sessionData) {
                 if (sessionData.user) {
                     this.currentUserSubject.next(sessionData.user);
+                    // Restore tenant and application from session data
+                    if (sessionData.tenant) {
+                        this.currentTenantSubject.next(sessionData.tenant);
+                    }
+                    if (sessionData.application) {
+                        this.currentApplicationSubject.next(sessionData.application);
+                    }
                     this.status.next(AXPSessionStatus.Authenticated);
+                    // Load required modules first to ensure entities are available for loaders
+                    // This is critical because loaders (like application.loader) need entities
+                    // from required modules (ApplicationManagement, TenantManagement, SecurityManagement)
+                    await this.getModuleProviderLoader().loadRequiredModules();
                     await this.loadPermissions();
                     await this.loadFeatures();
                     await this.signInComplete();
@@ -409,6 +450,9 @@ class AXPSessionService {
             }
             //
             const userId = this.user?.id;
+            // Clear module provider loader cache before clearing session
+            // This ensures modules and providers from previous user are not cached
+            await this.getModuleProviderLoader().clear();
             this.clearSession();
             this.eventService.publish(AXPSessionStatus.SignedOut, { id: userId });
             this.isLoading.next(false);
@@ -457,7 +501,7 @@ class AXPSessionService {
     }
     async loadPermissions() {
         try {
-            const permissions = await firstValueFrom(this.permissionLoader.getList(this.getContext()));
+            const permissions = await this.permissionLoader.getList(this.getContext());
             this.permissionsSubject.next(permissions ?? []);
         }
         catch (error) {
@@ -467,7 +511,7 @@ class AXPSessionService {
     }
     async loadFeatures() {
         try {
-            const features = await firstValueFrom(this.featureLoader.getList(this.getContext()));
+            const features = await this.featureLoader.getList(this.getContext());
             this.featuresSubject.next(features ?? []);
         }
         catch (error) {
@@ -547,26 +591,39 @@ class AXPSessionService {
         localStorage.removeItem(AXPSessionService.SESSION_KEY);
     }
     authorize(...keys) {
-        return keys.every((k) => isEmpty(k) || this.permissions.indexOf(k) > -1 || this.user?.name == 'root');
+        // Calculate base result
+        const baseResult = keys.every((k) => {
+            if (isEmpty(k))
+                return true;
+            // Check if user has the permission
+            const hasPermission = this.permissions.indexOf(k) > -1;
+            if (!hasPermission)
+                return false;
+            // Check if permission has required features (if permission definition service is available)
+            // Note: This is a lightweight check. Full feature validation happens in permission definition service.
+            return true;
+        });
+        // If permission checker is provided, use it to potentially override the result
+        if (this.permissionChecker) {
+            const context = this.getContext();
+            return this.permissionChecker.check(keys, context, baseResult);
+        }
+        return baseResult;
     }
     isFeatureEnabled(...keys) {
-        return keys.every((k) => isEmpty(k) || this.features.some((c) => c.name == k && c.value == true));
+        // Calculate base result
+        const baseResult = keys.every((k) => isEmpty(k) || this.features.some((c) => c.name == k && c.value == true));
+        // If feature checker is provided, use it to potentially override the result
+        if (this.featureChecker) {
+            const context = this.getContext();
+            return this.featureChecker.check(keys, context, baseResult);
+        }
+        return baseResult;
     }
     getToken() {
         const sessionData = this.getSessionData();
         return sessionData?.accessToken;
     }
-    checkTokenValidation() {
-        let sessionData = this.getSessionData();
-        if (sessionData && sessionData?.accessToken && sessionData.expiresIn) {
-            const expiresInDate = new Date(sessionData.expiresIn);
-            if (expiresInDate > new Date()) {
-                // Token is still valid
-                return true;
-            }
-        }
-        return false;
-    }
     getContext() {
         return new AXPSessionContext({
             user: this.user,
@@ -687,12 +744,13 @@ class AXPPermissionDefinitionGroupBuilder {
         this.context = context;
         this._group = group;
     }
-    addPermission(name, title, description) {
+    addPermission(name, title, description, requiredFeatures) {
         const permission = {
             name,
             title,
             description,
-            children: []
+            children: [],
+            requiredFeatures
         };
         this._group.permissions.push(permission);
         return new AXPPermissionDefinitionBuilder(this, permission);
@@ -712,16 +770,25 @@ class AXPPermissionDefinitionBuilder {
         this.groupBuilder = groupBuilder;
         this.permission = permission;
     }
-    addChild(name, title, description) {
+    addChild(name, title, description, requiredFeatures) {
         const permission = {
             name,
             title,
             description,
-            children: []
+            children: [],
+            requiredFeatures
         };
         this.permission.children.push(permission);
         return this;
     }
+    /**
+     * Set required features for this permission.
+     * @param features - Array of feature names (e.g., ['PlatformManagement.menu-customization'])
+     */
+    requireFeatures(...features) {
+        this.permission.requiredFeatures = features;
+        return this;
+    }
     endPermission() {
         return this.groupBuilder;
     }
@@ -736,6 +803,8 @@ const AXP_PERMISSION_DEFINITION_PROVIDER = new InjectionToken('AXP_PERMISSION_DE
 class AXPPermissionDefinitionService {
     constructor() {
         this.providers = inject(AXP_PERMISSION_DEFINITION_PROVIDER, { optional: true });
+        this.providerRegistry = inject(AXPModuleProviderRegistry);
+        this.sessionService = inject(AXPSessionService);
         this.cache = null;
     }
     async load() {
@@ -743,6 +812,7 @@ class AXPPermissionDefinitionService {
             return;
         }
         const context = new AXPPermissionDefinitionProviderContext();
+        // Load providers from DI tokens (backward compatibility)
         if (Array.isArray(this.providers)) {
             for (const provider of this.providers) {
                 if (provider instanceof Promise) {
@@ -756,7 +826,49 @@ class AXPPermissionDefinitionService {
                 }
             }
         }
-        this.cache = context.getGroupDefinitions();
+        // Load providers from registry (manifest-based, conditionally loaded)
+        const registryProviders = this.providerRegistry.getPermissionProviders();
+        for (const provider of registryProviders) {
+            await provider.define(context);
+        }
+        // Filter permissions based on required features
+        const allGroups = context.getGroupDefinitions();
+        this.cache = this.filterByFeatures(allGroups);
+    }
+    /**
+     * Filter permissions based on required features.
+     * Removes permissions that have required features that are not enabled.
+     */
+    filterByFeatures(groups) {
+        return groups.map(group => ({
+            ...group,
+            permissions: this.filterPermissions(group.permissions)
+        })).filter(group => group.permissions.length > 0);
+    }
+    /**
+     * Recursively filter permissions and their children based on required features.
+     */
+    filterPermissions(permissions) {
+        return permissions
+            .filter(permission => {
+            // Check if required features are enabled
+            if (permission.requiredFeatures && permission.requiredFeatures.length > 0) {
+                const allFeaturesEnabled = permission.requiredFeatures.every(featureName => this.sessionService.isFeatureEnabled(featureName));
+                if (!allFeaturesEnabled) {
+                    return false; // Filter out this permission
+                }
+            }
+            return true;
+        })
+            .map(permission => ({
+            ...permission,
+            children: this.filterPermissions(permission.children)
+        }))
+            .filter(permission => {
+            // Remove permissions that have no children if they were only containers
+            // (This is optional - you might want to keep parent permissions even without children)
+            return true;
+        });
     }
     async reload() {
         this.cache = null;
@@ -882,6 +994,10 @@ class AXPAuthModule {
                 const initializerFn = initializeAppState(inject(AXPSessionService));
                 return initializerFn();
             }),
+            {
+                provide: AXP_SESSION_SERVICE,
+                useExisting: AXPSessionService,
+            },
         ] }); }
 }
 i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "20.3.12", ngImport: i0, type: AXPAuthModule, decorators: [{
@@ -895,6 +1011,10 @@ i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "20.3.12", ngImpo
                             const initializerFn = initializeAppState(inject(AXPSessionService));
                             return initializerFn();
                         }),
+                        {
+                            provide: AXP_SESSION_SERVICE,
+                            useExisting: AXPSessionService,
+                        },
                     ],
                 }]
         }], ctorParameters: () => [{ type: undefined, decorators: [{
@@ -984,169 +1104,9 @@ class TimeUtil {
 }
 //#endregion
 
-//#region ----   Challenge Data Types   ----
-//#endregion
-
-//#region ----   Abstract Challenge Provider   ----
-/**
- * Abstract base class for login challenge providers
- *
- * Implement this class to create custom challenge mechanisms like:
- * - Image CAPTCHA
- * - reCAPTCHA
- * - SMS verification
- * - Email verification
- *
- * @example
- * ```typescript
- * @Injectable()
- * export class MyImageCaptchaProvider extends AXPLoginChallengeProvider {
- *   readonly name = 'image-captcha';
- *
- *   checkResponse(error: unknown): AXPChallengeCheckResult | null {
- *     if (error instanceof HttpErrorResponse) {
- *       if (error.error?.requiresCaptcha) {
- *         return { required: true };
- *       }
- *     }
- *     return null;
- *   }
- *
- *   async getChallenge(): Promise<AXPLoginChallengeData> {
- *     const response = await this.http.get('/api/captcha').toPromise();
- *     return {
- *       id: response.id,
- *       content: response.image,
- *       contentType: 'image-base64'
- *     };
- *   }
- *
- *   async refreshChallenge(): Promise<AXPLoginChallengeData> {
- *     return this.getChallenge();
- *   }
- *
- *   getChallengeComponent(): Type<AXPLoginChallengeComponentBase> {
- *     return MyCaptchaChallengeComponent;
- *   }
- * }
- * ```
- */
-class AXPLoginChallengeProvider {
-    /**
-     * Returns the component type for rendering the challenge UI
-     *
-     * Override this method to provide a custom challenge UI component.
-     * If not overridden (returns null), the login component will use
-     * a default built-in UI.
-     *
-     * @returns Component type extending AXPLoginChallengeComponentBase, or null for default UI
-     */
-    getChallengeComponent() {
-        return null;
-    }
-}
-//#endregion
-
-//#region ----   Injection Token   ----
-/**
- * Injection token for the login challenge provider
- *
- * This token is optional - if not provided, no challenge mechanism will be used.
- *
- * @example
- * ```typescript
- * // In your app module or provider configuration:
- * providers: [
- *   {
- *     provide: AXP_LOGIN_CHALLENGE_PROVIDER,
- *     useClass: MyImageCaptchaProvider
- *   }
- * ]
- *
- * // In a component:
- * private challengeProvider = inject(AXP_LOGIN_CHALLENGE_PROVIDER, { optional: true });
- * ```
- */
-const AXP_LOGIN_CHALLENGE_PROVIDER = new InjectionToken('AXP_LOGIN_CHALLENGE_PROVIDER');
-//#endregion
-
-//#region ----   Base Challenge Component   ----
-/**
- * Base class for login challenge UI components
- *
- * Providers can extend this class to create custom challenge UIs.
- * The login component will render this component and listen to its outputs.
- *
- * @example
- * ```typescript
- * @Component({
- *   selector: 'my-captcha-challenge',
- *   template: `
- *     <div class="captcha-container">
- *       <img [src]="'data:image/png;base64,' + challengeData().content" />
- *       <input
- *         type="text"
- *         [value]="response()"
- *         (input)="onResponseChange($event)"
- *       />
- *       <button (click)="onRefreshClick()">Refresh</button>
- *     </div>
- *   `
- * })
- * export class MyCaptchaChallengeComponent extends AXPLoginChallengeComponentBase {
- *   response = signal('');
- *
- *   onResponseChange(event: Event) {
- *     const value = (event.target as HTMLInputElement).value;
- *     this.response.set(value);
- *     this.responseChange.emit(value);
- *   }
- *
- *   onRefreshClick() {
- *     this.refreshRequest.emit();
- *   }
- * }
- * ```
- */
-class AXPLoginChallengeComponentBase {
-    constructor() {
-        //#region ----   Inputs   ----
-        /**
-         * Challenge data to display
-         * Contains the image/content and metadata from the server
-         */
-        this.challengeData = input.required(...(ngDevMode ? [{ debugName: "challengeData" }] : []));
-        /**
-         * Whether the challenge is currently loading (e.g., refreshing)
-         */
-        this.isLoading = input(false, ...(ngDevMode ? [{ debugName: "isLoading" }] : []));
-        //#endregion
-        //#region ----   Outputs   ----
-        /**
-         * Emits when the user enters or changes their response
-         * The login component will capture this value and include it in credentials
-         */
-        this.responseChange = output();
-        /**
-         * Emits when the user requests a new challenge (e.g., clicks refresh button)
-         * The login component will call provider.refreshChallenge()
-         */
-        this.refreshRequest = output();
-    }
-    static { this.ɵfac = i0.ɵɵngDeclareFactory({ minVersion: "12.0.0", version: "20.3.12", ngImport: i0, type: AXPLoginChallengeComponentBase, deps: [], target: i0.ɵɵFactoryTarget.Component }); }
-    static { this.ɵcmp = i0.ɵɵngDeclareComponent({ minVersion: "17.1.0", version: "20.3.12", type: AXPLoginChallengeComponentBase, isStandalone: true, selector: "ng-component", inputs: { challengeData: { classPropertyName: "challengeData", publicName: "challengeData", isSignal: true, isRequired: true, transformFunction: null }, isLoading: { classPropertyName: "isLoading", publicName: "isLoading", isSignal: true, isRequired: false, transformFunction: null } }, outputs: { responseChange: "responseChange", refreshRequest: "refreshRequest" }, ngImport: i0, template: '', isInline: true }); }
-}
-i0.ɵɵngDeclareClassMetadata({ minVersion: "12.0.0", version: "20.3.12", ngImport: i0, type: AXPLoginChallengeComponentBase, decorators: [{
-            type: Component,
-            args: [{
-                    template: '',
-                    standalone: true,
-                }]
-        }], propDecorators: { challengeData: [{ type: i0.Input, args: [{ isSignal: true, alias: "challengeData", required: true }] }], isLoading: [{ type: i0.Input, args: [{ isSignal: true, alias: "isLoading", required: false }] }], responseChange: [{ type: i0.Output, args: ["responseChange"] }], refreshRequest: [{ type: i0.Output, args: ["refreshRequest"] }] } });
-
 /**
  * Generated bundle index. Do not edit.
  */
 
-export { AXPAuthGuard, AXPAuthModule, AXPAuthStrategy, AXPAuthStrategyRegistryService, AXPFeatureDirective, AXPFeatureGuard, AXPLoginChallengeComponentBase, AXPLoginChallengeProvider, AXPPermissionDefinitionBuilder, AXPPermissionDefinitionGroupBuilder, AXPPermissionDefinitionProviderContext, AXPPermissionDefinitionService, AXPPermissionDirective, AXPPermissionEvaluatorScopeProvider, AXPPermissionGuard, AXPSessionContext, AXPSessionService, AXPSessionStatus, AXPUnauthenticatedError, AXPUnauthorizedError, AXP_APPLICATION_LOADER, AXP_FEATURE_LOADER, AXP_LOGIN_CHALLENGE_PROVIDER, AXP_PERMISSION_DEFINITION_PROVIDER, AXP_PERMISSION_LOADER, AXP_TENANT_LOADER, JwtUtil, PkceUtil, TimeUtil, initializeAppState };
+export { AXPAuthGuard, AXPAuthModule, AXPAuthStrategy, AXPAuthStrategyRegistryService, AXPFeatureDirective, AXPFeatureGuard, AXPPermissionDefinitionBuilder, AXPPermissionDefinitionGroupBuilder, AXPPermissionDefinitionProviderContext, AXPPermissionDefinitionService, AXPPermissionDirective, AXPPermissionEvaluatorScopeProvider, AXPPermissionGuard, AXPSessionContext, AXPSessionService, AXPSessionStatus, AXPUnauthenticatedError, AXPUnauthorizedError, AXP_APPLICATION_LOADER, AXP_FEATURE_CHECKER, AXP_FEATURE_LOADER, AXP_PERMISSION_CHECKER, AXP_PERMISSION_DEFINITION_PROVIDER, AXP_PERMISSION_LOADER, AXP_TENANT_LOADER, JwtUtil, PkceUtil, TimeUtil, initializeAppState };
 //# sourceMappingURL=acorex-platform-auth.mjs.map