@ciscode/authentication-kit 1.0.43 → 1.1.1

package/src/controllers/permission.controller.js

@@ -1,81 +0,0 @@
-const Permission = require('../models/permission.model');
-
-/**
- * Create a new permission.
- * Expects request body to include at least "name" (and optionally "description").
- */
-const createPermission = async (req, res) => {
-  try {
-    const { name, description } = req.body;
-    if (!name) {
-      return res.status(400).json({ message: 'Permission name is required.' });
-    }
-
-    const newPermission = new Permission({ name, description });
-    await newPermission.save();
-    return res.status(201).json(newPermission);
-  } catch (error) {
-    console.error('Error creating permission:', error);
-    return res.status(500).json({ message: 'Server error', error: error.message });
-  }
-};
-
-/**
- * Retrieve a list of permissions.
- * Supports pagination via query parameters (page & limit).
- */
-const getPermissions = async (req, res) => {
-  try {
-    const { page, limit } = req.query;
-    const permissions = await Permission.paginate({}, {
-      page: parseInt(page) || 1,
-      limit: parseInt(limit) || 10
-    });
-    return res.status(200).json(permissions);
-  } catch (error) {
-    console.error('Error retrieving permissions:', error);
-    return res.status(500).json({ message: 'Server error', error: error.message });
-  }
-};
-
-/**
- * Update a permission by its ID.
- * Expects new values in the request body.
- */
-const updatePermission = async (req, res) => {
-  try {
-    const { id } = req.params;
-    const updatedPermission = await Permission.findByIdAndUpdate(id, req.body, { new: true });
-    if (!updatedPermission) {
-      return res.status(404).json({ message: 'Permission not found.' });
-    }
-    return res.status(200).json(updatedPermission);
-  } catch (error) {
-    console.error('Error updating permission:', error);
-    return res.status(500).json({ message: 'Server error', error: error.message });
-  }
-};
-
-/**
- * Delete a permission by its ID.
- */
-const deletePermission = async (req, res) => {
-  try {
-    const { id } = req.params;
-    const deletedPermission = await Permission.findByIdAndDelete(id);
-    if (!deletedPermission) {
-      return res.status(404).json({ message: 'Permission not found.' });
-    }
-    return res.status(200).json({ message: 'Permission deleted successfully.' });
-  } catch (error) {
-    console.error('Error deleting permission:', error);
-    return res.status(500).json({ message: 'Server error', error: error.message });
-  }
-};
-
-module.exports = {
-  createPermission,
-  getPermissions,
-  updatePermission,
-  deletePermission
-};

package/src/controllers/roles.controller.js

@@ -1,108 +0,0 @@
-const Role = require('../models/role.model');
-
-// Create a new role (accessible by superadmin only)
-const createRole = async (req, res) => {
-  try {
-    const { tenantId, name, description, permissions } = req.body;
-    if (!tenantId || !name) {
-      return res.status(400).json({ message: 'tenantId and role name are required.' });
-    }
-    const newRole = new Role({ tenantId, name, description, permissions });
-    await newRole.save();
-    return res.status(201).json(newRole);
-  } catch (error) {
-    console.error('Error creating role:', error);
-    return res.status(500).json({ message: 'Server error', error: error.message });
-  }
-};
-
-// Get all roles for a specific tenant
-const getRoles = async (req, res) => {
-  try {
-    const { tenantId } = req.params;
-    if (!tenantId) {
-      return res.status(400).json({ message: 'tenantId is required in the URL.' });
-    }
-    const roles = await Role.paginate({ tenantId }, { page: 1, limit: 100 });
-    return res.status(200).json(roles);
-  } catch (error) {
-    console.error('Error retrieving roles:', error);
-    return res.status(500).json({ message: 'Server error', error: error.message });
-  }
-};
-
-const updateRole = async (req, res) => {
-  try {
-    const updatedRole = await Role.findByIdAndUpdate(req.params.id, req.body, { new: true });
-    if (!updatedRole) {
-      return res.status(404).json({ message: 'Role not found.' });
-    }
-    return res.status(200).json(updatedRole);
-  } catch (error) {
-    console.error('Error updating role:', error);
-    return res.status(500).json({ message: 'Server error', error: error.message });
-  }
-};
-
-const deleteRole = async (req, res) => {
-  try {
-    const deletedRole = await Role.findByIdAndDelete(req.params.id);
-    if (!deletedRole) {
-      return res.status(404).json({ message: 'Role not found.' });
-    }
-    return res.status(200).json({ message: 'Role deleted successfully.' });
-  } catch (error) {
-    console.error('Error deleting role:', error);
-    return res.status(500).json({ message: 'Server error', error: error.message });
-  }
-};
-
-/**
- * suspendUser
- * 
- * This controller sets a user's status to "suspended". It expects:
- * - The authenticated user's info in req.user.
- * - The target user's id in req.params.id.
- * 
- * Only a superadmin (a user whose roles include "superadmin") is authorized
- * to perform this action.
- */
-const suspendUser = async (req, res) => {
-  try {
-    // Ensure the authenticated user is provided.
-    if (!req.user || !req.user.roles) {
-      return res.status(403).json({ message: 'Access denied. Superadmin privileges required.' });
-    }
-
-    // Check if the current user has the superadmin role.
-    // (Adjust this check if your roles are stored as ObjectIds or have different structure.)
-    if (!req.user.roles.includes("superadmin")) {
-      return res.status(403).json({ message: 'Access denied. Superadmin privileges required.' });
-    }
-
-    // Extract the target user's ID from the URL.
-    const { id } = req.params;
-    if (!id) {
-      return res.status(400).json({ message: 'User ID is required in the URL.' });
-    }
-
-    // Update the target user's status to "suspended"
-    const updatedUser = await User.findByIdAndUpdate(id, { status: 'suspended' }, { new: true });
-    if (!updatedUser) {
-      return res.status(404).json({ message: 'User not found.' });
-    }
-
-    return res.status(200).json({ message: 'User suspended successfully.', user: updatedUser });
-  } catch (error) {
-    console.error('Error suspending user:', error);
-    return res.status(500).json({ message: 'Server error', error: error.message });
-  }
-};
-
-module.exports = {
-  createRole,
-  getRoles,
-  updateRole,
-  deleteRole,
-  suspendUser
-};

package/src/controllers/user.controller.js

@@ -1,283 +0,0 @@
-const User = require('../models/user.model');
-const nodemailer = require('nodemailer');
-const bcrypt = require('bcryptjs');
-const crypto = require('crypto');
-
-/**
- * Create a new user.
- * For local login, a password is required. If provided, it will be hashed.
- */
-const createUser = async (req, res) => {
-    try {
-      const { email, password, name, tenantId, microsoftId, roles } = req.body;
-      
-      // Validate required fields.
-      if (!email) {
-        return res.status(400).json({ message: 'Email is required.' });
-      }
-      if (!tenantId) {
-        return res.status(400).json({ message: 'TenantId is required.' });
-      }
-      // For local login, password is required.
-      if (!microsoftId && !password) {
-        return res.status(400).json({ message: 'Password is required for local login.' });
-      }
-      
-      // Check if a user with this email already exists for this tenant.
-      const existingUser = await User.findOne({ email, tenantId });
-      if (existingUser) {
-        return res.status(400).json({ message: 'User with this email already exists.' });
-      }
-      
-      // Hash the provided password.
-      const salt = await bcrypt.genSalt(10);
-      const hashedPassword = password ? await bcrypt.hash(password, salt) : undefined;
-      
-      // Set user status to "pending" (waiting for email confirmation)
-      const status = 'pending';
-      
-      // Read the expiration time for the confirmation token from environment variables (in hours)
-      // Default is 24 hours if not specified.
-      const tokenExpiryHours = parseFloat(process.env.EMAIL_TOKEN_EXPIRATION_HOURS) || 24;
-      const tokenExpiration = Date.now() + tokenExpiryHours * 60 * 60 * 1000;
-      
-      // Generate a secure confirmation token.
-      const confirmationToken = crypto.randomBytes(20).toString('hex');
-      
-      // Create and save the new user.
-      const newUser = new User({
-        email,
-        password: hashedPassword,
-        name,
-        tenantId,
-        microsoftId,
-        roles,
-        status,
-        resetPasswordToken: confirmationToken,
-        resetPasswordExpires: tokenExpiration
-      });
-      
-      await newUser.save();
-      
-      // Set up nodemailer transporter using SMTP settings from environment variables.
-      const transporter = nodemailer.createTransport({
-        host: process.env.SMTP_HOST,
-        port: parseInt(process.env.SMTP_PORT),
-        secure: process.env.SMTP_SECURE === 'true',
-        auth: {
-          user: process.env.SMTP_USER,
-          pass: process.env.SMTP_PASS
-        }
-      });
-      
-      // Construct the email confirmation URL.
-      const confirmationUrl = `${process.env.FRONTEND_URL}/confirm-email?token=${confirmationToken}&email=${encodeURIComponent(email)}`;
-      
-      const mailOptions = {
-        from: process.env.FROM_EMAIL,
-        to: email,
-        subject: 'Confirm Your Email Address',
-        text: `Hello,
-  
-  Thank you for registering. Please confirm your account by clicking the link below:
-  
-  ${confirmationUrl}
-  
-  This link will expire in ${tokenExpiryHours} hour(s).
-  
-  If you did not initiate this registration, please ignore this email.
-  
-  Thank you.`
-      };
-      
-      // Send the confirmation email.
-      await transporter.sendMail(mailOptions);
-      
-      return res.status(201).json({ message: 'User created and confirmation email sent successfully.', user: newUser });
-    } catch (error) {
-      console.error('Error creating user:', error);
-      return res.status(500).json({ message: 'Server error', error: error.message });
-    }
-  };
-
-/**
- * Update an existing user.
- * If a new password is provided in the request, it will be hashed before updating.
- */
-const updateUser = async (req, res) => {
-  try {
-    const userId = req.params.id;
-    
-    // If password is provided, hash it before updating.
-    if (req.body.password) {
-      const salt = await bcrypt.genSalt(10);
-      req.body.password = await bcrypt.hash(req.body.password, salt);
-    }
-    
-    const updatedUser = await User.findByIdAndUpdate(userId, req.body, { new: true });
-    if (!updatedUser) {
-      return res.status(404).json({ message: 'User not found.' });
-    }
-    return res.status(200).json(updatedUser);
-  } catch (error) {
-    console.error('Error updating user:', error);
-    return res.status(500).json({ message: 'Server error', error: error.message });
-  }
-};
-
-/**
- * Delete a user by their ID.
- */
-const deleteUser = async (req, res) => {
-  try {
-    const userId = req.params.id;
-    const deletedUser = await User.findByIdAndDelete(userId);
-    if (!deletedUser) {
-      return res.status(404).json({ message: 'User not found.' });
-    }
-    return res.status(200).json({ message: 'User deleted successfully.' });
-  } catch (error) {
-    console.error('Error deleting user:', error);
-    return res.status(500).json({ message: 'Server error', error: error.message });
-  }
-};
-
-/**
- * Create a new user invitation.
- *
- * The endpoint expects at least:
- *   - email: user's email address
- *   - tenantId: the tenant this user belongs to
- * Optionally, it may include:
- *   - name: user's name
- *
- * It creates a new user with no password, generates an invitation token (which we reuse 
- * for password reset), and sends an email with a link where the user can set their password.
- */
-const createUserInvitation = async (req, res) => {
-    try {
-      const { email, tenantId, name } = req.body;
-  
-      // Validate required fields.
-      if (!email) {
-        return res.status(400).json({ message: 'Email is required.' });
-      }
-      if (!tenantId) {
-        return res.status(400).json({ message: 'TenantId is required.' });
-      }
-      
-      // Check if the user already exists for this tenant.
-      const existingUser = await User.findOne({ email, tenantId });
-      if (existingUser) {
-        return res.status(400).json({ message: 'User with this email already exists.' });
-      }
-      
-      // Generate a secure invitation token (similar to a password reset token)
-      const token = crypto.randomBytes(20).toString('hex');
-      // Set the token expiration (e.g., 24 hours from now)
-      const tokenExpiration = Date.now() + 24 * 60 * 60 * 1000; // 24 hours in milliseconds
-      
-      // Create a new user with the invitation token and without a password.
-      // (You can use different fields like invitationToken if preferred; here we re-use resetPasswordToken)
-      const newUser = new User({
-        email,
-        tenantId,
-        name,
-        // No password yet; user will set it later
-        resetPasswordToken: token,
-        resetPasswordExpires: tokenExpiration
-      });
-      await newUser.save();
-      
-      // Setup nodemailer transporter using your SMTP settings from environment variables.
-      const transporter = nodemailer.createTransport({
-        host: process.env.SMTP_HOST,
-        port: parseInt(process.env.SMTP_PORT),
-        secure: process.env.SMTP_SECURE === 'true', // true for 465, false for other ports
-        auth: {
-          user: process.env.SMTP_USER,
-          pass: process.env.SMTP_PASS
-        }
-      });
-      
-      // Construct the invitation URL.
-      // The frontend should have a route like /set-password to handle completing registration.
-      const invitationUrl = `${process.env.FRONTEND_URL}/set-password?token=${token}&email=${encodeURIComponent(email)}`;
-      
-      // Define the email options.
-      const mailOptions = {
-        from: process.env.FROM_EMAIL,
-        to: email,
-        subject: "You're invited: Set up your password",
-        text: `Hello,
-  
-  You have been invited to join our platform. Please click on the link below to set your password and complete your registration:
-  
-  ${invitationUrl}
-  
-  This link will expire in 24 hours. If you did not request this or believe it to be in error, please ignore this email.
-  
-  Thank you!`
-      };
-      
-      // Send the invitation email.
-      await transporter.sendMail(mailOptions);
-      return res.status(201).json({ message: 'Invitation sent successfully. Please check your email.' });
-    } catch (error) {
-      console.error('Error in createUserInvitation:', error);
-      return res.status(500).json({ message: 'Server error', error: error.message });
-    }
-  };
-
-/**
- * GET /api/users
- * Query params:
- *   page, limit, tenantId, email
- */
-const getAllUsers = async (req, res) => {
-  try {
-    /* ---------- filters ---------- */
-    const filter = {};
-    if (req.query.tenantId) filter.tenantId = req.query.tenantId;
-    if (req.query.email)    filter.email    = req.query.email;
-
-    /* ---------- pagination ---------- */
-    const page  = Math.max(parseInt(req.query.page,  10) || 1, 1);
-    const limit = Math.min(parseInt(req.query.limit, 10) || 20, 100);
-    const skip  = (page - 1) * limit;
-
-    /* ---------- query ---------- */
-    const [totalItems, users] = await Promise.all([
-      User.countDocuments(filter),
-      User.find(filter)
-          .populate({ path: 'roles', select: '-__v' })
-          .skip(skip)
-          .limit(limit)
-          .lean()
-    ]);
-
-    return res.status(200).json({
-      data: users,
-      pagination: {
-        totalItems,                        // ← renamed
-        limit,
-        totalPages: Math.ceil(totalItems / limit) || 1,
-        currentPage: page,
-        hasNextPage: page * limit < totalItems,
-        hasPrevPage: page > 1
-      }
-    });
-  } catch (error) {
-    console.error('Error fetching users:', error);
-    return res.status(500).json({ message: 'Server error', error: error.message });
-  }
-};
-
-
-module.exports = {
-  createUser,
-  updateUser,
-  deleteUser,
-  createUserInvitation,
-  getAllUsers
-};

package/src/index.js

@@ -1,32 +0,0 @@
-const express = require('express');
-const connectDB = require('./config/db.config');
-require('dotenv').config();
-
-// Import routes
-const authRoutes            = require('./routes/auth.routes');
-const passwordResetRoutes   = require('./routes/passwordReset.routes');
-const rolesRoutes           = require('./routes/roles.routes');
-const permissionsRoutes     = require('./routes/permission.routes');
-const adminRoutes           = require('./routes/admin.routes');
-const userRoutes            = require('./routes/user.routes');
-
-const app = express();
-
-app.use(express.json());
-connectDB();
-
-// Auth endpoints
-app.use('/api/auth', authRoutes);
-app.use('/api/auth', passwordResetRoutes);
-
-// User management endpoints
-app.use('/api/users', userRoutes);
-
-// Role & Permission endpoints
-app.use('/api/auth/permissions', permissionsRoutes);      // permissions under /api/auth/roles
-app.use('/api/auth/roles', rolesRoutes);            // roles under /api/auth/roles
-
-// Admin‐only endpoints
-app.use('/api/admin', adminRoutes);
-
-module.exports = app;

package/src/middleware/auth.middleware.js

@@ -1,16 +0,0 @@
-const jwt = require("jsonwebtoken");
-
-const authMiddleware = (req, res, next) => {
-    const token = req.headers.authorization?.split(" ")[1];
-    if (!token) return res.status(401).json({ error: "Unauthorized" });
-
-    try {
-        const decoded = jwt.verify(token, process.env.JWT_SECRET);
-        req.user = decoded; // Contains tenantId, userId, roleIds
-        next();
-    } catch (error) {
-        res.status(403).json({ error: "Invalid token" });
-    }
-};
-
-module.exports = authMiddleware;

package/src/middleware/authenticate.js

@@ -1,25 +0,0 @@
-// src/middleware/authenticate.js
-
-const jwt = require('jsonwebtoken');
-require('dotenv').config();
-
-module.exports = (req, res, next) => {
-  const authHeader = req.headers.authorization;
-  if (!authHeader || !authHeader.startsWith('Bearer ')) {
-    return res.status(401).json({ message: 'Missing or invalid Authorization header.' });
-  }
-
-  const token = authHeader.split(' ')[1];
-  jwt.verify(token, process.env.JWT_SECRET, (err, decoded) => {
-    if (err) {
-      // TokenExpiredError comes here when the token is past its exp
-      if (err.name === 'TokenExpiredError') {
-        return res.status(401).json({ message: 'Access token expired.' });
-      }
-      return res.status(401).json({ message: 'Invalid access token.' });
-    }
-    // Attach the payload to req.user for downstream handlers
-    req.user = decoded;
-    next();
-  });
-};

package/src/middleware/rbac.middleware.js

@@ -1,24 +0,0 @@
-const Role = require("../models/role.model");
-
-// Middleware to check if user has required permission
-const hasPermission = (requiredPermission) => {
-    return async (req, res, next) => {
-        try {
-            const { tenantId, roleIds } = req.user;
-
-            // Fetch roles from DB
-            const roles = await Role.find({ _id: { $in: roleIds }, tenantId });
-            const permissions = roles.flatMap(role => role.permissions);
-
-            if (permissions.includes(requiredPermission)) {
-                return next();
-            }
-
-            res.status(403).json({ error: "Forbidden: Insufficient permissions" });
-        } catch (error) {
-            res.status(500).json({ error: "Authorization error" });
-        }
-    };
-};
-
-module.exports = { hasPermission };

package/src/middleware/tenant.middleware.js

@@ -1,16 +0,0 @@
-const jwt = require("jsonwebtoken");
-
-const tenantMiddleware = (req, res, next) => {
-    const token = req.headers.authorization?.split(" ")[1]; // Extract JWT
-    if (!token) return res.status(401).json({ error: "Unauthorized" });
-
-    try {
-        const decoded = jwt.verify(token, process.env.JWT_SECRET);
-        req.tenantId = decoded.tenantId; // Attach tenant ID to request
-        next();
-    } catch (error) {
-        res.status(403).json({ error: "Invalid token" });
-    }
-};
-
-module.exports = tenantMiddleware;

package/src/models/client.model.js

@@ -1,39 +0,0 @@
-const mongoose = require('mongoose');
-const mongoosePaginate = require('mongoose-paginate-v2');
-
-const ClientSchema = new mongoose.Schema({
-  email: {
-    type: String,
-    required: true,
-    unique: true
-  },
-  // Hashed password; may be empty for social/OAuth clients
-  password: {
-    type: String,
-    required: function () {
-      return !this.microsoftId && !this.googleId && !this.facebookId;
-    }
-  },
-  name: { type: String },
-
-  // Social providers (optional)
-  microsoftId: { type: String, index: true },
-  googleId: { type: String, index: true },
-  facebookId: { type: String, index: true },
-
-  // Roles assigned to the client
-  roles: [{ type: mongoose.Schema.Types.ObjectId, ref: 'Role' }],
-
-  // Password reset
-  resetPasswordToken: { type: String },
-  resetPasswordExpires: { type: Date },
-
-  // For refresh flow (your controller already sets this)
-  refreshToken: { type: String },
-
-  createdAt: { type: Date, default: Date.now }
-}, { timestamps: true });
-
-ClientSchema.plugin(mongoosePaginate);
-
-module.exports = mongoose.model('Client', ClientSchema);

package/src/models/permission.model.js

@@ -1,9 +0,0 @@
-const mongoose = require("mongoose");
-
-const PermissionSchema = new mongoose.Schema({
-    name: { type: String, required: true, unique: true }, // e.g., "read:orders"
-    category: { type: String }, // e.g., "Orders"
-    description: { type: String }
-});
-
-module.exports = mongoose.model("Permission", PermissionSchema);

package/src/models/role.model.js

@@ -1,14 +0,0 @@
-const mongoose = require('mongoose');
-const mongoosePaginate = require('mongoose-paginate-v2');
-
-const RoleSchema = new mongoose.Schema({
-  tenantId: { type: String, required: true },
-  name: { type: String, required: true, unique: true },
-  description: { type: String },
-  // Permissions stored as strings (e.g., "create:invoice", "delete:user")
-  permissions: [{ type: String }]
-}, { timestamps: true });
-
-RoleSchema.plugin(mongoosePaginate);
-
-module.exports = mongoose.model('Role', RoleSchema);

package/src/models/tenant.model.js

@@ -1,9 +0,0 @@
-const mongoose = require("mongoose");
-
-const TenantSchema = new mongoose.Schema({
-    _id: String,  // Microsoft Tenant ID
-    name: String,
-    plan: String
-});
-
-module.exports = mongoose.model("Tenant", TenantSchema);