@flusys/nestjs-iam 1.0.0-rc → 2.0.0

package/fesm/controllers/user-action-permission.controller.js

@@ -26,25 +26,19 @@ function _ts_param(paramIndex, decorator) {
     };
 }
 import { JwtAuthGuard, SingleResponseDto, RequirePermission, USER_ACTION_PERMISSIONS, CurrentUser, ILoggedUserInfo } from '@flusys/nestjs-shared';
-import { BadRequestException, Body, Controller, Inject, Post, UseGuards } from '@nestjs/common';
+import { Body, Controller, Inject, Post, UseGuards } from '@nestjs/common';
 import { ApiBearerAuth, ApiBody, ApiOperation, ApiResponse, ApiTags } from '@nestjs/swagger';
 import { AssignUserActionsDto, GetUserActionsDto, PermissionOperationResultDto } from '../dtos/permission.dto';
+import { validateCompanyAccess } from '../helpers';
 import { PermissionService } from '../services/permission.service';
 import { IAMConfigService } from '../services/iam-config.service';
 export class UserActionPermissionController {
-    /** Validates that user can only manage permissions within their company */ validateCompanyAccess(companyId, user) {
-        if (this.config.isCompanyFeatureEnabled() && user.companyId && companyId) {
-            if (companyId !== user.companyId) {
-                throw new BadRequestException('Cannot manage permissions for users in another company');
-            }
-        }
-    }
     async assignUserActions(dto, user) {
-        this.validateCompanyAccess(dto.companyId, user);
+        validateCompanyAccess(this.config, dto.companyId, user, 'Cannot manage permissions for users in another company');
         return this.permissionService.assignUserActions(dto);
     }
     async getUserActions(dto, user) {
-        this.validateCompanyAccess(dto.companyId, user);
+        validateCompanyAccess(this.config, dto.companyId, user, 'Cannot manage permissions for users in another company');
         const actions = await this.permissionService.getUserActions(dto.userId, dto.branchId, dto.companyId);
         return {
             success: true,

package/fesm/dtos/action.dto.js

@@ -254,30 +254,6 @@ _ts_decorate([
     }),
     _ts_metadata("design:type", Array)
 ], ActionTreeDto.prototype, "children", void 0);
-export class ActionQueryDto {
-    constructor(){
-        _define_property(this, "isActive", void 0);
-        _define_property(this, "parentId", void 0);
-    }
-}
-_ts_decorate([
-    ApiProperty({
-        description: 'Filter by active status',
-        required: false
-    }),
-    IsBoolean(),
-    IsOptional(),
-    _ts_metadata("design:type", Boolean)
-], ActionQueryDto.prototype, "isActive", void 0);
-_ts_decorate([
-    ApiProperty({
-        description: 'Filter by parent ID',
-        required: false
-    }),
-    IsUUID(),
-    IsOptional(),
-    _ts_metadata("design:type", String)
-], ActionQueryDto.prototype, "parentId", void 0);
 export class ActionTreeQueryDto {
     constructor(){
         _define_property(this, "search", void 0);

package/fesm/dtos/permission.dto.js

@@ -290,31 +290,45 @@ export class UserActionResponseDto {
     }
 }
 _ts_decorate([
-    ApiProperty(),
+    ApiProperty({
+        description: 'Permission ID'
+    }),
     _ts_metadata("design:type", String)
 ], UserActionResponseDto.prototype, "id", void 0);
 _ts_decorate([
-    ApiProperty(),
+    ApiProperty({
+        description: 'User ID'
+    }),
     _ts_metadata("design:type", String)
 ], UserActionResponseDto.prototype, "userId", void 0);
 _ts_decorate([
-    ApiProperty(),
+    ApiProperty({
+        description: 'Action ID'
+    }),
     _ts_metadata("design:type", String)
 ], UserActionResponseDto.prototype, "actionId", void 0);
 _ts_decorate([
-    ApiProperty(),
+    ApiProperty({
+        description: 'Action code'
+    }),
     _ts_metadata("design:type", String)
 ], UserActionResponseDto.prototype, "actionCode", void 0);
 _ts_decorate([
-    ApiProperty(),
+    ApiProperty({
+        description: 'Action name'
+    }),
     _ts_metadata("design:type", String)
 ], UserActionResponseDto.prototype, "actionName", void 0);
 _ts_decorate([
-    ApiPropertyOptional(),
+    ApiPropertyOptional({
+        description: 'Branch ID (null = company-wide)'
+    }),
     _ts_metadata("design:type", Object)
 ], UserActionResponseDto.prototype, "branchId", void 0);
 _ts_decorate([
-    ApiProperty(),
+    ApiProperty({
+        description: 'When this permission was created'
+    }),
     _ts_metadata("design:type", typeof Date === "undefined" ? Object : Date)
 ], UserActionResponseDto.prototype, "createdAt", void 0);
 export class RoleActionResponseDto {
@@ -328,27 +342,39 @@ export class RoleActionResponseDto {
     }
 }
 _ts_decorate([
-    ApiProperty(),
+    ApiProperty({
+        description: 'Permission ID'
+    }),
     _ts_metadata("design:type", String)
 ], RoleActionResponseDto.prototype, "id", void 0);
 _ts_decorate([
-    ApiProperty(),
+    ApiProperty({
+        description: 'Role ID'
+    }),
     _ts_metadata("design:type", String)
 ], RoleActionResponseDto.prototype, "roleId", void 0);
 _ts_decorate([
-    ApiProperty(),
+    ApiProperty({
+        description: 'Action ID'
+    }),
     _ts_metadata("design:type", String)
 ], RoleActionResponseDto.prototype, "actionId", void 0);
 _ts_decorate([
-    ApiProperty(),
+    ApiProperty({
+        description: 'Action code'
+    }),
     _ts_metadata("design:type", String)
 ], RoleActionResponseDto.prototype, "actionCode", void 0);
 _ts_decorate([
-    ApiProperty(),
+    ApiProperty({
+        description: 'Action name'
+    }),
     _ts_metadata("design:type", String)
 ], RoleActionResponseDto.prototype, "actionName", void 0);
 _ts_decorate([
-    ApiProperty(),
+    ApiProperty({
+        description: 'When this permission was created'
+    }),
     _ts_metadata("design:type", typeof Date === "undefined" ? Object : Date)
 ], RoleActionResponseDto.prototype, "createdAt", void 0);
 export class CompanyActionResponseDto {
@@ -408,27 +434,39 @@ export class UserRoleResponseDto {
     }
 }
 _ts_decorate([
-    ApiProperty(),
+    ApiProperty({
+        description: 'Permission ID'
+    }),
     _ts_metadata("design:type", String)
 ], UserRoleResponseDto.prototype, "id", void 0);
 _ts_decorate([
-    ApiProperty(),
+    ApiProperty({
+        description: 'User ID'
+    }),
     _ts_metadata("design:type", String)
 ], UserRoleResponseDto.prototype, "userId", void 0);
 _ts_decorate([
-    ApiProperty(),
+    ApiProperty({
+        description: 'Role ID'
+    }),
     _ts_metadata("design:type", String)
 ], UserRoleResponseDto.prototype, "roleId", void 0);
 _ts_decorate([
-    ApiProperty(),
+    ApiProperty({
+        description: 'Role name'
+    }),
     _ts_metadata("design:type", String)
 ], UserRoleResponseDto.prototype, "roleName", void 0);
 _ts_decorate([
-    ApiPropertyOptional(),
+    ApiPropertyOptional({
+        description: 'Branch ID (null = company-wide)'
+    }),
     _ts_metadata("design:type", Object)
 ], UserRoleResponseDto.prototype, "branchId", void 0);
 _ts_decorate([
-    ApiProperty(),
+    ApiProperty({
+        description: 'When this permission was created'
+    }),
     _ts_metadata("design:type", typeof Date === "undefined" ? Object : Date)
 ], UserRoleResponseDto.prototype, "createdAt", void 0);
 export class FrontendActionDto {
@@ -440,19 +478,27 @@ export class FrontendActionDto {
     }
 }
 _ts_decorate([
-    ApiProperty(),
+    ApiProperty({
+        description: 'Action ID'
+    }),
     _ts_metadata("design:type", String)
 ], FrontendActionDto.prototype, "id", void 0);
 _ts_decorate([
-    ApiProperty(),
+    ApiProperty({
+        description: 'Action code'
+    }),
     _ts_metadata("design:type", String)
 ], FrontendActionDto.prototype, "code", void 0);
 _ts_decorate([
-    ApiProperty(),
+    ApiProperty({
+        description: 'Action name'
+    }),
     _ts_metadata("design:type", String)
 ], FrontendActionDto.prototype, "name", void 0);
 _ts_decorate([
-    ApiPropertyOptional(),
+    ApiPropertyOptional({
+        description: 'Action description'
+    }),
     _ts_metadata("design:type", Object)
 ], FrontendActionDto.prototype, "description", void 0);
 export class MyPermissionsQueryDto {
@@ -507,18 +553,26 @@ export class PermissionOperationResultDto {
     }
 }
 _ts_decorate([
-    ApiProperty(),
+    ApiProperty({
+        description: 'Whether the operation succeeded'
+    }),
     _ts_metadata("design:type", Boolean)
 ], PermissionOperationResultDto.prototype, "success", void 0);
 _ts_decorate([
-    ApiProperty(),
+    ApiProperty({
+        description: 'Number of permissions added'
+    }),
     _ts_metadata("design:type", Number)
 ], PermissionOperationResultDto.prototype, "added", void 0);
 _ts_decorate([
-    ApiProperty(),
+    ApiProperty({
+        description: 'Number of permissions removed'
+    }),
     _ts_metadata("design:type", Number)
 ], PermissionOperationResultDto.prototype, "removed", void 0);
 _ts_decorate([
-    ApiProperty(),
+    ApiProperty({
+        description: 'Operation result message'
+    }),
     _ts_metadata("design:type", String)
 ], PermissionOperationResultDto.prototype, "message", void 0);

package/fesm/dtos/role.dto.js

@@ -104,30 +104,6 @@ _ts_decorate([
     IsNotEmpty(),
     _ts_metadata("design:type", String)
 ], UpdateRoleDto.prototype, "id", void 0);
-export class RoleQueryDto {
-    constructor(){
-        _define_property(this, "companyId", void 0);
-        _define_property(this, "isActive", void 0);
-    }
-}
-_ts_decorate([
-    ApiProperty({
-        description: 'Filter by company ID - Only available when company feature is enabled',
-        required: false
-    }),
-    IsUUID(),
-    IsOptional(),
-    _ts_metadata("design:type", String)
-], RoleQueryDto.prototype, "companyId", void 0);
-_ts_decorate([
-    ApiProperty({
-        description: 'Filter by active status',
-        required: false
-    }),
-    IsBoolean(),
-    IsOptional(),
-    _ts_metadata("design:type", Boolean)
-], RoleQueryDto.prototype, "isActive", void 0);
 export class RoleResponseDto {
     constructor(){
         _define_property(this, "id", void 0);

package/fesm/helpers/company-access.helper.js

@@ -0,0 +1,14 @@
+import { ForbiddenException } from '@nestjs/common';
+/**
+ * Validates that user has access to the specified company.
+ * Used for user-action and role-permission operations when company feature is enabled.
+ *
+ * @throws ForbiddenException if user doesn't have access to the company
+ */ export function validateCompanyAccess(config, companyId, user, errorMessage = 'You do not have access to this company') {
+    if (!config.isCompanyFeatureEnabled() || !companyId) {
+        return;
+    }
+    if (user.companyId !== companyId) {
+        throw new ForbiddenException(errorMessage);
+    }
+}

package/fesm/helpers/index.js

@@ -1,2 +1,2 @@
-export * from './permission-evaluator.helper';
+export * from './company-access.helper';
 export * from './permission-mode.helper';

package/fesm/interfaces/iam-module-options.interface.js

@@ -1 +1,3 @@
-export * from './iam-module-async-options.interface';
+/**
+ * Async options for IAMModule registration
+ */ export { };

package/fesm/interfaces/index.js

@@ -1,4 +1,3 @@
 export * from './action.interface';
 export * from './role.interface';
 export * from './iam-module-options.interface';
-export * from './iam-module-async-options.interface';

package/fesm/modules/iam.module.js

@@ -6,16 +6,14 @@ function _ts_decorate(decorators, target, key, desc) {
 }
 import { PERMISSION_GUARD_CONFIG } from '@flusys/nestjs-shared';
 import { CacheModule, UtilsModule } from '@flusys/nestjs-shared/modules';
-import { Module, Scope } from '@nestjs/common';
-import { getRepositoryToken } from '@nestjs/typeorm';
+import { Module } from '@nestjs/common';
 import { IAM_MODULE_OPTIONS } from '../config/iam.constants';
 import { ActionController, CompanyActionPermissionController, MyPermissionController, RoleController, RolePermissionController, UserActionPermissionController } from '../controllers';
-import { Action, Role, RoleWithCompany, UserIamPermission, UserIamPermissionWithCompany } from '../entities';
 import { IAMPermissionMode } from '../enums/permission-type.enum';
-import { PermissionEvaluatorHelper, PermissionModeHelper } from '../helpers';
+import { PermissionModeHelper } from '../helpers';
 import { ActionService, PermissionService, RoleService } from '../services';
 import { IAMConfigService } from '../services/iam-config.service';
-import { IAMDataSourceProvider } from '../services/iam-datasource.provider';
+import { IAMDataSourceService } from '../services/iam-datasource.service';
 import { PermissionCacheService } from '../services/permission-cache.service';
 export class IAMModule {
     static getControllers(permissionMode, enableCompanyFeature) {
@@ -44,33 +42,11 @@ export class IAMModule {
         }
         return baseControllers;
     }
-    static getEntities(permissionMode, enableCompanyFeature) {
-        // Core entities
-        const entities = [];
-        // Action entity - always included
-        entities.push(Action);
-        // Permission entity is always needed
-        if (enableCompanyFeature) {
-            entities.push(UserIamPermissionWithCompany);
-        } else {
-            entities.push(UserIamPermission);
-        }
-        // Role entity - Only for RBAC or FULL mode
-        if (permissionMode === IAMPermissionMode.RBAC || permissionMode === IAMPermissionMode.FULL) {
-            if (enableCompanyFeature) {
-                entities.push(RoleWithCompany);
-            } else {
-                entities.push(Role);
-            }
-        }
-        return entities;
-    }
     static getServices(permissionMode) {
         const services = [
             ActionService,
             PermissionService,
-            PermissionCacheService,
-            PermissionEvaluatorHelper
+            PermissionCacheService
         ];
         // RoleService - Only for RBAC or FULL mode
         if (permissionMode === IAMPermissionMode.RBAC || permissionMode === IAMPermissionMode.FULL) {
@@ -78,10 +54,7 @@ export class IAMModule {
         }
         return services;
     }
-    /**
-   * Provide PermissionGuard config with enableCompanyFeature
-   * This ensures guard uses correct cache key format matching the permission cache service
-   */ static getPermissionGuardConfigProvider(enableCompanyFeature) {
+    static getPermissionGuardConfigProvider(enableCompanyFeature) {
         return {
             provide: PERMISSION_GUARD_CONFIG,
             useValue: {
@@ -89,30 +62,24 @@ export class IAMModule {
             }
         };
     }
-    /**
-   * Create repository providers that use IAMDataSourceProvider
-   * This replaces TypeOrmModule.forFeature() functionality
-   */ static getRepositoryProviders(permissionMode, enableCompanyFeature) {
-        const entities = this.getEntities(permissionMode, enableCompanyFeature);
-        return entities.map((entity)=>({
-                provide: getRepositoryToken(entity),
-                scope: Scope.REQUEST,
-                useFactory: async (dataSourceProvider)=>{
-                    return await dataSourceProvider.getRepository(entity);
-                },
-                inject: [
-                    IAMDataSourceProvider
-                ]
-            }));
+    static getExports(permissionMode) {
+        const baseExports = [
+            IAMConfigService,
+            IAMDataSourceService,
+            ActionService,
+            PermissionService,
+            PermissionCacheService,
+            PERMISSION_GUARD_CONFIG
+        ];
+        if (permissionMode === IAMPermissionMode.RBAC || permissionMode === IAMPermissionMode.FULL) {
+            baseExports.push(RoleService);
+        }
+        return baseExports;
     }
     static forRoot(options = {}) {
         const { global = false, includeController = false } = options;
-        const databaseMode = options.bootstrapAppConfig?.databaseMode;
         const enableCompanyFeature = options.bootstrapAppConfig?.enableCompanyFeature ?? false;
-        // Read permissionMode from bootstrap config using helper
         const permissionMode = PermissionModeHelper.fromString(options.bootstrapAppConfig?.permissionMode);
-        const isMultiTenant = databaseMode === 'multi-tenant';
-        const entities = this.getEntities(permissionMode, enableCompanyFeature);
         const controllers = includeController ? this.getControllers(permissionMode, enableCompanyFeature) : [];
         const providers = [
             {
@@ -120,87 +87,52 @@ export class IAMModule {
                 useValue: options
             },
             IAMConfigService,
-            IAMDataSourceProvider,
+            IAMDataSourceService,
             ...this.getServices(permissionMode),
             this.getPermissionGuardConfigProvider(enableCompanyFeature)
         ];
-        const imports = [
-            CacheModule,
-            UtilsModule
-        ];
         const module = {
             module: IAMModule,
-            imports,
+            imports: [
+                CacheModule,
+                UtilsModule
+            ],
             controllers,
             providers,
-            exports: [
-                IAMConfigService,
-                IAMDataSourceProvider,
-                ActionService,
-                PermissionService,
-                PermissionCacheService,
-                PermissionEvaluatorHelper,
-                PERMISSION_GUARD_CONFIG,
-                ...permissionMode === IAMPermissionMode.RBAC || permissionMode === IAMPermissionMode.FULL ? [
-                    RoleService
-                ] : []
-            ]
+            exports: this.getExports(permissionMode)
         };
-        if (global) {
-            return {
-                ...module,
-                global: true
-            };
-        }
-        return module;
+        return global ? {
+            ...module,
+            global: true
+        } : module;
     }
     static forRootAsync(asyncOptions) {
         const { global = false, includeController = false, imports: externalImports = [] } = asyncOptions;
-        const databaseMode = asyncOptions.bootstrapAppConfig?.databaseMode;
         const enableCompanyFeature = asyncOptions.bootstrapAppConfig?.enableCompanyFeature ?? false;
-        // Read permissionMode from bootstrap config using helper
         const permissionMode = PermissionModeHelper.fromString(asyncOptions.bootstrapAppConfig?.permissionMode);
-        const isMultiTenant = databaseMode === 'multi-tenant';
-        const entities = this.getEntities(permissionMode, enableCompanyFeature);
         const controllers = includeController ? this.getControllers(permissionMode, enableCompanyFeature) : [];
-        const asyncProviders = this.createAsyncProviders(asyncOptions);
         const providers = [
-            ...asyncProviders,
+            ...this.createAsyncProviders(asyncOptions),
             IAMConfigService,
-            IAMDataSourceProvider,
+            IAMDataSourceService,
             ...this.getServices(permissionMode),
             this.getPermissionGuardConfigProvider(enableCompanyFeature)
         ];
-        const imports = [
-            ...externalImports,
-            CacheModule,
-            UtilsModule
-        ];
         const module = {
             module: IAMModule,
-            imports,
+            imports: [
+                ...externalImports,
+                CacheModule,
+                UtilsModule
+            ],
             controllers,
             providers,
-            exports: [
-                IAMConfigService,
-                IAMDataSourceProvider,
-                ActionService,
-                PermissionService,
-                PermissionCacheService,
-                PermissionEvaluatorHelper,
-                PERMISSION_GUARD_CONFIG,
-                ...permissionMode === IAMPermissionMode.RBAC || permissionMode === IAMPermissionMode.FULL ? [
-                    RoleService
-                ] : []
-            ]
+            exports: this.getExports(permissionMode)
         };
-        if (global) {
-            return {
-                ...module,
-                global: true
-            };
-        }
-        return module;
+        return global ? {
+            ...module,
+            global: true
+        } : module;
     }
     static createAsyncProviders(options) {
         if (options.useExisting || options.useFactory) {