@fiado/type-kit 3.111.0 → 3.113.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/_test_/unit/platformRbac/enums/__snapshots__/permissionBits.test.ts.snap +2 -1
- package/bin/platformRbac/dtos/CompleteMyProfileRequest.d.ts +9 -0
- package/bin/platformRbac/dtos/CompleteMyProfileRequest.js +34 -0
- package/bin/platformRbac/dtos/CreateTenantRequest.d.ts +2 -0
- package/bin/platformRbac/dtos/CreateTenantRequest.js +6 -0
- package/bin/platformRbac/dtos/SelfRegisterCompleteRequest.d.ts +21 -0
- package/bin/platformRbac/dtos/SelfRegisterCompleteRequest.js +60 -0
- package/bin/platformRbac/dtos/SelfRegisterStartRequest.d.ts +18 -0
- package/bin/platformRbac/dtos/SelfRegisterStartRequest.js +52 -0
- package/bin/platformRbac/dtos/SelfRegisterVerifyOtpRequest.d.ts +14 -0
- package/bin/platformRbac/dtos/SelfRegisterVerifyOtpRequest.js +39 -0
- package/bin/platformRbac/enums/Permission.d.ts +1 -0
- package/bin/platformRbac/enums/Permission.js +5 -0
- package/bin/platformRbac/index.d.ts +4 -0
- package/bin/platformRbac/index.js +7 -0
- package/package.json +1 -1
- package/src/platformRbac/dtos/CompleteMyProfileRequest.ts +12 -0
- package/src/platformRbac/dtos/CreateTenantRequest.ts +2 -0
- package/src/platformRbac/dtos/SelfRegisterCompleteRequest.ts +25 -0
- package/src/platformRbac/dtos/SelfRegisterStartRequest.ts +22 -0
- package/src/platformRbac/dtos/SelfRegisterVerifyOtpRequest.ts +18 -0
- package/src/platformRbac/enums/Permission.ts +5 -0
- package/src/platformRbac/index.ts +8 -0
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
// Jest Snapshot v1, https://jestjs.io/docs/snapshot-testing
|
|
2
2
|
|
|
3
|
-
exports[`PERMISSION_BIT_ORDER PERMS_VERSION es número estable 1`] = `
|
|
3
|
+
exports[`PERMISSION_BIT_ORDER PERMS_VERSION es número estable 1`] = `488222087`;
|
|
4
4
|
|
|
5
5
|
exports[`PERMISSION_BIT_ORDER append-only: snapshot del ORDEN COMPLETO (rompe ante cualquier reorden/inserción) 1`] = `
|
|
6
6
|
[
|
|
@@ -123,5 +123,6 @@ exports[`PERMISSION_BIT_ORDER append-only: snapshot del ORDEN COMPLETO (rompe an
|
|
|
123
123
|
"platform.tenant.userfields.manage",
|
|
124
124
|
"agents.app.access",
|
|
125
125
|
"platform.user.create.lateral",
|
|
126
|
+
"platform.application.manage",
|
|
126
127
|
]
|
|
127
128
|
`;
|
|
@@ -0,0 +1,9 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Body del PUT /me/profile/complete (autenticado, gate post-MFA del autoregistro). DEC-RBAC-034.
|
|
3
|
+
* Opera sobre el propio usuario (cognitoSub del token). Valida nombre + los `userFieldDefs` requeridos
|
|
4
|
+
* del tenant (422 MISSING_REQUIRED_FIELDS si faltan) y flipea `profileComplete=true`.
|
|
5
|
+
*/
|
|
6
|
+
export declare class CompleteMyProfileRequest {
|
|
7
|
+
displayName: string;
|
|
8
|
+
customFields?: Record<string, string>;
|
|
9
|
+
}
|
|
@@ -0,0 +1,34 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
|
|
3
|
+
var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
|
|
4
|
+
if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
|
|
5
|
+
else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
|
|
6
|
+
return c > 3 && r && Object.defineProperty(target, key, r), r;
|
|
7
|
+
};
|
|
8
|
+
var __metadata = (this && this.__metadata) || function (k, v) {
|
|
9
|
+
if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
|
|
10
|
+
};
|
|
11
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
12
|
+
exports.CompleteMyProfileRequest = void 0;
|
|
13
|
+
const class_transformer_1 = require("class-transformer");
|
|
14
|
+
const class_validator_1 = require("class-validator");
|
|
15
|
+
/**
|
|
16
|
+
* Body del PUT /me/profile/complete (autenticado, gate post-MFA del autoregistro). DEC-RBAC-034.
|
|
17
|
+
* Opera sobre el propio usuario (cognitoSub del token). Valida nombre + los `userFieldDefs` requeridos
|
|
18
|
+
* del tenant (422 MISSING_REQUIRED_FIELDS si faltan) y flipea `profileComplete=true`.
|
|
19
|
+
*/
|
|
20
|
+
class CompleteMyProfileRequest {
|
|
21
|
+
}
|
|
22
|
+
exports.CompleteMyProfileRequest = CompleteMyProfileRequest;
|
|
23
|
+
__decorate([
|
|
24
|
+
(0, class_transformer_1.Expose)(),
|
|
25
|
+
(0, class_validator_1.IsString)(),
|
|
26
|
+
(0, class_validator_1.IsNotEmpty)(),
|
|
27
|
+
__metadata("design:type", String)
|
|
28
|
+
], CompleteMyProfileRequest.prototype, "displayName", void 0);
|
|
29
|
+
__decorate([
|
|
30
|
+
(0, class_transformer_1.Expose)(),
|
|
31
|
+
(0, class_validator_1.IsOptional)(),
|
|
32
|
+
(0, class_validator_1.IsObject)(),
|
|
33
|
+
__metadata("design:type", Object)
|
|
34
|
+
], CompleteMyProfileRequest.prototype, "customFields", void 0);
|
|
@@ -19,4 +19,6 @@ export declare class CreateTenantRequest {
|
|
|
19
19
|
tokenValidationMode?: TokenValidationMode;
|
|
20
20
|
/** Tipo de tenant a crear. Si se omite, el onboarding aplica su default (hoy: retail). */
|
|
21
21
|
tenantType?: TenantType;
|
|
22
|
+
/** DEC-RBAC-034: aplicación (plantilla) de la que se crea el tenant; opcional, fallback a tenantType (back-compat). */
|
|
23
|
+
applicationId?: string;
|
|
22
24
|
}
|
|
@@ -80,3 +80,9 @@ __decorate([
|
|
|
80
80
|
(0, class_validator_1.IsEnum)(tenantTypes_1.TenantType),
|
|
81
81
|
__metadata("design:type", String)
|
|
82
82
|
], CreateTenantRequest.prototype, "tenantType", void 0);
|
|
83
|
+
__decorate([
|
|
84
|
+
(0, class_transformer_1.Expose)(),
|
|
85
|
+
(0, class_validator_1.IsOptional)(),
|
|
86
|
+
(0, class_validator_1.IsString)(),
|
|
87
|
+
__metadata("design:type", String)
|
|
88
|
+
], CreateTenantRequest.prototype, "applicationId", void 0);
|
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Body del POST /self-register/complete (público, anónimo). DEC-RBAC-033.
|
|
3
|
+
* Consume el `completionToken` del verify-otp (validación condicional atómica server-side, anti
|
|
4
|
+
* doble-complete). La password la elige el usuario y nace permanente (usuario ACTIVE). `displayName`
|
|
5
|
+
* y `customFields` son opcionales (point 6): si llegan completos, `profileComplete=true` y se saltea
|
|
6
|
+
* el gate post-MFA; si no, el usuario nace `profileComplete=false` con displayName placeholder.
|
|
7
|
+
* La password NUNCA se persiste: viaja solo acá, directo a Cognito.
|
|
8
|
+
*/
|
|
9
|
+
export declare class SelfRegisterCompleteRequest {
|
|
10
|
+
tenantId: string;
|
|
11
|
+
email: string;
|
|
12
|
+
completionToken: string;
|
|
13
|
+
password: string;
|
|
14
|
+
displayName?: string;
|
|
15
|
+
customFields?: Record<string, string>;
|
|
16
|
+
}
|
|
17
|
+
/** Respuesta del complete. El usuario nace ACTIVE; `profileComplete` indica si falta completar perfil. */
|
|
18
|
+
export interface SelfRegisterCompleteResponse {
|
|
19
|
+
cognitoSub: string;
|
|
20
|
+
profileComplete: boolean;
|
|
21
|
+
}
|
|
@@ -0,0 +1,60 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
|
|
3
|
+
var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
|
|
4
|
+
if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
|
|
5
|
+
else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
|
|
6
|
+
return c > 3 && r && Object.defineProperty(target, key, r), r;
|
|
7
|
+
};
|
|
8
|
+
var __metadata = (this && this.__metadata) || function (k, v) {
|
|
9
|
+
if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
|
|
10
|
+
};
|
|
11
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
12
|
+
exports.SelfRegisterCompleteRequest = void 0;
|
|
13
|
+
const class_transformer_1 = require("class-transformer");
|
|
14
|
+
const class_validator_1 = require("class-validator");
|
|
15
|
+
/**
|
|
16
|
+
* Body del POST /self-register/complete (público, anónimo). DEC-RBAC-033.
|
|
17
|
+
* Consume el `completionToken` del verify-otp (validación condicional atómica server-side, anti
|
|
18
|
+
* doble-complete). La password la elige el usuario y nace permanente (usuario ACTIVE). `displayName`
|
|
19
|
+
* y `customFields` son opcionales (point 6): si llegan completos, `profileComplete=true` y se saltea
|
|
20
|
+
* el gate post-MFA; si no, el usuario nace `profileComplete=false` con displayName placeholder.
|
|
21
|
+
* La password NUNCA se persiste: viaja solo acá, directo a Cognito.
|
|
22
|
+
*/
|
|
23
|
+
class SelfRegisterCompleteRequest {
|
|
24
|
+
}
|
|
25
|
+
exports.SelfRegisterCompleteRequest = SelfRegisterCompleteRequest;
|
|
26
|
+
__decorate([
|
|
27
|
+
(0, class_transformer_1.Expose)(),
|
|
28
|
+
(0, class_validator_1.IsString)(),
|
|
29
|
+
(0, class_validator_1.IsNotEmpty)(),
|
|
30
|
+
__metadata("design:type", String)
|
|
31
|
+
], SelfRegisterCompleteRequest.prototype, "tenantId", void 0);
|
|
32
|
+
__decorate([
|
|
33
|
+
(0, class_transformer_1.Expose)(),
|
|
34
|
+
(0, class_validator_1.IsEmail)(),
|
|
35
|
+
__metadata("design:type", String)
|
|
36
|
+
], SelfRegisterCompleteRequest.prototype, "email", void 0);
|
|
37
|
+
__decorate([
|
|
38
|
+
(0, class_transformer_1.Expose)(),
|
|
39
|
+
(0, class_validator_1.IsString)(),
|
|
40
|
+
(0, class_validator_1.IsNotEmpty)(),
|
|
41
|
+
__metadata("design:type", String)
|
|
42
|
+
], SelfRegisterCompleteRequest.prototype, "completionToken", void 0);
|
|
43
|
+
__decorate([
|
|
44
|
+
(0, class_transformer_1.Expose)(),
|
|
45
|
+
(0, class_validator_1.IsString)(),
|
|
46
|
+
(0, class_validator_1.MinLength)(8),
|
|
47
|
+
__metadata("design:type", String)
|
|
48
|
+
], SelfRegisterCompleteRequest.prototype, "password", void 0);
|
|
49
|
+
__decorate([
|
|
50
|
+
(0, class_transformer_1.Expose)(),
|
|
51
|
+
(0, class_validator_1.IsOptional)(),
|
|
52
|
+
(0, class_validator_1.IsString)(),
|
|
53
|
+
__metadata("design:type", String)
|
|
54
|
+
], SelfRegisterCompleteRequest.prototype, "displayName", void 0);
|
|
55
|
+
__decorate([
|
|
56
|
+
(0, class_transformer_1.Expose)(),
|
|
57
|
+
(0, class_validator_1.IsOptional)(),
|
|
58
|
+
(0, class_validator_1.IsObject)(),
|
|
59
|
+
__metadata("design:type", Object)
|
|
60
|
+
], SelfRegisterCompleteRequest.prototype, "customFields", void 0);
|
|
@@ -0,0 +1,18 @@
|
|
|
1
|
+
import { PermissionScope } from '../enums/PermissionScope';
|
|
2
|
+
/**
|
|
3
|
+
* Body del POST /self-register/start (público, anónimo). DEC-RBAC-030/031.
|
|
4
|
+
* El `roleId`/`scope`/`scopeRef` los manda el front pero el server los valida contra la allowlist
|
|
5
|
+
* del tenant (`autoregister.allowedRoles`) — guarda anti-escalación. NO incluye campos obligatorios:
|
|
6
|
+
* se completan post-MFA (DEC-RBAC-034). El email se normaliza lowercase server-side.
|
|
7
|
+
*/
|
|
8
|
+
export declare class SelfRegisterStartRequest {
|
|
9
|
+
tenantId: string;
|
|
10
|
+
email: string;
|
|
11
|
+
roleId: string;
|
|
12
|
+
scope: PermissionScope;
|
|
13
|
+
scopeRef: string;
|
|
14
|
+
}
|
|
15
|
+
/** Respuesta del start. `expiresAt` epoch ms del registro pendiente. Genérica también en los caminos de rechazo silencioso (anti-enumeración). */
|
|
16
|
+
export interface SelfRegisterStartResponse {
|
|
17
|
+
expiresAt: number;
|
|
18
|
+
}
|
|
@@ -0,0 +1,52 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
|
|
3
|
+
var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
|
|
4
|
+
if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
|
|
5
|
+
else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
|
|
6
|
+
return c > 3 && r && Object.defineProperty(target, key, r), r;
|
|
7
|
+
};
|
|
8
|
+
var __metadata = (this && this.__metadata) || function (k, v) {
|
|
9
|
+
if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
|
|
10
|
+
};
|
|
11
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
12
|
+
exports.SelfRegisterStartRequest = void 0;
|
|
13
|
+
const class_transformer_1 = require("class-transformer");
|
|
14
|
+
const class_validator_1 = require("class-validator");
|
|
15
|
+
const PermissionScope_1 = require("../enums/PermissionScope");
|
|
16
|
+
/**
|
|
17
|
+
* Body del POST /self-register/start (público, anónimo). DEC-RBAC-030/031.
|
|
18
|
+
* El `roleId`/`scope`/`scopeRef` los manda el front pero el server los valida contra la allowlist
|
|
19
|
+
* del tenant (`autoregister.allowedRoles`) — guarda anti-escalación. NO incluye campos obligatorios:
|
|
20
|
+
* se completan post-MFA (DEC-RBAC-034). El email se normaliza lowercase server-side.
|
|
21
|
+
*/
|
|
22
|
+
class SelfRegisterStartRequest {
|
|
23
|
+
}
|
|
24
|
+
exports.SelfRegisterStartRequest = SelfRegisterStartRequest;
|
|
25
|
+
__decorate([
|
|
26
|
+
(0, class_transformer_1.Expose)(),
|
|
27
|
+
(0, class_validator_1.IsString)(),
|
|
28
|
+
(0, class_validator_1.IsNotEmpty)(),
|
|
29
|
+
__metadata("design:type", String)
|
|
30
|
+
], SelfRegisterStartRequest.prototype, "tenantId", void 0);
|
|
31
|
+
__decorate([
|
|
32
|
+
(0, class_transformer_1.Expose)(),
|
|
33
|
+
(0, class_validator_1.IsEmail)(),
|
|
34
|
+
__metadata("design:type", String)
|
|
35
|
+
], SelfRegisterStartRequest.prototype, "email", void 0);
|
|
36
|
+
__decorate([
|
|
37
|
+
(0, class_transformer_1.Expose)(),
|
|
38
|
+
(0, class_validator_1.IsString)(),
|
|
39
|
+
(0, class_validator_1.IsNotEmpty)(),
|
|
40
|
+
__metadata("design:type", String)
|
|
41
|
+
], SelfRegisterStartRequest.prototype, "roleId", void 0);
|
|
42
|
+
__decorate([
|
|
43
|
+
(0, class_transformer_1.Expose)(),
|
|
44
|
+
(0, class_validator_1.IsEnum)(PermissionScope_1.PermissionScope),
|
|
45
|
+
__metadata("design:type", String)
|
|
46
|
+
], SelfRegisterStartRequest.prototype, "scope", void 0);
|
|
47
|
+
__decorate([
|
|
48
|
+
(0, class_transformer_1.Expose)(),
|
|
49
|
+
(0, class_validator_1.IsString)(),
|
|
50
|
+
(0, class_validator_1.IsNotEmpty)(),
|
|
51
|
+
__metadata("design:type", String)
|
|
52
|
+
], SelfRegisterStartRequest.prototype, "scopeRef", void 0);
|
|
@@ -0,0 +1,14 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Body del POST /self-register/verify-otp (público, anónimo). DEC-RBAC-032.
|
|
3
|
+
* El OTP lo verifica `fiado-messages-lambda` (one-shot). En éxito el server devuelve un
|
|
4
|
+
* `completionToken` one-time que `complete` debe presentar.
|
|
5
|
+
*/
|
|
6
|
+
export declare class SelfRegisterVerifyOtpRequest {
|
|
7
|
+
tenantId: string;
|
|
8
|
+
email: string;
|
|
9
|
+
otp: string;
|
|
10
|
+
}
|
|
11
|
+
/** Respuesta del verify-otp. `completionToken` one-time para el paso `complete`. */
|
|
12
|
+
export interface SelfRegisterVerifyOtpResponse {
|
|
13
|
+
completionToken: string;
|
|
14
|
+
}
|
|
@@ -0,0 +1,39 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
|
|
3
|
+
var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
|
|
4
|
+
if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
|
|
5
|
+
else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
|
|
6
|
+
return c > 3 && r && Object.defineProperty(target, key, r), r;
|
|
7
|
+
};
|
|
8
|
+
var __metadata = (this && this.__metadata) || function (k, v) {
|
|
9
|
+
if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
|
|
10
|
+
};
|
|
11
|
+
Object.defineProperty(exports, "__esModule", { value: true });
|
|
12
|
+
exports.SelfRegisterVerifyOtpRequest = void 0;
|
|
13
|
+
const class_transformer_1 = require("class-transformer");
|
|
14
|
+
const class_validator_1 = require("class-validator");
|
|
15
|
+
/**
|
|
16
|
+
* Body del POST /self-register/verify-otp (público, anónimo). DEC-RBAC-032.
|
|
17
|
+
* El OTP lo verifica `fiado-messages-lambda` (one-shot). En éxito el server devuelve un
|
|
18
|
+
* `completionToken` one-time que `complete` debe presentar.
|
|
19
|
+
*/
|
|
20
|
+
class SelfRegisterVerifyOtpRequest {
|
|
21
|
+
}
|
|
22
|
+
exports.SelfRegisterVerifyOtpRequest = SelfRegisterVerifyOtpRequest;
|
|
23
|
+
__decorate([
|
|
24
|
+
(0, class_transformer_1.Expose)(),
|
|
25
|
+
(0, class_validator_1.IsString)(),
|
|
26
|
+
(0, class_validator_1.IsNotEmpty)(),
|
|
27
|
+
__metadata("design:type", String)
|
|
28
|
+
], SelfRegisterVerifyOtpRequest.prototype, "tenantId", void 0);
|
|
29
|
+
__decorate([
|
|
30
|
+
(0, class_transformer_1.Expose)(),
|
|
31
|
+
(0, class_validator_1.IsEmail)(),
|
|
32
|
+
__metadata("design:type", String)
|
|
33
|
+
], SelfRegisterVerifyOtpRequest.prototype, "email", void 0);
|
|
34
|
+
__decorate([
|
|
35
|
+
(0, class_transformer_1.Expose)(),
|
|
36
|
+
(0, class_validator_1.IsString)(),
|
|
37
|
+
(0, class_validator_1.IsNotEmpty)(),
|
|
38
|
+
__metadata("design:type", String)
|
|
39
|
+
], SelfRegisterVerifyOtpRequest.prototype, "otp", void 0);
|
|
@@ -53,6 +53,7 @@ export declare enum Permission {
|
|
|
53
53
|
PLATFORM_ROLE_DELETE = "platform.role.delete",
|
|
54
54
|
PLATFORM_AUDIT_VIEW = "platform.audit.view",
|
|
55
55
|
PLATFORM_TENANT_USERFIELDS_MANAGE = "platform.tenant.userfields.manage",
|
|
56
|
+
PLATFORM_APPLICATION_MANAGE = "platform.application.manage",
|
|
56
57
|
TENANT_USER_CREATE = "tenant.user.create",
|
|
57
58
|
TENANT_USER_CREATE_LATERAL = "tenant.user.create.lateral",
|
|
58
59
|
TENANT_USER_READ = "tenant.user.read",
|
|
@@ -68,6 +68,8 @@ var Permission;
|
|
|
68
68
|
Permission["PLATFORM_ROLE_DELETE"] = "platform.role.delete";
|
|
69
69
|
Permission["PLATFORM_AUDIT_VIEW"] = "platform.audit.view";
|
|
70
70
|
Permission["PLATFORM_TENANT_USERFIELDS_MANAGE"] = "platform.tenant.userfields.manage";
|
|
71
|
+
// DEC-RBAC-036: gestión de aplicaciones (plantillas) — reemplaza el reuso de rbac.catalog.manage en /applications.
|
|
72
|
+
Permission["PLATFORM_APPLICATION_MANAGE"] = "platform.application.manage";
|
|
71
73
|
// ====================================================
|
|
72
74
|
// TENANT — operaciones dentro del silo de un tenant
|
|
73
75
|
// ====================================================
|
|
@@ -339,6 +341,9 @@ exports.PERMISSION_BIT_ORDER = [
|
|
|
339
341
|
// Append-only 2026-06-19: lateral platform (platform_super_admin asigna roles scope PLATFORM).
|
|
340
342
|
// Al FINAL para no correr bits existentes (PERMS_VERSION cambia, índices previos se conservan).
|
|
341
343
|
Permission.PLATFORM_USER_CREATE_LATERAL,
|
|
344
|
+
// Append-only 2026-06-24 (DEC-RBAC-036): gate dedicada de gestión de aplicaciones (plantillas).
|
|
345
|
+
// Al FINAL para no correr bits existentes (PERMS_VERSION cambia, índices previos se conservan).
|
|
346
|
+
Permission.PLATFORM_APPLICATION_MANAGE,
|
|
342
347
|
];
|
|
343
348
|
function djb2(input) {
|
|
344
349
|
let h = 5381;
|
|
@@ -39,3 +39,7 @@ export * from './enums/PermissionKind';
|
|
|
39
39
|
export type { LevelDef, ApplicationSecurityPolicyDefault, ApplicationBrandingDefault, ApplicationDefaults, SeedRole, Application, } from './application/Application';
|
|
40
40
|
export type { ApplicationPermission } from './application/ApplicationPermission';
|
|
41
41
|
export type { CreateApplicationRequest, UpdateApplicationRequest, UpsertApplicationPermissionRequest, } from './application/requests';
|
|
42
|
+
export * from './dtos/SelfRegisterStartRequest';
|
|
43
|
+
export * from './dtos/SelfRegisterVerifyOtpRequest';
|
|
44
|
+
export * from './dtos/SelfRegisterCompleteRequest';
|
|
45
|
+
export * from './dtos/CompleteMyProfileRequest';
|
|
@@ -86,3 +86,10 @@ __exportStar(require("./dtos/UpdateUserFieldRequest"), exports);
|
|
|
86
86
|
// los requests son interfaces plain (sin decoradores class-validator) → type-only.
|
|
87
87
|
__exportStar(require("./enums/ApplicationStatus"), exports);
|
|
88
88
|
__exportStar(require("./enums/PermissionKind"), exports);
|
|
89
|
+
// Autoregistro self-service por tenant (DEC-RBAC-030..034). Los Request llevan decoradores
|
|
90
|
+
// class-validator (export de valor — se hidratan con plainToInstance); los Response son interfaces
|
|
91
|
+
// plain (type-only). Consumidos por los endpoints públicos de platform-rbac-business + el gate de perfil.
|
|
92
|
+
__exportStar(require("./dtos/SelfRegisterStartRequest"), exports);
|
|
93
|
+
__exportStar(require("./dtos/SelfRegisterVerifyOtpRequest"), exports);
|
|
94
|
+
__exportStar(require("./dtos/SelfRegisterCompleteRequest"), exports);
|
|
95
|
+
__exportStar(require("./dtos/CompleteMyProfileRequest"), exports);
|
package/package.json
CHANGED
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
import { Expose } from 'class-transformer';
|
|
2
|
+
import { IsNotEmpty, IsObject, IsOptional, IsString } from 'class-validator';
|
|
3
|
+
|
|
4
|
+
/**
|
|
5
|
+
* Body del PUT /me/profile/complete (autenticado, gate post-MFA del autoregistro). DEC-RBAC-034.
|
|
6
|
+
* Opera sobre el propio usuario (cognitoSub del token). Valida nombre + los `userFieldDefs` requeridos
|
|
7
|
+
* del tenant (422 MISSING_REQUIRED_FIELDS si faltan) y flipea `profileComplete=true`.
|
|
8
|
+
*/
|
|
9
|
+
export class CompleteMyProfileRequest {
|
|
10
|
+
@Expose() @IsString() @IsNotEmpty() displayName!: string;
|
|
11
|
+
@Expose() @IsOptional() @IsObject() customFields?: Record<string, string>;
|
|
12
|
+
}
|
|
@@ -22,4 +22,6 @@ export class CreateTenantRequest {
|
|
|
22
22
|
@Expose() @IsOptional() @IsEnum(TokenValidationMode) tokenValidationMode?: TokenValidationMode;
|
|
23
23
|
/** Tipo de tenant a crear. Si se omite, el onboarding aplica su default (hoy: retail). */
|
|
24
24
|
@Expose() @IsOptional() @IsEnum(TenantType) tenantType?: TenantType;
|
|
25
|
+
/** DEC-RBAC-034: aplicación (plantilla) de la que se crea el tenant; opcional, fallback a tenantType (back-compat). */
|
|
26
|
+
@Expose() @IsOptional() @IsString() applicationId?: string;
|
|
25
27
|
}
|
|
@@ -0,0 +1,25 @@
|
|
|
1
|
+
import { Expose } from 'class-transformer';
|
|
2
|
+
import { IsEmail, IsNotEmpty, IsObject, IsOptional, IsString, MinLength } from 'class-validator';
|
|
3
|
+
|
|
4
|
+
/**
|
|
5
|
+
* Body del POST /self-register/complete (público, anónimo). DEC-RBAC-033.
|
|
6
|
+
* Consume el `completionToken` del verify-otp (validación condicional atómica server-side, anti
|
|
7
|
+
* doble-complete). La password la elige el usuario y nace permanente (usuario ACTIVE). `displayName`
|
|
8
|
+
* y `customFields` son opcionales (point 6): si llegan completos, `profileComplete=true` y se saltea
|
|
9
|
+
* el gate post-MFA; si no, el usuario nace `profileComplete=false` con displayName placeholder.
|
|
10
|
+
* La password NUNCA se persiste: viaja solo acá, directo a Cognito.
|
|
11
|
+
*/
|
|
12
|
+
export class SelfRegisterCompleteRequest {
|
|
13
|
+
@Expose() @IsString() @IsNotEmpty() tenantId!: string;
|
|
14
|
+
@Expose() @IsEmail() email!: string;
|
|
15
|
+
@Expose() @IsString() @IsNotEmpty() completionToken!: string;
|
|
16
|
+
@Expose() @IsString() @MinLength(8) password!: string;
|
|
17
|
+
@Expose() @IsOptional() @IsString() displayName?: string;
|
|
18
|
+
@Expose() @IsOptional() @IsObject() customFields?: Record<string, string>;
|
|
19
|
+
}
|
|
20
|
+
|
|
21
|
+
/** Respuesta del complete. El usuario nace ACTIVE; `profileComplete` indica si falta completar perfil. */
|
|
22
|
+
export interface SelfRegisterCompleteResponse {
|
|
23
|
+
cognitoSub: string;
|
|
24
|
+
profileComplete: boolean;
|
|
25
|
+
}
|
|
@@ -0,0 +1,22 @@
|
|
|
1
|
+
import { Expose } from 'class-transformer';
|
|
2
|
+
import { IsEmail, IsEnum, IsNotEmpty, IsString } from 'class-validator';
|
|
3
|
+
import { PermissionScope } from '../enums/PermissionScope';
|
|
4
|
+
|
|
5
|
+
/**
|
|
6
|
+
* Body del POST /self-register/start (público, anónimo). DEC-RBAC-030/031.
|
|
7
|
+
* El `roleId`/`scope`/`scopeRef` los manda el front pero el server los valida contra la allowlist
|
|
8
|
+
* del tenant (`autoregister.allowedRoles`) — guarda anti-escalación. NO incluye campos obligatorios:
|
|
9
|
+
* se completan post-MFA (DEC-RBAC-034). El email se normaliza lowercase server-side.
|
|
10
|
+
*/
|
|
11
|
+
export class SelfRegisterStartRequest {
|
|
12
|
+
@Expose() @IsString() @IsNotEmpty() tenantId!: string;
|
|
13
|
+
@Expose() @IsEmail() email!: string;
|
|
14
|
+
@Expose() @IsString() @IsNotEmpty() roleId!: string;
|
|
15
|
+
@Expose() @IsEnum(PermissionScope) scope!: PermissionScope;
|
|
16
|
+
@Expose() @IsString() @IsNotEmpty() scopeRef!: string;
|
|
17
|
+
}
|
|
18
|
+
|
|
19
|
+
/** Respuesta del start. `expiresAt` epoch ms del registro pendiente. Genérica también en los caminos de rechazo silencioso (anti-enumeración). */
|
|
20
|
+
export interface SelfRegisterStartResponse {
|
|
21
|
+
expiresAt: number;
|
|
22
|
+
}
|
|
@@ -0,0 +1,18 @@
|
|
|
1
|
+
import { Expose } from 'class-transformer';
|
|
2
|
+
import { IsEmail, IsNotEmpty, IsString } from 'class-validator';
|
|
3
|
+
|
|
4
|
+
/**
|
|
5
|
+
* Body del POST /self-register/verify-otp (público, anónimo). DEC-RBAC-032.
|
|
6
|
+
* El OTP lo verifica `fiado-messages-lambda` (one-shot). En éxito el server devuelve un
|
|
7
|
+
* `completionToken` one-time que `complete` debe presentar.
|
|
8
|
+
*/
|
|
9
|
+
export class SelfRegisterVerifyOtpRequest {
|
|
10
|
+
@Expose() @IsString() @IsNotEmpty() tenantId!: string;
|
|
11
|
+
@Expose() @IsEmail() email!: string;
|
|
12
|
+
@Expose() @IsString() @IsNotEmpty() otp!: string;
|
|
13
|
+
}
|
|
14
|
+
|
|
15
|
+
/** Respuesta del verify-otp. `completionToken` one-time para el paso `complete`. */
|
|
16
|
+
export interface SelfRegisterVerifyOtpResponse {
|
|
17
|
+
completionToken: string;
|
|
18
|
+
}
|
|
@@ -63,6 +63,8 @@ export enum Permission {
|
|
|
63
63
|
PLATFORM_ROLE_DELETE = 'platform.role.delete',
|
|
64
64
|
PLATFORM_AUDIT_VIEW = 'platform.audit.view',
|
|
65
65
|
PLATFORM_TENANT_USERFIELDS_MANAGE = 'platform.tenant.userfields.manage',
|
|
66
|
+
// DEC-RBAC-036: gestión de aplicaciones (plantillas) — reemplaza el reuso de rbac.catalog.manage en /applications.
|
|
67
|
+
PLATFORM_APPLICATION_MANAGE = 'platform.application.manage',
|
|
66
68
|
|
|
67
69
|
// ====================================================
|
|
68
70
|
// TENANT — operaciones dentro del silo de un tenant
|
|
@@ -341,6 +343,9 @@ export const PERMISSION_BIT_ORDER: readonly Permission[] = [
|
|
|
341
343
|
// Append-only 2026-06-19: lateral platform (platform_super_admin asigna roles scope PLATFORM).
|
|
342
344
|
// Al FINAL para no correr bits existentes (PERMS_VERSION cambia, índices previos se conservan).
|
|
343
345
|
Permission.PLATFORM_USER_CREATE_LATERAL,
|
|
346
|
+
// Append-only 2026-06-24 (DEC-RBAC-036): gate dedicada de gestión de aplicaciones (plantillas).
|
|
347
|
+
// Al FINAL para no correr bits existentes (PERMS_VERSION cambia, índices previos se conservan).
|
|
348
|
+
Permission.PLATFORM_APPLICATION_MANAGE,
|
|
344
349
|
] as const;
|
|
345
350
|
|
|
346
351
|
function djb2(input: string): number {
|
|
@@ -93,3 +93,11 @@ export type {
|
|
|
93
93
|
UpdateApplicationRequest,
|
|
94
94
|
UpsertApplicationPermissionRequest,
|
|
95
95
|
} from './application/requests';
|
|
96
|
+
|
|
97
|
+
// Autoregistro self-service por tenant (DEC-RBAC-030..034). Los Request llevan decoradores
|
|
98
|
+
// class-validator (export de valor — se hidratan con plainToInstance); los Response son interfaces
|
|
99
|
+
// plain (type-only). Consumidos por los endpoints públicos de platform-rbac-business + el gate de perfil.
|
|
100
|
+
export * from './dtos/SelfRegisterStartRequest';
|
|
101
|
+
export * from './dtos/SelfRegisterVerifyOtpRequest';
|
|
102
|
+
export * from './dtos/SelfRegisterCompleteRequest';
|
|
103
|
+
export * from './dtos/CompleteMyProfileRequest';
|