@decaf-ts/for-nest 0.11.2-refactor.3 → 0.11.2-refactor.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +273 -1
- package/dist/for-nest.cjs +123 -98
- package/dist/for-nest.js +127 -101
- package/lib/cjs/decaf-model/DecafModelModule.cjs +7 -2
- package/lib/cjs/decaf-model/FromModelController.cjs +121 -68
- package/lib/cjs/decaf-model/decorators/utils.cjs +4 -3
- package/lib/cjs/decaf-model/utils.cjs +10 -4
- package/lib/cjs/decorators.cjs +4 -3
- package/lib/cjs/index.cjs +3 -3
- package/lib/esm/decaf-model/DecafModelModule.js +6 -1
- package/lib/esm/decaf-model/FromModelController.js +122 -69
- package/lib/esm/decaf-model/decorators/utils.js +3 -2
- package/lib/esm/decaf-model/utils.js +9 -3
- package/lib/esm/decorators.js +3 -2
- package/lib/esm/index.js +3 -3
- package/lib/types/decaf-model/FromModelController.d.cts +3 -0
- package/lib/types/decaf-model/FromModelController.d.mts +3 -0
- package/lib/types/index.d.cts +3 -3
- package/lib/types/index.d.mts +3 -3
- package/package.json +1 -1
package/README.md
CHANGED
|
@@ -53,8 +53,280 @@ Now you can create new repositories from this template and enjoy having everythi
|
|
|
53
53
|
- [WebStorm](./workdocs/tutorials/For%20Developers.md#webstorm)
|
|
54
54
|
- [Considerations](./workdocs/tutorials/For%20Developers.md#considerations)
|
|
55
55
|
|
|
56
|
+
---
|
|
56
57
|
|
|
57
|
-
|
|
58
|
+
## Module Configuration
|
|
59
|
+
|
|
60
|
+
### `DecafModule.forRootAsync(options)`
|
|
61
|
+
|
|
62
|
+
The main entry point. Boots persistence, registers controllers, and wires the request pipeline.
|
|
63
|
+
|
|
64
|
+
```ts
|
|
65
|
+
import { DecafModule } from "@decaf-ts/for-nest";
|
|
66
|
+
|
|
67
|
+
@Module({
|
|
68
|
+
imports: [
|
|
69
|
+
DecafModule.forRootAsync({
|
|
70
|
+
conf: [
|
|
71
|
+
[FabricClientAdapter, fabricConfig, new FabricTransformer()],
|
|
72
|
+
[TypeORMAdapter, pgConfig, new TypeORMTransformer()],
|
|
73
|
+
[NanoAdapter, couchConfig, new NanoTransformer()],
|
|
74
|
+
],
|
|
75
|
+
autoControllers: true,
|
|
76
|
+
aggregations: false,
|
|
77
|
+
handlers: [ImpersonateHandler],
|
|
78
|
+
controllerExposure: { Product: true, Batch: ["hlf-fabric"] },
|
|
79
|
+
controllerConfig: { Product: { auth: { public: true } } },
|
|
80
|
+
observerOptions: { enableObserverEvents: true },
|
|
81
|
+
initialization: async () => { await Service.boot(); },
|
|
82
|
+
}),
|
|
83
|
+
],
|
|
84
|
+
})
|
|
85
|
+
export class AppModule {}
|
|
86
|
+
```
|
|
87
|
+
|
|
88
|
+
#### `DecafModuleOptions`
|
|
89
|
+
|
|
90
|
+
| Option | Type | Required | Default | Description |
|
|
91
|
+
|---|---|---|---|---|
|
|
92
|
+
| `conf` | `[Constructor<Adapter>, ConfigOf<Adapter>, ...any[], Transformer?][]` | Yes | — | Array of adapter tuples: `[AdapterClass, adapterConfig, ...args, transformer?]`. The trailing transformer (instance or constructor) maps request context fields to adapter-specific keys. If omitted, the adapter's registered `@requestToContextTransformer` is used. |
|
|
93
|
+
| `autoControllers` | `boolean` | Yes | — | When `true`, auto-generates CRUD controllers for all models registered to each adapter flavour. |
|
|
94
|
+
| `autoServices` | `boolean` | No | `false` | When `true`, generates a `ModelService` provider for every tracked model (injectable as `${ModelName}Service`). |
|
|
95
|
+
| `aggregations` | `boolean` | No | `true` | When `false`, disables grouping/aggregation routes globally by setting `allowGroupingQueries: false` as a `globalDefaults` override. |
|
|
96
|
+
| `controllerExposure` | `Record<string, boolean \| string[]>` | No | — | Per-model exposure overrides. `true` exposes on all flavours; an array of flavour strings restricts exposure; `false` hides the model. When omitted, the `@expose` decorator metadata is used. |
|
|
97
|
+
| `controllerConfig` | `Record<string, ModelControllerFactoryConfig>` | No | — | Per-model controller factory config. Merged on top of decorator-level `@controllerConfig` and `globalDefaults`. See [ModelControllerFactoryConfig](#modelcontrollerfactoryconfig) below. |
|
|
98
|
+
| `observerOptions` | `ObserverEventsOptions` | No | — | SSE observer event configuration. See [ObserverEventsOptions](#observereventsoptions) below. |
|
|
99
|
+
| `handlers` | `Type<DecafRequestHandler>[]` | No | `[]` | Request handlers executed by `DecafHandlerExecutor` before the controller method. Each handler receives `(context, req, res)`. |
|
|
100
|
+
| `initialization` | `() => Promise<void>` | No | — | Called once after persistence boots but before the Nest module finishes initializing. Use for `Service.boot()` or similar setup. |
|
|
101
|
+
| `alias` | `string` | No | — | Optional adapter alias for multi-instance scenarios. |
|
|
102
|
+
|
|
103
|
+
#### `ModelControllerFactoryConfig`
|
|
104
|
+
|
|
105
|
+
Per-controller knobs merged in this priority order (later wins):
|
|
106
|
+
|
|
107
|
+
1. `globalDefaults` (from `aggregations: false`)
|
|
108
|
+
2. `@controllerConfig()` decorator on the model class
|
|
109
|
+
3. `controllerConfig[modelName]` in `DecafModuleOptions`
|
|
110
|
+
|
|
111
|
+
| Option | Type | Default | Description |
|
|
112
|
+
|---|---|---|---|
|
|
113
|
+
| `allowStatementlessQuery` | `boolean` | `false` | Allows `@query()` methods without a matching `@statement()` to be exposed as GET routes. |
|
|
114
|
+
| `allowGroupingQueries` | `boolean \| GroupingQueryFlags` | `true` | Enables or fine-tunes aggregation endpoints (`count`, `avg`, `max`, `min`, `sum`, `distinct`, `group`). Set to `false` to hide all aggregation routes. |
|
|
115
|
+
| `allowBulkStatement` | `boolean \| BulkStatementFlags` | `false` | Enables or fine-tunes bulk CRUD routes (`bulk` path: GET=readAll, PUT=updateAll, DELETE=deleteAll). |
|
|
116
|
+
| `auth` | `AuthConfig` | — | Per-controller auth configuration. See [AuthConfig](#authconfig) below. |
|
|
117
|
+
|
|
118
|
+
**`GroupingQueryFlags`**: `{ count?: boolean; avg?: boolean; max?: boolean; min?: boolean; sum?: boolean; distinct?: boolean; group?: boolean }`
|
|
119
|
+
|
|
120
|
+
**`BulkStatementFlags`**: `{ create?: boolean; read?: boolean; update?: boolean; delete?: boolean }`
|
|
121
|
+
|
|
122
|
+
#### `AuthConfig`
|
|
123
|
+
|
|
124
|
+
Applied at the **class level** to every auto-generated controller for that model:
|
|
125
|
+
|
|
126
|
+
| Option | Type | Default | Description |
|
|
127
|
+
|---|---|---|---|
|
|
128
|
+
| `public` | `boolean` | `false` | When `true`, applies `@Public()` — the `AuthInterceptor` skips authorization entirely. |
|
|
129
|
+
| `roles` | `string[]` | — | When provided, applies `@RequireRoles(...roles)` — the auth handler validates the user has all listed roles. |
|
|
130
|
+
| `skipModelRoles` | `boolean` | `false` | When `true`, sets `SKIP_MODEL_ROLES_KEY` metadata — the `AuthInterceptor` passes `undefined` as the model to `authHandler.authorize()`, so model-level `@roles()` checks are skipped. Route-level roles (if set) still apply. |
|
|
131
|
+
|
|
132
|
+
If `auth` is omitted, `@Auth(Model)` is applied by default (requires authentication + model-level role checks).
|
|
133
|
+
|
|
134
|
+
#### `ObserverEventsOptions`
|
|
135
|
+
|
|
136
|
+
| Option | Type | Default | Description |
|
|
137
|
+
|---|---|---|---|
|
|
138
|
+
| `enableObserverEvents` | `boolean` | `false` | Enables SSE stream events globally. |
|
|
139
|
+
| `observerFlavours` | `any[]` | all registered | List of adapter flavours that will emit stream events. |
|
|
140
|
+
| `observerApiPath` | `string` | `"/events"` | SSE endpoint path. |
|
|
141
|
+
|
|
142
|
+
---
|
|
143
|
+
|
|
144
|
+
## Auth Configuration
|
|
145
|
+
|
|
146
|
+
### `DecafAuthModule.forRoot(options)`
|
|
147
|
+
|
|
148
|
+
Optional standalone module for registering auth wiring independently of `DecafCoreModule`.
|
|
149
|
+
|
|
150
|
+
```ts
|
|
151
|
+
import { DecafAuthModule } from "@decaf-ts/for-nest";
|
|
152
|
+
|
|
153
|
+
@Module({
|
|
154
|
+
imports: [
|
|
155
|
+
DecafAuthModule.forRoot({
|
|
156
|
+
global: true,
|
|
157
|
+
handler: MyAuthHandler,
|
|
158
|
+
}),
|
|
159
|
+
],
|
|
160
|
+
})
|
|
161
|
+
export class AppModule {}
|
|
162
|
+
```
|
|
163
|
+
|
|
164
|
+
> **Note:** `DecafCoreModule` (booted via `DecafModule.forRootAsync`) already registers `DecafRequestHandlerInterceptor` as a global `APP_INTERCEPTOR`. `DecafAuthModule` does **not** duplicate this registration.
|
|
165
|
+
|
|
166
|
+
#### `DecafAuthModuleOptions`
|
|
167
|
+
|
|
168
|
+
| Option | Type | Default | Description |
|
|
169
|
+
|---|---|---|---|
|
|
170
|
+
| `global` | `boolean` | `false` | When `true`, registers `AuthInterceptor` as a global `APP_INTERCEPTOR` (via `useExisting`) and marks the module as `@Global()`. When `false`, `AuthInterceptor` is provided but only activated on routes decorated with `@Auth()` or `@RequireRoles()`. |
|
|
171
|
+
| `handler` | `Type<AuthHandler>` | — | Concrete auth handler class. Registered both as itself and under the `AUTH_HANDLER` token. |
|
|
172
|
+
|
|
173
|
+
### Manual Auth Wiring (without `DecafAuthModule`)
|
|
174
|
+
|
|
175
|
+
For full control, wire auth directly in your module:
|
|
176
|
+
|
|
177
|
+
```ts
|
|
178
|
+
import { AUTH_HANDLER, AuthInterceptor } from "@decaf-ts/for-nest";
|
|
179
|
+
import { APP_INTERCEPTOR } from "@nestjs/core";
|
|
180
|
+
|
|
181
|
+
@Global()
|
|
182
|
+
@Module({
|
|
183
|
+
providers: [
|
|
184
|
+
AuthInterceptor,
|
|
185
|
+
AuthService,
|
|
186
|
+
FabricKeycloakAuthHandler,
|
|
187
|
+
{ provide: AUTH_HANDLER, useClass: FabricKeycloakAuthHandler },
|
|
188
|
+
{ provide: APP_INTERCEPTOR, useExisting: AuthInterceptor },
|
|
189
|
+
],
|
|
190
|
+
exports: [AUTH_HANDLER, AuthInterceptor, AuthService],
|
|
191
|
+
})
|
|
192
|
+
export class AuthModule {}
|
|
193
|
+
```
|
|
194
|
+
|
|
195
|
+
---
|
|
196
|
+
|
|
197
|
+
## Auth Decorators
|
|
198
|
+
|
|
199
|
+
### `@Auth(model?)`
|
|
200
|
+
|
|
201
|
+
Applies `ApiBearerAuth()`, `UseInterceptors(AuthInterceptor)`, and (when a model is given) sets `AUTH_META_KEY` metadata so the handler knows which model is being accessed.
|
|
202
|
+
|
|
203
|
+
```ts
|
|
204
|
+
@Auth(Product)
|
|
205
|
+
@Controller("product")
|
|
206
|
+
export class ProductController {}
|
|
207
|
+
```
|
|
208
|
+
|
|
209
|
+
### `@Public()`
|
|
210
|
+
|
|
211
|
+
Marks a route or controller as public — `AuthInterceptor` skips authorization.
|
|
212
|
+
|
|
213
|
+
```ts
|
|
214
|
+
@Public()
|
|
215
|
+
@Get("health")
|
|
216
|
+
health() { return { status: "ok" }; }
|
|
217
|
+
```
|
|
218
|
+
|
|
219
|
+
### `@RequireRoles(...roles)`
|
|
220
|
+
|
|
221
|
+
Requires the user to have all listed roles. Applies `ApiSecurity("bearer")`, `SetMetadata(REQUIRED_ROLES_KEY, roles)`, and `UseInterceptors(AuthInterceptor)`.
|
|
222
|
+
|
|
223
|
+
```ts
|
|
224
|
+
@RequireRoles("admin", "writer")
|
|
225
|
+
@Put("product/:id")
|
|
226
|
+
update() {}
|
|
227
|
+
```
|
|
228
|
+
|
|
229
|
+
### `@SkipFabricIdentity()` *(application-specific)*
|
|
230
|
+
|
|
231
|
+
Application-level decorator (e.g. in ew-backend) that sets metadata to skip Fabric identity re-enrollment for specific routes. Not part of `for-nest`.
|
|
232
|
+
|
|
233
|
+
---
|
|
234
|
+
|
|
235
|
+
## Auth Handler
|
|
236
|
+
|
|
237
|
+
### `AuthHandler<EC, C, D>`
|
|
238
|
+
|
|
239
|
+
Abstract base class from `@decaf-ts/for-http/server`. Concrete handlers extend it and override:
|
|
240
|
+
|
|
241
|
+
| Method | Required | Description |
|
|
242
|
+
|---|---|---|
|
|
243
|
+
| `extractFromAuth(ctx: EC): D \| Promise<D>` | Yes | Pulls auth data (user, roles, organization) from the platform execution context. MUST throw `AuthorizationError` when unauthenticated. |
|
|
244
|
+
| `bindToContext(ctx: C, data: D)` | Yes* | Binds auth data to the request context. Default implementation calls `ctx.accumulate(data)`. Override to add adapter-specific keys (e.g. `UUID`, `organization`). |
|
|
245
|
+
| `validate(data, routeRoles, model, ...args)` | No | Default validates route roles then model-level roles (from `@roles()`). Override for custom logic. |
|
|
246
|
+
|
|
247
|
+
\* The default `bindToContext` exists but every concrete handler typically overrides it.
|
|
248
|
+
|
|
249
|
+
```ts
|
|
250
|
+
import { AuthHandler } from "@decaf-ts/for-nest";
|
|
251
|
+
import { AuthorizationError } from "@decaf-ts/core";
|
|
252
|
+
|
|
253
|
+
class CustomAuthHandler extends AuthHandler {
|
|
254
|
+
protected extractFromAuth(ctx: ExecutionContext) {
|
|
255
|
+
const req = ctx.switchToHttp().getRequest();
|
|
256
|
+
const token = req.headers.authorization?.split(" ")[1];
|
|
257
|
+
if (!token) throw new AuthorizationError("Unauthenticated");
|
|
258
|
+
return { user: "alice", roles: ["admin"] };
|
|
259
|
+
}
|
|
260
|
+
|
|
261
|
+
protected bindToContext(ctx: DecafRequestContext, data: AuthData) {
|
|
262
|
+
ctx.accumulate({ UUID: data.user, user: data.user });
|
|
263
|
+
}
|
|
264
|
+
}
|
|
265
|
+
```
|
|
266
|
+
|
|
267
|
+
### `AuthData` / `UserData`
|
|
268
|
+
|
|
269
|
+
| Field | Type | Description |
|
|
270
|
+
|---|---|---|
|
|
271
|
+
| `user` | `string` | Authenticated user identifier. |
|
|
272
|
+
| `roles` | `string[]` | Roles granted to the user. |
|
|
273
|
+
| `organization` | `string` | Organization / tenant / MSP. |
|
|
274
|
+
|
|
275
|
+
---
|
|
276
|
+
|
|
277
|
+
## Auth Interceptor Flow
|
|
278
|
+
|
|
279
|
+
```
|
|
280
|
+
Request → AuthInterceptor → DecafRequestHandlerInterceptor → Controller
|
|
281
|
+
```
|
|
282
|
+
|
|
283
|
+
1. **`AuthInterceptor`** (request-scoped):
|
|
284
|
+
- Reads `IS_PUBLIC_KEY` — if `true`, skips auth.
|
|
285
|
+
- Reads `AUTH_META_KEY` (model name) and `REQUIRED_ROLES_KEY` (route roles).
|
|
286
|
+
- Reads `SKIP_MODEL_ROLES_KEY` — if `true`, passes `undefined` as model (skips model-level role checks).
|
|
287
|
+
- Calls `authHandler.authorize(ctx, effectiveModel, requiredRoles, requestContext)`.
|
|
288
|
+
- Runs `applyTransformers()` — iterates `Adapter.flavoursToTransform()`, instantiates each `RequestToContextTransformer` if needed, calls `transformer.from(requestContext)`, and accumulates the result.
|
|
289
|
+
- Enriches the logger with `user` / `organization` if present.
|
|
290
|
+
|
|
291
|
+
2. **`DecafRequestHandlerInterceptor`** (request-scoped, registered by `DecafCoreModule`):
|
|
292
|
+
- Calls `contextualize(req)` — accumulates `headers`, `logger`, `timestamp`, `operation` into the request context.
|
|
293
|
+
- Calls `executor.exec(req, res)` — runs all registered `DecafRequestHandler` instances in sequence.
|
|
294
|
+
|
|
295
|
+
---
|
|
296
|
+
|
|
297
|
+
## Webhook Module
|
|
298
|
+
|
|
299
|
+
### `DecafWebhookModule.forRootAsync(options)`
|
|
300
|
+
|
|
301
|
+
Standalone module for webhook delivery. Boots its own persistence layer (separate from `DecafModule`).
|
|
302
|
+
|
|
303
|
+
```ts
|
|
304
|
+
import { DecafWebhookModule } from "@decaf-ts/for-nest";
|
|
305
|
+
|
|
306
|
+
@Module({
|
|
307
|
+
imports: [
|
|
308
|
+
DecafWebhookModule.forRootAsync({
|
|
309
|
+
conf: [[NanoAdapter, couchConfig, new NanoTransformer()]],
|
|
310
|
+
webhookApiPath: "/webhooks",
|
|
311
|
+
handlers: [WebhookAuthHandler],
|
|
312
|
+
}),
|
|
313
|
+
],
|
|
314
|
+
})
|
|
315
|
+
export class AppModule {}
|
|
316
|
+
```
|
|
317
|
+
|
|
318
|
+
#### `DecafWebhookModuleOptions`
|
|
319
|
+
|
|
320
|
+
| Option | Type | Required | Default | Description |
|
|
321
|
+
|---|---|---|---|---|
|
|
322
|
+
| `conf` | same as `DecafModuleOptions.conf` | Yes | — | Adapter tuples for webhook persistence. |
|
|
323
|
+
| `handlers` | `Type<DecafRequestHandler>[]` | No | `[]` | Request handlers for the webhook pipeline. |
|
|
324
|
+
| `initialization` | `() => Promise<void>` | No | — | Called after webhook persistence boots. |
|
|
325
|
+
| `webhookApiPath` | `string` | No | `"/webhooks"` | Router prefix for webhook controllers. |
|
|
326
|
+
|
|
327
|
+
---
|
|
328
|
+
|
|
329
|
+
## Migration execution
|
|
58
330
|
|
|
59
331
|
`DecafCoreModule.migrate` wraps `MigrationService.migrateAdapters` once the persistence layer is ready. Use it to orchestrate upgrades across the adapters you boot in `DecafCoreModule.bootPersistence`.
|
|
60
332
|
|