@flusys/nestjs-iam 0.1.0-beta.1 → 0.1.0-beta.2

package/cjs/services/iam-datasource.provider.js

@@ -0,0 +1,205 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", {
+    value: true
+});
+Object.defineProperty(exports, "IAMDataSourceProvider", {
+    enumerable: true,
+    get: function() {
+        return IAMDataSourceProvider;
+    }
+});
+const _modules = require("@flusys/nestjs-shared/modules");
+const _common = require("@nestjs/common");
+const _core = require("@nestjs/core");
+const _express = require("express");
+const _iamconstants = require("../config/iam.constants");
+const _iammoduleoptionsinterface = require("../interfaces/iam-module-options.interface");
+function _define_property(obj, key, value) {
+    if (key in obj) {
+        Object.defineProperty(obj, key, {
+            value: value,
+            enumerable: true,
+            configurable: true,
+            writable: true
+        });
+    } else {
+        obj[key] = value;
+    }
+    return obj;
+}
+function _getRequireWildcardCache(nodeInterop) {
+    if (typeof WeakMap !== "function") return null;
+    var cacheBabelInterop = new WeakMap();
+    var cacheNodeInterop = new WeakMap();
+    return (_getRequireWildcardCache = function(nodeInterop) {
+        return nodeInterop ? cacheNodeInterop : cacheBabelInterop;
+    })(nodeInterop);
+}
+function _interop_require_wildcard(obj, nodeInterop) {
+    if (!nodeInterop && obj && obj.__esModule) {
+        return obj;
+    }
+    if (obj === null || typeof obj !== "object" && typeof obj !== "function") {
+        return {
+            default: obj
+        };
+    }
+    var cache = _getRequireWildcardCache(nodeInterop);
+    if (cache && cache.has(obj)) {
+        return cache.get(obj);
+    }
+    var newObj = {
+        __proto__: null
+    };
+    var hasPropertyDescriptor = Object.defineProperty && Object.getOwnPropertyDescriptor;
+    for(var key in obj){
+        if (key !== "default" && Object.prototype.hasOwnProperty.call(obj, key)) {
+            var desc = hasPropertyDescriptor ? Object.getOwnPropertyDescriptor(obj, key) : null;
+            if (desc && (desc.get || desc.set)) {
+                Object.defineProperty(newObj, key, desc);
+            } else {
+                newObj[key] = obj[key];
+            }
+        }
+    }
+    newObj.default = obj;
+    if (cache) {
+        cache.set(obj, newObj);
+    }
+    return newObj;
+}
+function _ts_decorate(decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for(var i = decorators.length - 1; i >= 0; i--)if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+}
+function _ts_metadata(k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+}
+function _ts_param(paramIndex, decorator) {
+    return function(target, key) {
+        decorator(target, key, paramIndex);
+    };
+}
+let IAMDataSourceProvider = class IAMDataSourceProvider extends _modules.MultiTenantDataSourceService {
+    // ==================== Factory Methods ====================
+    /**
+   * Build parent options from IAMModuleOptions
+   */ static buildParentOptions(options) {
+        return {
+            bootstrapAppConfig: options.bootstrapAppConfig,
+            defaultDatabaseConfig: options.config?.defaultDatabaseConfig,
+            tenantDefaultDatabaseConfig: options.config?.tenantDefaultDatabaseConfig,
+            tenants: options.config?.tenants
+        };
+    }
+    // ==================== Feature Flags ====================
+    /**
+   * Get global enable company feature flag
+   */ getEnableCompanyFeature() {
+        return this.iamOptions.bootstrapAppConfig?.enableCompanyFeature ?? false;
+    }
+    /**
+   * Get enable company feature for specific tenant
+   * Falls back to global setting if not specified per-tenant
+   */ getEnableCompanyFeatureForTenant(tenant) {
+        return tenant?.enableCompanyFeature ?? this.getEnableCompanyFeature();
+    }
+    /**
+   * Get enable company feature for current request context
+   */ getEnableCompanyFeatureForCurrentTenant() {
+        return this.getEnableCompanyFeatureForTenant(this.getCurrentTenant() ?? undefined);
+    }
+    // ==================== Entity Management ====================
+    /**
+   * Get IAM entities dynamically based on configuration
+   * Returns appropriate entities based on company feature and permission mode
+   */ async getIAMEntities() {
+        const { Action, Role, RoleWithCompany, UserIamPermission, UserIamPermissionWithCompany, getIAMEntitiesByConfig } = await Promise.resolve().then(()=>/*#__PURE__*/ _interop_require_wildcard(require("../entities")));
+        const enableCompanyFeature = this.getEnableCompanyFeatureForCurrentTenant();
+        const permissionMode = this.iamOptions.bootstrapAppConfig?.permissionMode || 'FULL';
+        return getIAMEntitiesByConfig(enableCompanyFeature, permissionMode);
+    }
+    // ==================== Overrides ====================
+    /**
+   * Override to dynamically set entities based on tenant config
+   */ async createDataSourceFromConfig(config) {
+        const entities = await this.getIAMEntities();
+        return super.createDataSourceFromConfig(config, entities);
+    }
+    /**
+   * Override to use IAM-specific static cache
+   */ async getSingleDataSource() {
+        if (!IAMDataSourceProvider.singleDataSource) {
+            if (IAMDataSourceProvider.singleConnectionLock) {
+                return IAMDataSourceProvider.singleConnectionLock;
+            }
+            const lockPromise = (async ()=>{
+                const config = this.getDefaultDatabaseConfig();
+                if (!config) {
+                    throw new Error('Default database config is not available');
+                }
+                const ds = await this.createDataSourceFromConfig(config);
+                IAMDataSourceProvider.singleDataSource = ds;
+                IAMDataSourceProvider.initialized = true;
+                return ds;
+            })();
+            IAMDataSourceProvider.singleConnectionLock = lockPromise;
+            try {
+                return await lockPromise;
+            } finally{
+                IAMDataSourceProvider.singleConnectionLock = null;
+            }
+        }
+        return IAMDataSourceProvider.singleDataSource;
+    }
+    /**
+   * Override to use IAM-specific static cache for tenant connections
+   */ async getOrCreateTenantConnection(tenant) {
+        // Return existing initialized connection from IAM-specific cache
+        const existing = IAMDataSourceProvider.tenantConnections.get(tenant.id);
+        if (existing?.isInitialized) {
+            return existing;
+        }
+        // If another request is creating this tenant's connection, wait for it
+        const pendingConnection = IAMDataSourceProvider.connectionLocks.get(tenant.id);
+        if (pendingConnection) {
+            return pendingConnection;
+        }
+        // Create connection with lock to prevent race conditions
+        const config = this.buildTenantDatabaseConfig(tenant);
+        const connectionPromise = this.createDataSourceFromConfig(config);
+        IAMDataSourceProvider.connectionLocks.set(tenant.id, connectionPromise);
+        try {
+            const dataSource = await connectionPromise;
+            IAMDataSourceProvider.tenantConnections.set(tenant.id, dataSource);
+            return dataSource;
+        } finally{
+            IAMDataSourceProvider.connectionLocks.delete(tenant.id);
+        }
+    }
+    constructor(iamOptions, request){
+        super(IAMDataSourceProvider.buildParentOptions(iamOptions), request), _define_property(this, "iamOptions", void 0), _define_property(this, "logger", void 0), this.iamOptions = iamOptions, this.logger = new _common.Logger(IAMDataSourceProvider.name);
+    }
+};
+// Override parent's static properties to have IAM-specific cache
+_define_property(IAMDataSourceProvider, "tenantConnections", new Map());
+_define_property(IAMDataSourceProvider, "singleDataSource", null);
+_define_property(IAMDataSourceProvider, "tenantsRegistry", new Map());
+_define_property(IAMDataSourceProvider, "initialized", false);
+_define_property(IAMDataSourceProvider, "connectionLocks", new Map());
+_define_property(IAMDataSourceProvider, "singleConnectionLock", null);
+IAMDataSourceProvider = _ts_decorate([
+    (0, _common.Injectable)({
+        scope: _common.Scope.REQUEST
+    }),
+    _ts_param(0, (0, _common.Inject)(_iamconstants.IAM_MODULE_OPTIONS)),
+    _ts_param(1, (0, _common.Optional)()),
+    _ts_param(1, (0, _common.Inject)(_core.REQUEST)),
+    _ts_metadata("design:type", Function),
+    _ts_metadata("design:paramtypes", [
+        typeof _iammoduleoptionsinterface.IAMModuleOptions === "undefined" ? Object : _iammoduleoptionsinterface.IAMModuleOptions,
+        typeof _express.Request === "undefined" ? Object : _express.Request
+    ])
+], IAMDataSourceProvider);

package/cjs/services/index.js

@@ -0,0 +1,23 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", {
+    value: true
+});
+_export_star(require("./action.service"), exports);
+_export_star(require("./iam-config.service"), exports);
+_export_star(require("./iam-datasource.provider"), exports);
+_export_star(require("./permission-cache.service"), exports);
+_export_star(require("./permission.service"), exports);
+_export_star(require("./role.service"), exports);
+function _export_star(from, to) {
+    Object.keys(from).forEach(function(k) {
+        if (k !== "default" && !Object.prototype.hasOwnProperty.call(to, k)) {
+            Object.defineProperty(to, k, {
+                enumerable: true,
+                get: function() {
+                    return from[k];
+                }
+            });
+        }
+    });
+    return from;
+}

package/cjs/services/permission-cache.service.js

@@ -0,0 +1,308 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", {
+    value: true
+});
+Object.defineProperty(exports, "PermissionCacheService", {
+    enumerable: true,
+    get: function() {
+        return PermissionCacheService;
+    }
+});
+const _nestjsshared = require("@flusys/nestjs-shared");
+const _common = require("@nestjs/common");
+function _define_property(obj, key, value) {
+    if (key in obj) {
+        Object.defineProperty(obj, key, {
+            value: value,
+            enumerable: true,
+            configurable: true,
+            writable: true
+        });
+    } else {
+        obj[key] = value;
+    }
+    return obj;
+}
+function _ts_decorate(decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for(var i = decorators.length - 1; i >= 0; i--)if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+}
+function _ts_metadata(k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+}
+function _ts_param(paramIndex, decorator) {
+    return function(target, key) {
+        decorator(target, key, paramIndex);
+    };
+}
+let PermissionCacheService = class PermissionCacheService {
+    // ==================== Cache Key Generation ====================
+    /**
+   * Generate cache key for user permissions (backend codes for PermissionGuard)
+   * Format matches PermissionGuard in nestjs-shared
+   */ generateCacheKey(options) {
+        const { userId, companyId, branchId, enableCompanyFeature } = options;
+        if (enableCompanyFeature && companyId) {
+            return `${this.CACHE_PREFIX}:company:${companyId}:branch:${branchId || 'null'}:user:${userId}`;
+        }
+        return `${this.CACHE_PREFIX}:user:${userId}`;
+    }
+    /**
+   * Generate cache key for full my-permissions response
+   */ generateMyPermissionsCacheKey(options) {
+        const { userId, companyId, branchId, enableCompanyFeature } = options;
+        if (enableCompanyFeature && companyId) {
+            return `${this.MY_PERMISSIONS_PREFIX}:company:${companyId}:branch:${branchId || 'null'}:user:${userId}`;
+        }
+        return `${this.MY_PERMISSIONS_PREFIX}:user:${userId}`;
+    }
+    // ==================== Cache Operations ====================
+    /**
+   * Set user permissions in cache
+   *
+   * @param options - Cache key options
+   * @param permissions - Array of permission codes (action codes)
+   */ async setPermissions(options, permissions) {
+        try {
+            const key = this.generateCacheKey(options);
+            await this.cacheManager.set(key, permissions, this.TTL);
+            this.logger.debug(`Cached ${permissions.length} permissions for key: ${key}`);
+        } catch (error) {
+            this.logger.error(`Failed to cache permissions: ${error}`);
+        // Don't throw - cache failure shouldn't break the operation
+        }
+    }
+    /**
+   * Get user permissions from cache
+   *
+   * @param options - Cache key options
+   * @returns Array of permission codes or null if not found
+   */ async getPermissions(options) {
+        try {
+            const key = this.generateCacheKey(options);
+            const result = await this.cacheManager.get(key);
+            return result || null;
+        } catch (error) {
+            this.logger.error(`Failed to get permissions from cache: ${error}`);
+            return null;
+        }
+    }
+    // ==================== My-Permissions Cache Operations ====================
+    /**
+   * Set full my-permissions response in cache
+   * Caches frontend actions and backend codes for quick retrieval
+   *
+   * @param options - Cache key options
+   * @param data - Full permissions data to cache
+   */ async setMyPermissions(options, data) {
+        try {
+            const key = this.generateMyPermissionsCacheKey(options);
+            await this.cacheManager.set(key, data, this.TTL);
+            this.logger.debug(`Cached my-permissions for key: ${key} (${data.frontendActions.length} frontend, ${data.backendCodes.length} backend)`);
+        } catch (error) {
+            this.logger.error(`Failed to cache my-permissions: ${error}`);
+        }
+    }
+    /**
+   * Get full my-permissions response from cache
+   *
+   * @param options - Cache key options
+   * @returns Cached permissions data or null if not found
+   */ async getMyPermissions(options) {
+        try {
+            const key = this.generateMyPermissionsCacheKey(options);
+            const result = await this.cacheManager.get(key);
+            if (result) {
+                this.logger.debug(`Cache hit for my-permissions: ${key}`);
+            }
+            return result || null;
+        } catch (error) {
+            this.logger.error(`Failed to get my-permissions from cache: ${error}`);
+            return null;
+        }
+    }
+    // ==================== Action Code Cache Operations ====================
+    /**
+   * Cache action codes to IDs mapping
+   * Used for parentCodes filter to avoid DB query on cache hit
+   *
+   * @param codeToIdMap - Map of action code to action ID
+   */ async setActionCodeMap(codeToIdMap) {
+        try {
+            const key = `${this.ACTION_CODE_PREFIX}:map`;
+            await this.cacheManager.set(key, codeToIdMap, this.ACTION_CODE_TTL);
+            this.logger.debug(`Cached ${Object.keys(codeToIdMap).length} action code mappings`);
+        } catch (error) {
+            this.logger.error(`Failed to cache action code map: ${error}`);
+        }
+    }
+    /**
+   * Get action IDs for given codes from cache
+   *
+   * @param codes - Array of action codes
+   * @returns Map of code to ID, or null if not cached
+   */ async getActionIdsByCodes(codes) {
+        try {
+            const key = `${this.ACTION_CODE_PREFIX}:map`;
+            const fullMap = await this.cacheManager.get(key);
+            if (!fullMap) {
+                return null;
+            }
+            // Return only requested codes
+            const result = {};
+            for (const code of codes){
+                if (fullMap[code]) {
+                    result[code] = fullMap[code];
+                }
+            }
+            return Object.keys(result).length > 0 ? result : null;
+        } catch (error) {
+            this.logger.error(`Failed to get action IDs from cache: ${error}`);
+            return null;
+        }
+    }
+    /**
+   * Invalidate action code cache
+   * Call when actions are created, updated, or deleted
+   */ async invalidateActionCodeCache() {
+        try {
+            const key = `${this.ACTION_CODE_PREFIX}:map`;
+            await this.cacheManager.del(key);
+            this.logger.debug('Invalidated action code cache');
+        } catch (error) {
+            this.logger.warn(`Failed to invalidate action code cache: ${error}`);
+        }
+    }
+    // ==================== Cache Invalidation ====================
+    /**
+   * Invalidate cache for specific user
+   * Clears both permission codes and my-permissions cache for ALL branches
+   *
+   * @param userId - User ID
+   * @param companyId - Optional company ID
+   * @param branchIds - Optional array of branch IDs to invalidate (if not provided, only null branch is cleared)
+   */ async invalidateUser(userId, companyId, branchIds) {
+        try {
+            const keysToDelete = [
+                // Permission codes cache (for PermissionGuard) - user-based key
+                `${this.CACHE_PREFIX}:user:${userId}`,
+                // My-permissions cache (full response) - user-based key
+                `${this.MY_PERMISSIONS_PREFIX}:user:${userId}`
+            ];
+            // Add company-based keys if companyId provided
+            if (companyId) {
+                // If branchIds provided, invalidate all specified branches
+                // Otherwise, invalidate only null branch (company-wide)
+                const branches = branchIds?.length ? branchIds : [
+                    null
+                ];
+                for (const branchId of branches){
+                    keysToDelete.push(`${this.CACHE_PREFIX}:company:${companyId}:branch:${branchId || 'null'}:user:${userId}`, `${this.MY_PERMISSIONS_PREFIX}:company:${companyId}:branch:${branchId || 'null'}:user:${userId}`);
+                }
+            }
+            // Parallel deletion for better performance
+            await Promise.all(keysToDelete.map((key)=>this.cacheManager.del(key)));
+            this.logger.debug(`Invalidated ${keysToDelete.length} cache keys for user ${userId}`);
+        } catch (error) {
+            this.logger.warn(`Failed to invalidate user cache for ${userId}: ${error}`);
+        }
+    }
+    /**
+   * Invalidate cache for multiple users
+   * Useful when role or company permissions change
+   *
+   * @param userIds - Array of user IDs
+   * @param companyId - Optional company ID
+   * @param branchIds - Optional array of branch IDs to invalidate for each user
+   * @returns Number of users whose cache was invalidated
+   */ async invalidateUsers(userIds, companyId, branchIds) {
+        if (userIds.length === 0) {
+            return 0;
+        }
+        // Parallel invalidation for better performance
+        const results = await Promise.allSettled(userIds.map((userId)=>this.invalidateUser(userId, companyId, branchIds)));
+        const successCount = results.filter((r)=>r.status === 'fulfilled').length;
+        const failedCount = results.filter((r)=>r.status === 'rejected').length;
+        if (failedCount > 0) {
+            this.logger.warn(`Failed to invalidate cache for ${failedCount} users`);
+        }
+        if (successCount > 0) {
+            this.logger.log(`Invalidated cache for ${successCount} users`);
+        }
+        return successCount;
+    }
+    /**
+   * Invalidate cache for all users in company
+   * WARNING: Without pattern matching support in HybridCache, this method
+   * invalidates individual user caches passed in the userIds array.
+   * For true company-wide invalidation, consider upgrading HybridCache with keys() support.
+   *
+   * @param companyId - Company ID
+   * @returns Number of cache entries deleted (always 0 without keys() support)
+   */ async invalidateCompany(companyId) {
+        // Note: HybridCache doesn't support pattern matching (keys() method)
+        // Company-wide invalidation requires passing individual user IDs
+        // This is a placeholder that logs a warning
+        this.logger.warn(`invalidateCompany called for ${companyId}, but pattern matching is not supported. ` + `Use invalidateUsers() with specific user IDs instead.`);
+        return 0;
+    }
+    /**
+   * Invalidate cache for all users with specific role
+   *
+   * @param roleId - Role ID (for logging)
+   * @param userIds - Array of user IDs who have this role
+   * @param companyId - Optional company ID
+   * @param branchIds - Optional array of branch IDs to invalidate
+   * @returns Number of users whose cache was invalidated
+   */ async invalidateRole(roleId, userIds, companyId, branchIds) {
+        if (userIds.length === 0) {
+            this.logger.debug(`No users found for role ${roleId}`);
+            return 0;
+        }
+        const count = await this.invalidateUsers(userIds, companyId, branchIds);
+        if (count > 0) {
+            this.logger.log(`Invalidated cache for ${count} users with role ${roleId}`);
+        }
+        return count;
+    }
+    // ==================== Administrative Operations ====================
+    /**
+   * Clear all permission caches
+   * Uses HybridCache reset methods (memory and redis)
+   * WARNING: Use with caution - this affects all caches, not just permissions
+   */ async clearAll() {
+        try {
+            await this.cacheManager.reset(); // Clear memory cache
+            await this.cacheManager.resetL2(); // Clear redis cache
+            this.logger.warn('Cleared all cache entries (memory and redis)');
+        } catch (error) {
+            this.logger.error(`Failed to clear all caches: ${error}`);
+        }
+    }
+    constructor(cacheManager){
+        _define_property(this, "cacheManager", void 0);
+        _define_property(this, "logger", void 0);
+        _define_property(this, "TTL", void 0); // 1 hour
+        _define_property(this, "ACTION_CODE_TTL", void 0); // 2 hours for action codes (less frequent changes)
+        _define_property(this, "CACHE_PREFIX", void 0);
+        _define_property(this, "MY_PERMISSIONS_PREFIX", void 0);
+        _define_property(this, "ACTION_CODE_PREFIX", void 0);
+        this.cacheManager = cacheManager;
+        this.logger = new _common.Logger(PermissionCacheService.name);
+        this.TTL = 3600000;
+        this.ACTION_CODE_TTL = 7200000;
+        this.CACHE_PREFIX = 'permissions';
+        this.MY_PERMISSIONS_PREFIX = 'my-permissions';
+        this.ACTION_CODE_PREFIX = 'action-codes';
+    }
+};
+PermissionCacheService = _ts_decorate([
+    (0, _common.Injectable)(),
+    _ts_param(0, (0, _common.Inject)('CACHE_INSTANCE')),
+    _ts_metadata("design:type", Function),
+    _ts_metadata("design:paramtypes", [
+        typeof _nestjsshared.HybridCache === "undefined" ? Object : _nestjsshared.HybridCache
+    ])
+], PermissionCacheService);