@flusys/nestjs-iam 0.1.0-alpha.1 → 0.1.0-beta.2

package/cjs/entities/permission-with-company.entity.js

@@ -0,0 +1,99 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", {
+    value: true
+});
+Object.defineProperty(exports, "UserIamPermissionWithCompany", {
+    enumerable: true,
+    get: function() {
+        return UserIamPermissionWithCompany;
+    }
+});
+const _typeorm = require("typeorm");
+const _permissionbaseentity = require("./permission-base.entity");
+function _define_property(obj, key, value) {
+    if (key in obj) {
+        Object.defineProperty(obj, key, {
+            value: value,
+            enumerable: true,
+            configurable: true,
+            writable: true
+        });
+    } else {
+        obj[key] = value;
+    }
+    return obj;
+}
+function _ts_decorate(decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for(var i = decorators.length - 1; i >= 0; i--)if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+}
+function _ts_metadata(k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+}
+let UserIamPermissionWithCompany = class UserIamPermissionWithCompany extends _permissionbaseentity.PermissionBase {
+    constructor(...args){
+        super(...args), /**
+   * Company ID - Company scope for this permission
+   * - null: Global permission (not company-specific)
+   * - set: Permission belongs to this company
+   */ _define_property(this, "companyId", void 0), /**
+   * Branch ID - Branch scope for this permission
+   * - null: Company-wide permission (all branches in company)
+   * - set: Permission applies only to this specific branch
+   */ _define_property(this, "branchId", void 0);
+    }
+};
+_ts_decorate([
+    (0, _typeorm.Column)({
+        type: 'uuid',
+        nullable: true,
+        name: 'company_id'
+    }),
+    _ts_metadata("design:type", Object)
+], UserIamPermissionWithCompany.prototype, "companyId", void 0);
+_ts_decorate([
+    (0, _typeorm.Column)({
+        type: 'uuid',
+        nullable: true,
+        name: 'branch_id'
+    }),
+    _ts_metadata("design:type", Object)
+], UserIamPermissionWithCompany.prototype, "branchId", void 0);
+UserIamPermissionWithCompany = _ts_decorate([
+    (0, _typeorm.Entity)({
+        name: 'user_iam_permission'
+    }),
+    (0, _typeorm.Index)([
+        'permissionType',
+        'sourceId',
+        'targetId'
+    ], {
+        unique: true
+    }),
+    (0, _typeorm.Index)([
+        'sourceId',
+        'sourceType'
+    ]),
+    (0, _typeorm.Index)([
+        'targetId',
+        'targetType'
+    ]),
+    (0, _typeorm.Index)([
+        'permissionType'
+    ]),
+    (0, _typeorm.Index)([
+        'userId'
+    ]),
+    (0, _typeorm.Index)([
+        'companyId'
+    ]),
+    (0, _typeorm.Index)([
+        'branchId'
+    ]),
+    (0, _typeorm.Index)([
+        'companyId',
+        'branchId'
+    ])
+], UserIamPermissionWithCompany);

package/cjs/entities/role-base.entity.js

@@ -0,0 +1,86 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", {
+    value: true
+});
+Object.defineProperty(exports, "RoleBase", {
+    enumerable: true,
+    get: function() {
+        return RoleBase;
+    }
+});
+const _nestjsshared = require("@flusys/nestjs-shared");
+const _typeorm = require("typeorm");
+function _define_property(obj, key, value) {
+    if (key in obj) {
+        Object.defineProperty(obj, key, {
+            value: value,
+            enumerable: true,
+            configurable: true,
+            writable: true
+        });
+    } else {
+        obj[key] = value;
+    }
+    return obj;
+}
+function _ts_decorate(decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for(var i = decorators.length - 1; i >= 0; i--)if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+}
+function _ts_metadata(k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+}
+let RoleBase = class RoleBase extends _nestjsshared.Identity {
+    constructor(...args){
+        super(...args), _define_property(this, "readOnly", void 0), _define_property(this, "name", void 0), _define_property(this, "description", void 0), _define_property(this, "isActive", void 0), _define_property(this, "serial", void 0), _define_property(this, "metadata", void 0);
+    }
+};
+_ts_decorate([
+    (0, _typeorm.Column)({
+        type: 'boolean',
+        nullable: false,
+        default: false,
+        name: 'read_only'
+    }),
+    _ts_metadata("design:type", Boolean)
+], RoleBase.prototype, "readOnly", void 0);
+_ts_decorate([
+    (0, _typeorm.Column)({
+        type: 'varchar',
+        length: 255,
+        nullable: false
+    }),
+    _ts_metadata("design:type", String)
+], RoleBase.prototype, "name", void 0);
+_ts_decorate([
+    (0, _typeorm.Column)({
+        type: 'varchar',
+        length: 500,
+        nullable: true
+    }),
+    _ts_metadata("design:type", Object)
+], RoleBase.prototype, "description", void 0);
+_ts_decorate([
+    (0, _typeorm.Column)({
+        type: 'boolean',
+        nullable: false,
+        default: true,
+        name: 'is_active'
+    }),
+    _ts_metadata("design:type", Boolean)
+], RoleBase.prototype, "isActive", void 0);
+_ts_decorate([
+    (0, _typeorm.Column)({
+        type: 'int',
+        nullable: true
+    }),
+    _ts_metadata("design:type", Object)
+], RoleBase.prototype, "serial", void 0);
+_ts_decorate([
+    (0, _typeorm.Column)('simple-json', {
+        nullable: true
+    }),
+    _ts_metadata("design:type", Object)
+], RoleBase.prototype, "metadata", void 0);

package/cjs/entities/role-with-company.entity.js

@@ -0,0 +1,55 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", {
+    value: true
+});
+Object.defineProperty(exports, "RoleWithCompany", {
+    enumerable: true,
+    get: function() {
+        return RoleWithCompany;
+    }
+});
+const _typeorm = require("typeorm");
+const _rolebaseentity = require("./role-base.entity");
+function _define_property(obj, key, value) {
+    if (key in obj) {
+        Object.defineProperty(obj, key, {
+            value: value,
+            enumerable: true,
+            configurable: true,
+            writable: true
+        });
+    } else {
+        obj[key] = value;
+    }
+    return obj;
+}
+function _ts_decorate(decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for(var i = decorators.length - 1; i >= 0; i--)if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+}
+function _ts_metadata(k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+}
+let RoleWithCompany = class RoleWithCompany extends _rolebaseentity.RoleBase {
+    constructor(...args){
+        super(...args), _define_property(this, "companyId", void 0);
+    }
+};
+_ts_decorate([
+    (0, _typeorm.Column)({
+        type: 'uuid',
+        nullable: true,
+        name: 'company_id'
+    }),
+    _ts_metadata("design:type", Object)
+], RoleWithCompany.prototype, "companyId", void 0);
+RoleWithCompany = _ts_decorate([
+    (0, _typeorm.Entity)({
+        name: 'role'
+    }),
+    (0, _typeorm.Index)([
+        'companyId'
+    ])
+], RoleWithCompany);

package/cjs/entities/role.entity.js

@@ -0,0 +1,25 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", {
+    value: true
+});
+Object.defineProperty(exports, "Role", {
+    enumerable: true,
+    get: function() {
+        return Role;
+    }
+});
+const _typeorm = require("typeorm");
+const _rolebaseentity = require("./role-base.entity");
+function _ts_decorate(decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for(var i = decorators.length - 1; i >= 0; i--)if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+}
+let Role = class Role extends _rolebaseentity.RoleBase {
+};
+Role = _ts_decorate([
+    (0, _typeorm.Entity)({
+        name: 'role'
+    })
+], Role);

package/cjs/entities/user-iam-permission.entity.js

@@ -0,0 +1,57 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", {
+    value: true
+});
+function _export(target, all) {
+    for(var name in all)Object.defineProperty(target, name, {
+        enumerable: true,
+        get: Object.getOwnPropertyDescriptor(all, name).get
+    });
+}
+_export(exports, {
+    get IamEntityType () {
+        return _permissionbaseentity.IamEntityType;
+    },
+    get IamPermissionType () {
+        return _permissionbaseentity.IamPermissionType;
+    },
+    get UserIamPermission () {
+        return UserIamPermission;
+    }
+});
+const _typeorm = require("typeorm");
+const _permissionbaseentity = require("./permission-base.entity");
+function _ts_decorate(decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for(var i = decorators.length - 1; i >= 0; i--)if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+}
+let UserIamPermission = class UserIamPermission extends _permissionbaseentity.PermissionBase {
+};
+UserIamPermission = _ts_decorate([
+    (0, _typeorm.Entity)({
+        name: 'user_iam_permission'
+    }),
+    (0, _typeorm.Index)([
+        'permissionType',
+        'sourceId',
+        'targetId'
+    ], {
+        unique: true
+    }),
+    (0, _typeorm.Index)([
+        'sourceId',
+        'sourceType'
+    ]),
+    (0, _typeorm.Index)([
+        'targetId',
+        'targetType'
+    ]),
+    (0, _typeorm.Index)([
+        'permissionType'
+    ]),
+    (0, _typeorm.Index)([
+        'userId'
+    ])
+], UserIamPermission);

package/cjs/enums/action-type.enum.js

@@ -0,0 +1,22 @@
+/**
+ * ActionType Enum - Categorizes actions by their usage context
+ *
+ * - BACKEND: Actions for API endpoint permissions (cached for PermissionGuard)
+ * - FRONTEND: Actions for frontend features (returned in my-permissions API)
+ * - BOTH: Actions used for both backend and frontend (cached + returned)
+ */ "use strict";
+Object.defineProperty(exports, "__esModule", {
+    value: true
+});
+Object.defineProperty(exports, "ActionType", {
+    enumerable: true,
+    get: function() {
+        return ActionType;
+    }
+});
+var ActionType = /*#__PURE__*/ function(ActionType) {
+    ActionType["BACKEND"] = "backend";
+    ActionType["FRONTEND"] = "frontend";
+    ActionType["BOTH"] = "both";
+    return ActionType;
+}({});

package/cjs/enums/index.js

@@ -0,0 +1,19 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", {
+    value: true
+});
+_export_star(require("./action-type.enum"), exports);
+_export_star(require("./permission-type.enum"), exports);
+function _export_star(from, to) {
+    Object.keys(from).forEach(function(k) {
+        if (k !== "default" && !Object.prototype.hasOwnProperty.call(to, k)) {
+            Object.defineProperty(to, k, {
+                enumerable: true,
+                get: function() {
+                    return from[k];
+                }
+            });
+        }
+    });
+    return from;
+}

package/cjs/enums/permission-type.enum.js

@@ -0,0 +1,16 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", {
+    value: true
+});
+Object.defineProperty(exports, "IAMPermissionMode", {
+    enumerable: true,
+    get: function() {
+        return IAMPermissionMode;
+    }
+});
+var IAMPermissionMode = /*#__PURE__*/ function(IAMPermissionMode) {
+    IAMPermissionMode[IAMPermissionMode["RBAC"] = 1] = "RBAC";
+    IAMPermissionMode[IAMPermissionMode["DIRECT"] = 2] = "DIRECT";
+    IAMPermissionMode[IAMPermissionMode["FULL"] = 3] = "FULL";
+    return IAMPermissionMode;
+}({});

package/cjs/helpers/index.js

@@ -0,0 +1,19 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", {
+    value: true
+});
+_export_star(require("./permission-evaluator.helper"), exports);
+_export_star(require("./permission-mode.helper"), exports);
+function _export_star(from, to) {
+    Object.keys(from).forEach(function(k) {
+        if (k !== "default" && !Object.prototype.hasOwnProperty.call(to, k)) {
+            Object.defineProperty(to, k, {
+                enumerable: true,
+                get: function() {
+                    return from[k];
+                }
+            });
+        }
+    });
+    return from;
+}

package/cjs/helpers/permission-evaluator.helper.js

@@ -0,0 +1,175 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", {
+    value: true
+});
+Object.defineProperty(exports, "PermissionEvaluatorHelper", {
+    enumerable: true,
+    get: function() {
+        return PermissionEvaluatorHelper;
+    }
+});
+const _common = require("@nestjs/common");
+function _ts_decorate(decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for(var i = decorators.length - 1; i >= 0; i--)if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+}
+let PermissionEvaluatorHelper = class PermissionEvaluatorHelper {
+    /**
+   * Evaluate if user has access based on permission logic
+   *
+   * @param logic - Permission logic to evaluate
+   * @param context - User permission context
+   * @returns true if user has access, false otherwise
+   */ evaluate(logic, context) {
+        // If no logic defined, access is granted
+        if (!logic) {
+            return true;
+        }
+        return this.evaluateNode(logic, context);
+    }
+    /**
+   * Evaluate a single logic node
+   */ evaluateNode(node, context) {
+        switch(node.type){
+            case 'action':
+                return this.evaluateAction(node.actionId, context);
+            case 'group':
+                return this.evaluateGroup(node, context);
+            default:
+                // Unknown node type, deny access
+                return false;
+        }
+    }
+    /**
+   * Evaluate action permission
+   * Priority: Deny > Grant > Inherited
+   */ evaluateAction(actionId, context) {
+        // 1. Check explicit deny (highest priority)
+        if (context.deniedActionIds.has(actionId)) {
+            return false;
+        }
+        // 2. Check explicit grant
+        if (context.grantedActionIds.has(actionId)) {
+            return true;
+        }
+        // 3. Check inherited actions (from parent actions)
+        if (context.inheritedActionIds?.has(actionId)) {
+            return true;
+        }
+        // No permission found
+        return false;
+    }
+    /**
+   * Evaluate group (AND/OR logic)
+   */ evaluateGroup(node, context) {
+        if (!node.children || node.children.length === 0) {
+            return false;
+        }
+        const results = node.children.map((child)=>this.evaluateNode(child, context));
+        if (node.operator === 'AND') {
+            // ALL children must be true
+            return results.every((result)=>result === true);
+        } else if (node.operator === 'OR') {
+            // ANY child must be true
+            return results.some((result)=>result === true);
+        }
+        // Unknown operator, deny access
+        return false;
+    }
+    /**
+   * Batch evaluate multiple logic nodes
+   * Useful for checking multiple permissions at once
+   *
+   * @param logics - Array of logic nodes to evaluate
+   * @param context - User permission context
+   * @returns Map of logic ID to evaluation result
+   */ batchEvaluate(logics, context) {
+        const results = new Map();
+        for (const item of logics){
+            results.set(item.id, this.evaluate(item.logic, context));
+        }
+        return results;
+    }
+    /**
+   * Check if user has ANY of the specified actions
+   *
+   * @param actionIds - Array of action IDs
+   * @param context - User permission context
+   * @returns true if user has at least one action
+   */ hasAnyAction(actionIds, context) {
+        return actionIds.some((actionId)=>this.evaluateAction(actionId, context));
+    }
+    /**
+   * Check if user has ALL of the specified actions
+   *
+   * @param actionIds - Array of action IDs
+   * @param context - User permission context
+   * @returns true if user has all actions
+   */ hasAllActions(actionIds, context) {
+        return actionIds.every((actionId)=>this.evaluateAction(actionId, context));
+    }
+    /**
+   * Check if user has ANY of the specified roles
+   *
+   * @param roleIds - Array of role IDs
+   * @param context - User permission context
+   * @returns true if user has at least one role
+   */ hasAnyRole(roleIds, context) {
+        return roleIds.some((roleId)=>context.roleIds.has(roleId));
+    }
+    /**
+   * Check if user has ALL of the specified roles
+   *
+   * @param roleIds - Array of role IDs
+   * @param context - User permission context
+   * @returns true if user has all roles
+   */ hasAllRoles(roleIds, context) {
+        return roleIds.every((roleId)=>context.roleIds.has(roleId));
+    }
+    /**
+   * Simplified evaluation for menu filtering
+   * Uses action codes instead of action IDs
+   *
+   * @param logic - Permission logic to evaluate
+   * @param actionCodes - Set of action codes the user has
+   * @returns true if user has access, false otherwise
+   */ evaluateLogicNode(logic, actionCodes) {
+        if (!logic) {
+            return true;
+        }
+        return this.evaluateNodeSimple(logic, actionCodes);
+    }
+    /**
+   * Simplified node evaluation using codes
+   */ evaluateNodeSimple(node, actionCodes) {
+        switch(node.type){
+            case 'action':
+                // Check if user has action by actionId (which matches action.code)
+                return node.actionId ? actionCodes.has(node.actionId) : false;
+            case 'group':
+                return this.evaluateGroupSimple(node, actionCodes);
+            default:
+                return false;
+        }
+    }
+    /**
+   * Simplified group evaluation
+   */ evaluateGroupSimple(node, actionCodes) {
+        if (!node.children || node.children.length === 0) {
+            // Empty AND = true, Empty OR = false
+            return node.operator === 'AND';
+        }
+        const results = node.children.map((child)=>this.evaluateNodeSimple(child, actionCodes));
+        if (node.operator === 'AND') {
+            return results.every((result)=>result === true);
+        } else if (node.operator === 'OR') {
+            return results.some((result)=>result === true);
+        }
+        return false;
+    }
+};
+PermissionEvaluatorHelper = _ts_decorate([
+    (0, _common.Injectable)()
+], PermissionEvaluatorHelper);

package/cjs/helpers/permission-mode.helper.js

@@ -0,0 +1,49 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", {
+    value: true
+});
+Object.defineProperty(exports, "PermissionModeHelper", {
+    enumerable: true,
+    get: function() {
+        return PermissionModeHelper;
+    }
+});
+const _permissiontypeenum = require("../enums/permission-type.enum");
+let PermissionModeHelper = class PermissionModeHelper {
+    /**
+   * Convert permission mode string to enum value
+   *
+   * @param modeStr - Permission mode string ('FULL', 'RBAC', 'DIRECT')
+   * @returns IAMPermissionMode enum value
+   * @default IAMPermissionMode.FULL if invalid/missing
+   *
+   * @example
+   * ```typescript
+   * const mode = PermissionModeHelper.fromString('RBAC');
+   * // Returns: IAMPermissionMode.RBAC
+   *
+   * const mode = PermissionModeHelper.fromString(undefined);
+   * // Returns: IAMPermissionMode.FULL (default)
+   * ```
+   */ static fromString(modeStr) {
+        if (!modeStr) {
+            return _permissiontypeenum.IAMPermissionMode.FULL;
+        }
+        const mode = _permissiontypeenum.IAMPermissionMode[modeStr];
+        return mode ?? _permissiontypeenum.IAMPermissionMode.FULL;
+    }
+    /**
+   * Convert enum value to string (for serialization/logging)
+   *
+   * @param mode - IAMPermissionMode enum value
+   * @returns String representation
+   *
+   * @example
+   * ```typescript
+   * const str = PermissionModeHelper.toString(IAMPermissionMode.RBAC);
+   * // Returns: 'RBAC'
+   * ```
+   */ static toString(mode) {
+        return _permissiontypeenum.IAMPermissionMode[mode];
+    }
+};