@flusys/nestjs-iam 0.1.0-beta.1 → 0.1.0-beta.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (118) hide show
  1. package/README.md +665 -0
  2. package/cjs/config/iam.constants.js +11 -0
  3. package/cjs/config/index.js +18 -0
  4. package/cjs/controllers/action.controller.js +117 -0
  5. package/cjs/controllers/company-action-permission.controller.js +110 -0
  6. package/cjs/controllers/index.js +23 -0
  7. package/cjs/controllers/my-permission.controller.js +90 -0
  8. package/cjs/controllers/role-permission.controller.js +160 -0
  9. package/cjs/controllers/role.controller.js +58 -0
  10. package/cjs/controllers/user-action-permission.controller.js +110 -0
  11. package/cjs/docs/iam-swagger.config.js +202 -0
  12. package/cjs/docs/index.js +18 -0
  13. package/cjs/dtos/action.dto.js +347 -0
  14. package/cjs/dtos/index.js +21 -0
  15. package/cjs/dtos/permission.dto.js +554 -0
  16. package/cjs/dtos/role.dto.js +238 -0
  17. package/cjs/entities/action-base.entity.js +135 -0
  18. package/cjs/entities/action.entity.js +28 -0
  19. package/cjs/entities/index.js +81 -0
  20. package/cjs/entities/permission-base.entity.js +156 -0
  21. package/cjs/entities/permission-with-company.entity.js +99 -0
  22. package/cjs/entities/role-base.entity.js +86 -0
  23. package/cjs/entities/role-with-company.entity.js +55 -0
  24. package/cjs/entities/role.entity.js +25 -0
  25. package/cjs/entities/user-iam-permission.entity.js +57 -0
  26. package/cjs/enums/action-type.enum.js +22 -0
  27. package/cjs/enums/index.js +19 -0
  28. package/cjs/enums/permission-type.enum.js +16 -0
  29. package/cjs/helpers/index.js +19 -0
  30. package/cjs/helpers/permission-evaluator.helper.js +175 -0
  31. package/cjs/helpers/permission-mode.helper.js +49 -0
  32. package/cjs/index.js +28 -79
  33. package/cjs/interfaces/action.interface.js +4 -0
  34. package/cjs/interfaces/iam-module-async-options.interface.js +4 -0
  35. package/cjs/interfaces/iam-module-options.interface.js +18 -0
  36. package/cjs/interfaces/index.js +21 -0
  37. package/cjs/interfaces/role.interface.js +7 -0
  38. package/cjs/modules/iam.module.js +237 -0
  39. package/cjs/modules/index.js +18 -0
  40. package/cjs/services/action.service.js +253 -0
  41. package/cjs/services/iam-config.service.js +107 -0
  42. package/cjs/services/iam-datasource.provider.js +205 -0
  43. package/cjs/services/index.js +23 -0
  44. package/cjs/services/permission-cache.service.js +308 -0
  45. package/cjs/services/permission.service.js +1020 -0
  46. package/cjs/services/role.service.js +181 -0
  47. package/cjs/types/index.js +18 -0
  48. package/cjs/types/logic-node.type.js +54 -0
  49. package/fesm/config/iam.constants.js +1 -0
  50. package/fesm/config/index.js +1 -0
  51. package/fesm/controllers/action.controller.js +107 -0
  52. package/fesm/controllers/company-action-permission.controller.js +100 -0
  53. package/fesm/controllers/index.js +7 -0
  54. package/fesm/controllers/my-permission.controller.js +80 -0
  55. package/fesm/controllers/role-permission.controller.js +150 -0
  56. package/fesm/controllers/role.controller.js +48 -0
  57. package/fesm/controllers/user-action-permission.controller.js +100 -0
  58. package/fesm/docs/iam-swagger.config.js +192 -0
  59. package/fesm/docs/index.js +1 -0
  60. package/fesm/dtos/action.dto.js +317 -0
  61. package/fesm/dtos/index.js +4 -0
  62. package/fesm/dtos/permission.dto.js +490 -0
  63. package/fesm/dtos/role.dto.js +214 -0
  64. package/fesm/entities/action-base.entity.js +128 -0
  65. package/fesm/entities/action.entity.js +18 -0
  66. package/fesm/entities/index.js +56 -0
  67. package/fesm/entities/permission-base.entity.js +138 -0
  68. package/fesm/entities/permission-with-company.entity.js +89 -0
  69. package/fesm/entities/role-base.entity.js +79 -0
  70. package/fesm/entities/role-with-company.entity.js +45 -0
  71. package/fesm/entities/role.entity.js +15 -0
  72. package/fesm/entities/user-iam-permission.entity.js +38 -0
  73. package/fesm/enums/action-type.enum.js +12 -0
  74. package/fesm/enums/index.js +2 -0
  75. package/fesm/enums/permission-type.enum.js +6 -0
  76. package/fesm/helpers/index.js +2 -0
  77. package/fesm/helpers/permission-evaluator.helper.js +165 -0
  78. package/fesm/helpers/permission-mode.helper.js +49 -0
  79. package/fesm/index.js +11 -79
  80. package/fesm/interfaces/action.interface.js +3 -0
  81. package/fesm/interfaces/iam-module-async-options.interface.js +3 -0
  82. package/fesm/interfaces/iam-module-options.interface.js +1 -0
  83. package/fesm/interfaces/index.js +4 -0
  84. package/fesm/interfaces/role.interface.js +4 -0
  85. package/fesm/modules/iam.module.js +227 -0
  86. package/fesm/modules/index.js +1 -0
  87. package/fesm/services/action.service.js +243 -0
  88. package/fesm/services/iam-config.service.js +97 -0
  89. package/fesm/services/iam-datasource.provider.js +154 -0
  90. package/fesm/services/index.js +6 -0
  91. package/fesm/services/permission-cache.service.js +298 -0
  92. package/fesm/services/permission.service.js +1010 -0
  93. package/fesm/services/role.service.js +171 -0
  94. package/fesm/types/index.js +1 -0
  95. package/fesm/types/logic-node.type.js +36 -0
  96. package/package.json +25 -25
  97. package/cjs/config-index.js +0 -1
  98. package/cjs/controllers-index.js +0 -1
  99. package/cjs/docs-index.js +0 -79
  100. package/cjs/dtos-index.js +0 -1
  101. package/cjs/entities-index.js +0 -1
  102. package/cjs/enums-index.js +0 -1
  103. package/cjs/helpers-index.js +0 -1
  104. package/cjs/interfaces-index.js +0 -1
  105. package/cjs/modules-index.js +0 -1
  106. package/cjs/services-index.js +0 -1
  107. package/cjs/types-index.js +0 -1
  108. package/fesm/config-index.js +0 -1
  109. package/fesm/controllers-index.js +0 -1
  110. package/fesm/docs-index.js +0 -79
  111. package/fesm/dtos-index.js +0 -1
  112. package/fesm/entities-index.js +0 -1
  113. package/fesm/enums-index.js +0 -1
  114. package/fesm/helpers-index.js +0 -1
  115. package/fesm/interfaces-index.js +0 -0
  116. package/fesm/modules-index.js +0 -1
  117. package/fesm/services-index.js +0 -1
  118. package/fesm/types-index.js +0 -1
@@ -0,0 +1,150 @@
1
+ function _define_property(obj, key, value) {
2
+ if (key in obj) {
3
+ Object.defineProperty(obj, key, {
4
+ value: value,
5
+ enumerable: true,
6
+ configurable: true,
7
+ writable: true
8
+ });
9
+ } else {
10
+ obj[key] = value;
11
+ }
12
+ return obj;
13
+ }
14
+ function _ts_decorate(decorators, target, key, desc) {
15
+ var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
16
+ if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
17
+ else for(var i = decorators.length - 1; i >= 0; i--)if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
18
+ return c > 3 && r && Object.defineProperty(target, key, r), r;
19
+ }
20
+ function _ts_metadata(k, v) {
21
+ if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
22
+ }
23
+ function _ts_param(paramIndex, decorator) {
24
+ return function(target, key) {
25
+ decorator(target, key, paramIndex);
26
+ };
27
+ }
28
+ import { JwtAuthGuard, SingleResponseDto } from '@flusys/nestjs-shared';
29
+ import { Body, Controller, Get, Inject, Param, Post, Query, UseGuards } from '@nestjs/common';
30
+ import { ApiBearerAuth, ApiBody, ApiOperation, ApiResponse, ApiTags } from '@nestjs/swagger';
31
+ import { AssignRoleActionsDto, AssignUserRolesDto, GetRoleActionsDto, GetUserRolesDto, PermissionOperationResultDto } from '../dtos/permission.dto';
32
+ import { PermissionService } from '../services/permission.service';
33
+ export class RolePermissionController {
34
+ async assignRoleActions(dto) {
35
+ return this.permissionService.assignRoleActions(dto);
36
+ }
37
+ async getRoleActions(roleId, query) {
38
+ const actions = await this.permissionService.getRoleActions(roleId);
39
+ return {
40
+ success: true,
41
+ message: 'Role actions retrieved successfully',
42
+ data: actions
43
+ };
44
+ }
45
+ async assignUserRoles(dto) {
46
+ return this.permissionService.assignUserRoles(dto);
47
+ }
48
+ async getUserRoles(userId, query) {
49
+ const roles = await this.permissionService.getUserRoles(userId, query.branchId, query.companyId);
50
+ return {
51
+ success: true,
52
+ message: 'User roles retrieved successfully',
53
+ data: roles
54
+ };
55
+ }
56
+ // NOTE: @Inject() required for bundled code - type metadata may be lost during esbuild
57
+ constructor(permissionService){
58
+ _define_property(this, "permissionService", void 0);
59
+ this.permissionService = permissionService;
60
+ }
61
+ }
62
+ _ts_decorate([
63
+ Post('role-actions/assign'),
64
+ ApiOperation({
65
+ summary: 'Assign/remove actions to/from role',
66
+ description: 'RBAC mode. No branch scoping.'
67
+ }),
68
+ ApiResponse({
69
+ status: 200,
70
+ type: PermissionOperationResultDto
71
+ }),
72
+ ApiBody({
73
+ type: AssignRoleActionsDto
74
+ }),
75
+ _ts_param(0, Body()),
76
+ _ts_metadata("design:type", Function),
77
+ _ts_metadata("design:paramtypes", [
78
+ typeof AssignRoleActionsDto === "undefined" ? Object : AssignRoleActionsDto
79
+ ]),
80
+ _ts_metadata("design:returntype", Promise)
81
+ ], RolePermissionController.prototype, "assignRoleActions", null);
82
+ _ts_decorate([
83
+ Get('role-actions/:roleId'),
84
+ ApiOperation({
85
+ summary: 'Get role actions',
86
+ description: 'Returns actions assigned to role.'
87
+ }),
88
+ ApiResponse({
89
+ status: 200,
90
+ type: SingleResponseDto
91
+ }),
92
+ _ts_param(0, Param('roleId')),
93
+ _ts_param(1, Query()),
94
+ _ts_metadata("design:type", Function),
95
+ _ts_metadata("design:paramtypes", [
96
+ String,
97
+ typeof GetRoleActionsDto === "undefined" ? Object : GetRoleActionsDto
98
+ ]),
99
+ _ts_metadata("design:returntype", Promise)
100
+ ], RolePermissionController.prototype, "getRoleActions", null);
101
+ _ts_decorate([
102
+ Post('user-roles/assign'),
103
+ ApiOperation({
104
+ summary: 'Assign/remove roles to/from user',
105
+ description: 'RBAC mode. If company feature enabled, branchId is required.'
106
+ }),
107
+ ApiResponse({
108
+ status: 200,
109
+ type: PermissionOperationResultDto
110
+ }),
111
+ ApiBody({
112
+ type: AssignUserRolesDto
113
+ }),
114
+ _ts_param(0, Body()),
115
+ _ts_metadata("design:type", Function),
116
+ _ts_metadata("design:paramtypes", [
117
+ typeof AssignUserRolesDto === "undefined" ? Object : AssignUserRolesDto
118
+ ]),
119
+ _ts_metadata("design:returntype", Promise)
120
+ ], RolePermissionController.prototype, "assignUserRoles", null);
121
+ _ts_decorate([
122
+ Get('user-roles/:userId'),
123
+ ApiOperation({
124
+ summary: 'Get user roles',
125
+ description: 'Returns roles assigned to user. Filter by companyId and branchId.'
126
+ }),
127
+ ApiResponse({
128
+ status: 200,
129
+ type: SingleResponseDto
130
+ }),
131
+ _ts_param(0, Param('userId')),
132
+ _ts_param(1, Query()),
133
+ _ts_metadata("design:type", Function),
134
+ _ts_metadata("design:paramtypes", [
135
+ String,
136
+ typeof GetUserRolesDto === "undefined" ? Object : GetUserRolesDto
137
+ ]),
138
+ _ts_metadata("design:returntype", Promise)
139
+ ], RolePermissionController.prototype, "getUserRoles", null);
140
+ RolePermissionController = _ts_decorate([
141
+ ApiTags('IAM - Role Permissions'),
142
+ Controller('iam/permissions'),
143
+ UseGuards(JwtAuthGuard),
144
+ ApiBearerAuth(),
145
+ _ts_param(0, Inject(PermissionService)),
146
+ _ts_metadata("design:type", Function),
147
+ _ts_metadata("design:paramtypes", [
148
+ typeof PermissionService === "undefined" ? Object : PermissionService
149
+ ])
150
+ ], RolePermissionController);
@@ -0,0 +1,48 @@
1
+ function _define_property(obj, key, value) {
2
+ if (key in obj) {
3
+ Object.defineProperty(obj, key, {
4
+ value: value,
5
+ enumerable: true,
6
+ configurable: true,
7
+ writable: true
8
+ });
9
+ } else {
10
+ obj[key] = value;
11
+ }
12
+ return obj;
13
+ }
14
+ function _ts_decorate(decorators, target, key, desc) {
15
+ var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
16
+ if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
17
+ else for(var i = decorators.length - 1; i >= 0; i--)if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
18
+ return c > 3 && r && Object.defineProperty(target, key, r), r;
19
+ }
20
+ function _ts_metadata(k, v) {
21
+ if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
22
+ }
23
+ function _ts_param(paramIndex, decorator) {
24
+ return function(target, key) {
25
+ decorator(target, key, paramIndex);
26
+ };
27
+ }
28
+ import { createApiController } from '@flusys/nestjs-shared/classes';
29
+ import { Controller, Inject } from '@nestjs/common';
30
+ import { ApiTags } from '@nestjs/swagger';
31
+ import { CreateRoleDto, RoleResponseDto, UpdateRoleDto } from '../dtos/role.dto';
32
+ import { RoleService } from '../services/role.service';
33
+ export class RoleController extends createApiController(CreateRoleDto, UpdateRoleDto, RoleResponseDto, {
34
+ security: 'jwt'
35
+ }) {
36
+ constructor(roleService){
37
+ super(roleService), _define_property(this, "roleService", void 0), this.roleService = roleService;
38
+ }
39
+ }
40
+ RoleController = _ts_decorate([
41
+ ApiTags('IAM - Roles'),
42
+ Controller('iam/roles'),
43
+ _ts_param(0, Inject(RoleService)),
44
+ _ts_metadata("design:type", Function),
45
+ _ts_metadata("design:paramtypes", [
46
+ typeof RoleService === "undefined" ? Object : RoleService
47
+ ])
48
+ ], RoleController);
@@ -0,0 +1,100 @@
1
+ function _define_property(obj, key, value) {
2
+ if (key in obj) {
3
+ Object.defineProperty(obj, key, {
4
+ value: value,
5
+ enumerable: true,
6
+ configurable: true,
7
+ writable: true
8
+ });
9
+ } else {
10
+ obj[key] = value;
11
+ }
12
+ return obj;
13
+ }
14
+ function _ts_decorate(decorators, target, key, desc) {
15
+ var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
16
+ if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
17
+ else for(var i = decorators.length - 1; i >= 0; i--)if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
18
+ return c > 3 && r && Object.defineProperty(target, key, r), r;
19
+ }
20
+ function _ts_metadata(k, v) {
21
+ if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
22
+ }
23
+ function _ts_param(paramIndex, decorator) {
24
+ return function(target, key) {
25
+ decorator(target, key, paramIndex);
26
+ };
27
+ }
28
+ import { JwtAuthGuard, SingleResponseDto } from '@flusys/nestjs-shared';
29
+ import { Body, Controller, Get, Inject, Param, Post, Query, UseGuards } from '@nestjs/common';
30
+ import { ApiBearerAuth, ApiBody, ApiOperation, ApiResponse, ApiTags } from '@nestjs/swagger';
31
+ import { AssignUserActionsDto, GetUserActionsDto, PermissionOperationResultDto } from '../dtos/permission.dto';
32
+ import { PermissionService } from '../services/permission.service';
33
+ export class UserActionPermissionController {
34
+ async assignUserActions(dto) {
35
+ return this.permissionService.assignUserActions(dto);
36
+ }
37
+ async getUserActions(userId, query) {
38
+ const actions = await this.permissionService.getUserActions(userId, query.branchId, query.companyId);
39
+ return {
40
+ success: true,
41
+ message: 'User actions retrieved successfully',
42
+ data: actions
43
+ };
44
+ }
45
+ // NOTE: @Inject() required for bundled code - type metadata may be lost during esbuild
46
+ constructor(permissionService){
47
+ _define_property(this, "permissionService", void 0);
48
+ this.permissionService = permissionService;
49
+ }
50
+ }
51
+ _ts_decorate([
52
+ Post('user-actions/assign'),
53
+ ApiOperation({
54
+ summary: 'Assign/remove actions to/from user',
55
+ description: 'Direct permissions. If company feature enabled, branchId is required.'
56
+ }),
57
+ ApiResponse({
58
+ status: 200,
59
+ type: PermissionOperationResultDto
60
+ }),
61
+ ApiBody({
62
+ type: AssignUserActionsDto
63
+ }),
64
+ _ts_param(0, Body()),
65
+ _ts_metadata("design:type", Function),
66
+ _ts_metadata("design:paramtypes", [
67
+ typeof AssignUserActionsDto === "undefined" ? Object : AssignUserActionsDto
68
+ ]),
69
+ _ts_metadata("design:returntype", Promise)
70
+ ], UserActionPermissionController.prototype, "assignUserActions", null);
71
+ _ts_decorate([
72
+ Get('user-actions/:userId'),
73
+ ApiOperation({
74
+ summary: 'Get user direct actions',
75
+ description: 'Returns direct action permissions for user. Filter by companyId and branchId.'
76
+ }),
77
+ ApiResponse({
78
+ status: 200,
79
+ type: SingleResponseDto
80
+ }),
81
+ _ts_param(0, Param('userId')),
82
+ _ts_param(1, Query()),
83
+ _ts_metadata("design:type", Function),
84
+ _ts_metadata("design:paramtypes", [
85
+ String,
86
+ typeof GetUserActionsDto === "undefined" ? Object : GetUserActionsDto
87
+ ]),
88
+ _ts_metadata("design:returntype", Promise)
89
+ ], UserActionPermissionController.prototype, "getUserActions", null);
90
+ UserActionPermissionController = _ts_decorate([
91
+ ApiTags('IAM - User Action Permissions'),
92
+ Controller('iam/permissions'),
93
+ UseGuards(JwtAuthGuard),
94
+ ApiBearerAuth(),
95
+ _ts_param(0, Inject(PermissionService)),
96
+ _ts_metadata("design:type", Function),
97
+ _ts_metadata("design:paramtypes", [
98
+ typeof PermissionService === "undefined" ? Object : PermissionService
99
+ ])
100
+ ], UserActionPermissionController);
@@ -0,0 +1,192 @@
1
+ import { IAMPermissionMode } from '../enums/permission-type.enum';
2
+ /** Auth-related tags that should always be excluded from IAM API docs */ const AUTH_RELATED_TAGS = [
3
+ 'Authentication',
4
+ 'Users',
5
+ 'Companies',
6
+ 'Branches',
7
+ 'User Permissions',
8
+ 'Company Selection'
9
+ ];
10
+ export function iamSwaggerConfig(enableCompanyFeature = false, permissionMode = IAMPermissionMode.FULL) {
11
+ const excludeSchemaProperties = enableCompanyFeature ? [] : [
12
+ // DTOs with companyId and branchId
13
+ {
14
+ schemaName: 'AssignUserActionsDto',
15
+ properties: [
16
+ 'companyId',
17
+ 'branchId'
18
+ ]
19
+ },
20
+ {
21
+ schemaName: 'AssignUserRolesDto',
22
+ properties: [
23
+ 'companyId',
24
+ 'branchId'
25
+ ]
26
+ },
27
+ {
28
+ schemaName: 'GetUserActionsDto',
29
+ properties: [
30
+ 'companyId',
31
+ 'branchId'
32
+ ]
33
+ },
34
+ {
35
+ schemaName: 'GetUserRolesDto',
36
+ properties: [
37
+ 'companyId',
38
+ 'branchId'
39
+ ]
40
+ },
41
+ // Response DTOs with branchId
42
+ {
43
+ schemaName: 'UserActionResponseDto',
44
+ properties: [
45
+ 'branchId'
46
+ ]
47
+ },
48
+ {
49
+ schemaName: 'UserRoleResponseDto',
50
+ properties: [
51
+ 'branchId'
52
+ ]
53
+ },
54
+ // Company-related DTOs (entire schemas hidden via tag exclusion, but just in case)
55
+ {
56
+ schemaName: 'AssignCompanyActionsDto',
57
+ properties: [
58
+ 'companyId'
59
+ ]
60
+ },
61
+ {
62
+ schemaName: 'CompanyActionResponseDto',
63
+ properties: [
64
+ 'companyId'
65
+ ]
66
+ }
67
+ ];
68
+ // Hide query parameters for GET endpoints when company feature is disabled
69
+ const excludeQueryParameters = enableCompanyFeature ? [] : [
70
+ {
71
+ pathPattern: '/iam/permissions/user-actions/*',
72
+ method: 'get',
73
+ parameters: [
74
+ 'companyId',
75
+ 'branchId'
76
+ ]
77
+ },
78
+ {
79
+ pathPattern: '/iam/permissions/user-roles/*',
80
+ method: 'get',
81
+ parameters: [
82
+ 'companyId',
83
+ 'branchId'
84
+ ]
85
+ }
86
+ ];
87
+ // Build exclude tags list: always exclude Auth tags + conditionally exclude based on permission mode
88
+ const excludeTags = [
89
+ ...AUTH_RELATED_TAGS
90
+ ];
91
+ // Hide company-related IAM endpoints when company feature is disabled
92
+ if (!enableCompanyFeature) {
93
+ excludeTags.push('IAM - Company Action Permissions');
94
+ }
95
+ // Conditionally exclude endpoints based on permission mode
96
+ if (permissionMode === IAMPermissionMode.RBAC) {
97
+ // RBAC only - hide direct user action endpoints
98
+ excludeTags.push('IAM - Permissions (Direct)');
99
+ } else if (permissionMode === IAMPermissionMode.DIRECT) {
100
+ // Direct only - hide RBAC endpoints
101
+ excludeTags.push('IAM - Permissions (RBAC)');
102
+ excludeTags.push('IAM - Roles'); // Roles are only used in RBAC
103
+ }
104
+ return {
105
+ title: 'IAM API',
106
+ description: `
107
+ ## Identity & Access Management API
108
+
109
+ Advanced permission system with flexible modes: RBAC, Direct Permissions, or both.
110
+
111
+ ### Current Configuration
112
+ - **Permission Mode**: ${permissionMode === IAMPermissionMode.RBAC ? '**RBAC** (Role-Based Access Control)' : permissionMode === IAMPermissionMode.DIRECT ? '**DIRECT** (Direct User Permissions)' : '**FULL** (RBAC + Direct)'}${enableCompanyFeature ? '\n- **Company Feature**: Enabled (Multi-tenant with company/branch scoping)' : '\n- **Company Feature**: Disabled'}
113
+
114
+ ### Features Based on Mode
115
+
116
+ ${permissionMode === IAMPermissionMode.RBAC || permissionMode === IAMPermissionMode.FULL ? `#### RBAC Features (Active)
117
+ - **Roles**: Create company-scoped roles${enableCompanyFeature ? ' (auto-filtered by user company)' : ''}
118
+ - **Role-Actions**: Assign actions to roles
119
+ - **User-Roles**: Assign roles to users${enableCompanyFeature ? ' at branch level' : ''}
120
+ ` : ''}${permissionMode === IAMPermissionMode.DIRECT || permissionMode === IAMPermissionMode.FULL ? `#### Direct Permission Features (Active)
121
+ - **User-Actions**: Direct action assignment to users${enableCompanyFeature ? ' at branch level' : ''}
122
+ ` : ''}${enableCompanyFeature ? `#### Company Features (Active)
123
+ - **Company-Action Whitelist**: Control which actions are available per company
124
+ - **Branch-Based Scoping**: Permissions scoped to specific branches
125
+ - **Auto-Filtering**: Roles automatically filtered by user's company
126
+ - **Action Tree Filtering**: Available actions filtered by company whitelist
127
+ ` : ''}
128
+ ### Core Concepts
129
+
130
+ #### Actions
131
+ Represent permissions in the system. Can be hierarchical.
132
+
133
+ **Action Types:**
134
+ - \`menu\` - Menu visibility (actions with type='menu' are used as menus)
135
+ - \`endpoint\` - API endpoint access
136
+ - \`frontend\` - Frontend feature toggles
137
+ ${permissionMode === IAMPermissionMode.RBAC || permissionMode === IAMPermissionMode.FULL ? `
138
+ #### Roles
139
+ Collections of actions that can be assigned to users.${enableCompanyFeature ? ' Scoped to companies.' : ' Global across the system.'}
140
+ ` : ''}${enableCompanyFeature ? `
141
+ #### Company-Action Whitelist
142
+ Controls which actions are available to a company. Users/roles can only use whitelisted actions.
143
+
144
+ **Flow:**
145
+ 1. Admin assigns actions to company (whitelist)
146
+ 2. Only whitelisted actions appear in permission assignment UIs
147
+ 3. Users/roles cannot be assigned non-whitelisted actions
148
+ ` : ''}
149
+ ### Permission Resolution
150
+
151
+ ${permissionMode === IAMPermissionMode.FULL ? `1. **Company-Action Whitelist** - Filter by company (if enabled)
152
+ 2. **UserAction (DENY)** - Explicit denials take precedence
153
+ 3. **UserAction (GRANT)** - Direct user grants
154
+ 4. **UserRole → RoleAction** - Inherited from assigned roles
155
+ 5. **Action Permission Logic** - Complex AND/OR rules` : permissionMode === IAMPermissionMode.RBAC ? `1. **Company-Action Whitelist** - Filter by company (if enabled)
156
+ 2. **UserRole → RoleAction** - Actions inherited from roles
157
+ 3. **Action Permission Logic** - Complex AND/OR rules` : `1. **Company-Action Whitelist** - Filter by company (if enabled)
158
+ 2. **UserAction (DENY)** - Explicit denials take precedence
159
+ 3. **UserAction (GRANT)** - Direct user grants
160
+ 4. **Action Permission Logic** - Complex AND/OR rules`}
161
+
162
+ ### API Endpoints Summary
163
+
164
+ #### Available Endpoints
165
+ - ✅ **Actions**: CRUD operations, tree view${enableCompanyFeature ? ', filtered tree for permissions' : ''}${permissionMode === IAMPermissionMode.RBAC || permissionMode === IAMPermissionMode.FULL ? `
166
+ - ✅ **Roles**: CRUD operations${enableCompanyFeature ? ' (auto-filtered by company)' : ''}
167
+ - ✅ **Role-Actions**: Assign actions to roles, get role actions
168
+ - ✅ **User-Roles**: Assign roles to users, get user roles` : `
169
+ - ❌ **Roles**: Disabled (RBAC mode not active)`}${permissionMode === IAMPermissionMode.DIRECT || permissionMode === IAMPermissionMode.FULL ? `
170
+ - ✅ **User-Actions**: Direct action assignment to users` : `
171
+ - ❌ **User-Actions**: Disabled (DIRECT mode not active)`}${enableCompanyFeature ? `
172
+ - ✅ **Company-Actions**: Whitelist actions for companies` : `
173
+ - ❌ **Company-Actions**: Disabled (company feature not enabled)`}
174
+ - ✅ **My Permissions**: Get current user's complete permissions (includes menu-type actions)
175
+
176
+ ### Best Practices
177
+
178
+ 1. **Action Codes**: Use meaningful codes like \`user.create\`, \`order.view\`
179
+ 2. **Hierarchical Actions**: Group related actions (use parentId for hierarchy)${permissionMode === IAMPermissionMode.RBAC || permissionMode === IAMPermissionMode.FULL ? `
180
+ 3. **Role Design**: Create roles for common permission patterns` : ''}${permissionMode === IAMPermissionMode.DIRECT || permissionMode === IAMPermissionMode.FULL ? `
181
+ ${permissionMode === IAMPermissionMode.FULL ? '4' : '3'}. **Direct Actions**: Use sparingly for exceptions` : ''}${enableCompanyFeature ? `
182
+ ${permissionMode === IAMPermissionMode.FULL ? '5' : '4'}. **Company Whitelisting**: Set up action whitelist before assigning permissions
183
+ ${permissionMode === IAMPermissionMode.FULL ? '6' : '5'}. **Branch Scoping**: Use branches for location-based access control` : ''}
184
+ `,
185
+ version: '1.0',
186
+ path: 'api/docs/iam',
187
+ bearerAuth: true,
188
+ excludeSchemaProperties,
189
+ excludeTags,
190
+ excludeQueryParameters
191
+ };
192
+ }
@@ -0,0 +1 @@
1
+ export * from './iam-swagger.config';