@flusys/nestjs-iam 1.0.0-rc → 2.0.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@flusys/nestjs-iam",
-  "version": "1.0.0-rc",
+  "version": "2.0.0",
   "description": "Identity and Access Management (IAM) module for NestJS applications",
   "main": "cjs/index.js",
   "module": "fesm/index.js",
@@ -89,7 +89,7 @@
     "typeorm": "^0.3.0"
   },
   "dependencies": {
-    "@flusys/nestjs-core": "1.0.0-rc",
-    "@flusys/nestjs-shared": "1.0.0-rc"
+    "@flusys/nestjs-core": "2.0.0",
+    "@flusys/nestjs-shared": "2.0.0"
   }
 }

package/services/action.service.d.ts

@@ -1,4 +1,4 @@
-import { RequestScopedApiService, HybridCache } from '@flusys/nestjs-shared/classes';
+import { HybridCache, RequestScopedApiService } from '@flusys/nestjs-shared/classes';
 import { ILoggedUserInfo } from '@flusys/nestjs-shared/interfaces';
 import { UtilsService } from '@flusys/nestjs-shared/modules';
 import { EntityTarget, Repository, SelectQueryBuilder } from 'typeorm';
@@ -6,7 +6,7 @@ import { CreateActionDto, UpdateActionDto } from '../dtos/action.dto';
 import { ActionBase } from '../entities/action-base.entity';
 import { IAction, IActionTree } from '../interfaces/action.interface';
 import { IAMConfigService } from './iam-config.service';
-import { IAMDataSourceProvider } from './iam-datasource.provider';
+import { IAMDataSourceService } from './iam-datasource.service';
 import { PermissionService } from './permission.service';
 export declare class ActionService extends RequestScopedApiService<CreateActionDto, UpdateActionDto, IAction, ActionBase, Repository<ActionBase>> {
     protected cacheManager: HybridCache;
@@ -14,9 +14,9 @@ export declare class ActionService extends RequestScopedApiService<CreateActionD
     private readonly iamConfigService;
     private readonly dataSourceProvider;
     private readonly permissionService;
-    constructor(cacheManager: HybridCache, utilsService: UtilsService, iamConfigService: IAMConfigService, dataSourceProvider: IAMDataSourceProvider, permissionService: PermissionService);
+    constructor(cacheManager: HybridCache, utilsService: UtilsService, iamConfigService: IAMConfigService, dataSourceProvider: IAMDataSourceService, permissionService: PermissionService);
     protected resolveEntity(): EntityTarget<ActionBase>;
-    protected getDataSourceProvider(): IAMDataSourceProvider;
+    protected getDataSourceProvider(): IAMDataSourceService;
     getSelectQuery(query: SelectQueryBuilder<ActionBase>, _user: ILoggedUserInfo | null, select?: string[]): Promise<{
         query: SelectQueryBuilder<ActionBase>;
         isRaw: boolean;
@@ -26,6 +26,8 @@ export declare class ActionService extends RequestScopedApiService<CreateActionD
         isRaw: boolean;
     }>;
     protected convertEntityToResponseDto(entity: ActionBase, _isRaw: boolean): IAction;
+    private readonly actionSelectFields;
+    private requireUser;
     getActionsForPermission(user: ILoggedUserInfo): Promise<IAction[]>;
     getActionTree(user: ILoggedUserInfo, search?: string, isActive?: boolean, withDeleted?: boolean): Promise<IActionTree[]>;
     private buildActionTree;

package/services/iam-config.service.d.ts

@@ -7,7 +7,6 @@ export declare class IAMConfigService implements IModuleConfigService {
     constructor(injectedOptions?: IAMModuleOptions);
     getDatabaseMode(): DatabaseMode;
     isMultiTenant(): boolean;
-    getEnableCompanyFeature(): boolean;
     isCompanyFeatureEnabled(): boolean;
     getPermissionMode(): IAMPermissionMode;
     isRbacEnabled(): boolean;

package/services/{iam-datasource.provider.d.ts → iam-datasource.service.d.ts}

@@ -3,9 +3,9 @@ import { IDatabaseConfig, ITenantDatabaseConfig } from '@flusys/nestjs-core';
 import { Logger } from '@nestjs/common';
 import { Request } from 'express';
 import { DataSource } from 'typeorm';
-import { IAMModuleOptions } from '../interfaces/iam-module-options.interface';
-export declare class IAMDataSourceProvider extends MultiTenantDataSourceService {
-    private readonly iamOptions;
+import { IAMConfigService } from './iam-config.service';
+export declare class IAMDataSourceService extends MultiTenantDataSourceService {
+    private readonly configService;
     protected readonly logger: Logger;
     protected static readonly tenantConnections: Map<string, DataSource>;
     protected static singleDataSource: DataSource | null;
@@ -13,9 +13,8 @@ export declare class IAMDataSourceProvider extends MultiTenantDataSourceService
     protected static initialized: boolean;
     protected static readonly connectionLocks: Map<string, Promise<DataSource>>;
     protected static singleConnectionLock: Promise<DataSource> | null;
-    constructor(iamOptions: IAMModuleOptions, request?: Request);
+    constructor(configService: IAMConfigService, request?: Request);
     private static buildParentOptions;
-    getEnableCompanyFeature(): boolean;
     getEnableCompanyFeatureForTenant(tenant?: ITenantDatabaseConfig): boolean;
     getEnableCompanyFeatureForCurrentTenant(): boolean;
     getIAMEntities(): Promise<any[]>;

package/services/index.d.ts

@@ -1,6 +1,6 @@
 export * from './action.service';
 export * from './iam-config.service';
-export * from './iam-datasource.provider';
+export * from './iam-datasource.service';
 export * from './permission-cache.service';
 export * from './permission.service';
 export * from './role.service';

package/services/permission-cache.service.d.ts

@@ -26,17 +26,14 @@ export declare class PermissionCacheService {
     constructor(cacheManager: HybridCache);
     generateCacheKey(options: PermissionCacheKeyOptions): string;
     generateMyPermissionsCacheKey(options: PermissionCacheKeyOptions): string;
+    private buildCacheKey;
     setPermissions(options: PermissionCacheKeyOptions, permissions: string[]): Promise<void>;
-    getPermissions(options: PermissionCacheKeyOptions): Promise<string[] | null>;
     setMyPermissions(options: PermissionCacheKeyOptions, data: CachedMyPermissions): Promise<void>;
     getMyPermissions(options: PermissionCacheKeyOptions): Promise<CachedMyPermissions | null>;
     private generateActionCodeCacheKey;
     setActionCodeMap(codeToIdMap: Record<string, string>, tenantId?: string): Promise<void>;
     getActionIdsByCodes(codes: string[], tenantId?: string): Promise<Record<string, string> | null>;
-    invalidateActionCodeCache(tenantId?: string): Promise<void>;
     invalidateUser(userId: string, companyId?: string | null, branchIds?: (string | null)[]): Promise<void>;
     invalidateUsers(userIds: string[], companyId?: string | null, branchIds?: (string | null)[]): Promise<number>;
-    invalidateCompany(companyId: string): Promise<number>;
     invalidateRole(roleId: string, userIds: string[], companyId?: string | null, branchIds?: (string | null)[]): Promise<number>;
-    clearAll(): Promise<void>;
 }

package/services/permission.service.d.ts

@@ -1,13 +1,13 @@
 import { AssignCompanyActionsDto, AssignRoleActionsDto, AssignUserActionsDto, AssignUserRolesDto, CompanyActionResponseDto, MyPermissionsResponseDto, PermissionOperationResultDto, RoleActionResponseDto, UserActionResponseDto, UserRoleResponseDto } from '../dtos/permission.dto';
 import { IAMConfigService } from './iam-config.service';
-import { IAMDataSourceProvider } from './iam-datasource.provider';
+import { IAMDataSourceService } from './iam-datasource.service';
 import { PermissionCacheService } from './permission-cache.service';
 export declare class PermissionService {
     private readonly permissionCacheService;
     private readonly iamConfigService;
     private readonly dataSourceProvider;
     private readonly logger;
-    constructor(permissionCacheService: PermissionCacheService, iamConfigService: IAMConfigService, dataSourceProvider: IAMDataSourceProvider);
+    constructor(permissionCacheService: PermissionCacheService, iamConfigService: IAMConfigService, dataSourceProvider: IAMDataSourceService);
     private getPermissionRepository;
     private getActionRepository;
     private getRoleRepository;
@@ -30,6 +30,8 @@ export declare class PermissionService {
     private collectAllActionIds;
     private applyCompanyWhitelist;
     private buildAndCachePermissionData;
+    private splitItemsByAction;
+    private buildOperationResult;
     private getUserRoleIds;
     private getRoleActionIds;
     private getUserActionIds;

package/services/role.service.d.ts

@@ -6,15 +6,15 @@ import { CreateRoleDto, UpdateRoleDto } from '../dtos/role.dto';
 import { RoleBase } from '../entities/role-base.entity';
 import { IRole } from '../interfaces/role.interface';
 import { IAMConfigService } from './iam-config.service';
-import { IAMDataSourceProvider } from './iam-datasource.provider';
+import { IAMDataSourceService } from './iam-datasource.service';
 export declare class RoleService extends RequestScopedApiService<CreateRoleDto, UpdateRoleDto, IRole, RoleBase, Repository<RoleBase>> {
     protected cacheManager: HybridCache;
     protected utilsService: UtilsService;
     private readonly iamConfigService;
     private readonly dataSourceProvider;
-    constructor(cacheManager: HybridCache, utilsService: UtilsService, iamConfigService: IAMConfigService, dataSourceProvider: IAMDataSourceProvider);
+    constructor(cacheManager: HybridCache, utilsService: UtilsService, iamConfigService: IAMConfigService, dataSourceProvider: IAMDataSourceService);
     protected resolveEntity(): EntityTarget<RoleBase>;
-    protected getDataSourceProvider(): IAMDataSourceProvider;
+    protected getDataSourceProvider(): IAMDataSourceService;
     convertSingleDtoToEntity(dto: CreateRoleDto | UpdateRoleDto, user: ILoggedUserInfo | null): Promise<RoleBase>;
     getSelectQuery(query: SelectQueryBuilder<RoleBase>, _user: ILoggedUserInfo | null, select?: string[]): Promise<{
         query: SelectQueryBuilder<RoleBase>;

package/cjs/helpers/permission-evaluator.helper.js

@@ -1,175 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", {
-    value: true
-});
-Object.defineProperty(exports, "PermissionEvaluatorHelper", {
-    enumerable: true,
-    get: function() {
-        return PermissionEvaluatorHelper;
-    }
-});
-const _common = require("@nestjs/common");
-function _ts_decorate(decorators, target, key, desc) {
-    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
-    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
-    else for(var i = decorators.length - 1; i >= 0; i--)if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
-    return c > 3 && r && Object.defineProperty(target, key, r), r;
-}
-let PermissionEvaluatorHelper = class PermissionEvaluatorHelper {
-    /**
-   * Evaluate if user has access based on permission logic
-   *
-   * @param logic - Permission logic to evaluate
-   * @param context - User permission context
-   * @returns true if user has access, false otherwise
-   */ evaluate(logic, context) {
-        // If no logic defined, access is granted
-        if (!logic) {
-            return true;
-        }
-        return this.evaluateNode(logic, context);
-    }
-    /**
-   * Evaluate a single logic node
-   */ evaluateNode(node, context) {
-        switch(node.type){
-            case 'action':
-                return this.evaluateAction(node.actionId, context);
-            case 'group':
-                return this.evaluateGroup(node, context);
-            default:
-                // Unknown node type, deny access
-                return false;
-        }
-    }
-    /**
-   * Evaluate action permission
-   * Priority: Deny > Grant > Inherited
-   */ evaluateAction(actionId, context) {
-        // 1. Check explicit deny (highest priority)
-        if (context.deniedActionIds.has(actionId)) {
-            return false;
-        }
-        // 2. Check explicit grant
-        if (context.grantedActionIds.has(actionId)) {
-            return true;
-        }
-        // 3. Check inherited actions (from parent actions)
-        if (context.inheritedActionIds?.has(actionId)) {
-            return true;
-        }
-        // No permission found
-        return false;
-    }
-    /**
-   * Evaluate group (AND/OR logic)
-   */ evaluateGroup(node, context) {
-        if (!node.children || node.children.length === 0) {
-            return false;
-        }
-        const results = node.children.map((child)=>this.evaluateNode(child, context));
-        if (node.operator === 'AND') {
-            // ALL children must be true
-            return results.every((result)=>result === true);
-        } else if (node.operator === 'OR') {
-            // ANY child must be true
-            return results.some((result)=>result === true);
-        }
-        // Unknown operator, deny access
-        return false;
-    }
-    /**
-   * Batch evaluate multiple logic nodes
-   * Useful for checking multiple permissions at once
-   *
-   * @param logics - Array of logic nodes to evaluate
-   * @param context - User permission context
-   * @returns Map of logic ID to evaluation result
-   */ batchEvaluate(logics, context) {
-        const results = new Map();
-        for (const item of logics){
-            results.set(item.id, this.evaluate(item.logic, context));
-        }
-        return results;
-    }
-    /**
-   * Check if user has ANY of the specified actions
-   *
-   * @param actionIds - Array of action IDs
-   * @param context - User permission context
-   * @returns true if user has at least one action
-   */ hasAnyAction(actionIds, context) {
-        return actionIds.some((actionId)=>this.evaluateAction(actionId, context));
-    }
-    /**
-   * Check if user has ALL of the specified actions
-   *
-   * @param actionIds - Array of action IDs
-   * @param context - User permission context
-   * @returns true if user has all actions
-   */ hasAllActions(actionIds, context) {
-        return actionIds.every((actionId)=>this.evaluateAction(actionId, context));
-    }
-    /**
-   * Check if user has ANY of the specified roles
-   *
-   * @param roleIds - Array of role IDs
-   * @param context - User permission context
-   * @returns true if user has at least one role
-   */ hasAnyRole(roleIds, context) {
-        return roleIds.some((roleId)=>context.roleIds.has(roleId));
-    }
-    /**
-   * Check if user has ALL of the specified roles
-   *
-   * @param roleIds - Array of role IDs
-   * @param context - User permission context
-   * @returns true if user has all roles
-   */ hasAllRoles(roleIds, context) {
-        return roleIds.every((roleId)=>context.roleIds.has(roleId));
-    }
-    /**
-   * Simplified evaluation for menu filtering
-   * Uses action codes instead of action IDs
-   *
-   * @param logic - Permission logic to evaluate
-   * @param actionCodes - Set of action codes the user has
-   * @returns true if user has access, false otherwise
-   */ evaluateLogicNode(logic, actionCodes) {
-        if (!logic) {
-            return true;
-        }
-        return this.evaluateNodeSimple(logic, actionCodes);
-    }
-    /**
-   * Simplified node evaluation using codes
-   */ evaluateNodeSimple(node, actionCodes) {
-        switch(node.type){
-            case 'action':
-                // Check if user has action by actionId (which matches action.code)
-                return node.actionId ? actionCodes.has(node.actionId) : false;
-            case 'group':
-                return this.evaluateGroupSimple(node, actionCodes);
-            default:
-                return false;
-        }
-    }
-    /**
-   * Simplified group evaluation
-   */ evaluateGroupSimple(node, actionCodes) {
-        if (!node.children || node.children.length === 0) {
-            // Empty AND = true, Empty OR = false
-            return node.operator === 'AND';
-        }
-        const results = node.children.map((child)=>this.evaluateNodeSimple(child, actionCodes));
-        if (node.operator === 'AND') {
-            return results.every((result)=>result === true);
-        } else if (node.operator === 'OR') {
-            return results.some((result)=>result === true);
-        }
-        return false;
-    }
-};
-PermissionEvaluatorHelper = _ts_decorate([
-    (0, _common.Injectable)()
-], PermissionEvaluatorHelper);

package/cjs/interfaces/iam-module-async-options.interface.js

@@ -1,4 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", {
-    value: true
-});

package/fesm/helpers/permission-evaluator.helper.js

@@ -1,165 +0,0 @@
-function _ts_decorate(decorators, target, key, desc) {
-    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
-    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
-    else for(var i = decorators.length - 1; i >= 0; i--)if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
-    return c > 3 && r && Object.defineProperty(target, key, r), r;
-}
-import { Injectable } from '@nestjs/common';
-export class PermissionEvaluatorHelper {
-    /**
-   * Evaluate if user has access based on permission logic
-   *
-   * @param logic - Permission logic to evaluate
-   * @param context - User permission context
-   * @returns true if user has access, false otherwise
-   */ evaluate(logic, context) {
-        // If no logic defined, access is granted
-        if (!logic) {
-            return true;
-        }
-        return this.evaluateNode(logic, context);
-    }
-    /**
-   * Evaluate a single logic node
-   */ evaluateNode(node, context) {
-        switch(node.type){
-            case 'action':
-                return this.evaluateAction(node.actionId, context);
-            case 'group':
-                return this.evaluateGroup(node, context);
-            default:
-                // Unknown node type, deny access
-                return false;
-        }
-    }
-    /**
-   * Evaluate action permission
-   * Priority: Deny > Grant > Inherited
-   */ evaluateAction(actionId, context) {
-        // 1. Check explicit deny (highest priority)
-        if (context.deniedActionIds.has(actionId)) {
-            return false;
-        }
-        // 2. Check explicit grant
-        if (context.grantedActionIds.has(actionId)) {
-            return true;
-        }
-        // 3. Check inherited actions (from parent actions)
-        if (context.inheritedActionIds?.has(actionId)) {
-            return true;
-        }
-        // No permission found
-        return false;
-    }
-    /**
-   * Evaluate group (AND/OR logic)
-   */ evaluateGroup(node, context) {
-        if (!node.children || node.children.length === 0) {
-            return false;
-        }
-        const results = node.children.map((child)=>this.evaluateNode(child, context));
-        if (node.operator === 'AND') {
-            // ALL children must be true
-            return results.every((result)=>result === true);
-        } else if (node.operator === 'OR') {
-            // ANY child must be true
-            return results.some((result)=>result === true);
-        }
-        // Unknown operator, deny access
-        return false;
-    }
-    /**
-   * Batch evaluate multiple logic nodes
-   * Useful for checking multiple permissions at once
-   *
-   * @param logics - Array of logic nodes to evaluate
-   * @param context - User permission context
-   * @returns Map of logic ID to evaluation result
-   */ batchEvaluate(logics, context) {
-        const results = new Map();
-        for (const item of logics){
-            results.set(item.id, this.evaluate(item.logic, context));
-        }
-        return results;
-    }
-    /**
-   * Check if user has ANY of the specified actions
-   *
-   * @param actionIds - Array of action IDs
-   * @param context - User permission context
-   * @returns true if user has at least one action
-   */ hasAnyAction(actionIds, context) {
-        return actionIds.some((actionId)=>this.evaluateAction(actionId, context));
-    }
-    /**
-   * Check if user has ALL of the specified actions
-   *
-   * @param actionIds - Array of action IDs
-   * @param context - User permission context
-   * @returns true if user has all actions
-   */ hasAllActions(actionIds, context) {
-        return actionIds.every((actionId)=>this.evaluateAction(actionId, context));
-    }
-    /**
-   * Check if user has ANY of the specified roles
-   *
-   * @param roleIds - Array of role IDs
-   * @param context - User permission context
-   * @returns true if user has at least one role
-   */ hasAnyRole(roleIds, context) {
-        return roleIds.some((roleId)=>context.roleIds.has(roleId));
-    }
-    /**
-   * Check if user has ALL of the specified roles
-   *
-   * @param roleIds - Array of role IDs
-   * @param context - User permission context
-   * @returns true if user has all roles
-   */ hasAllRoles(roleIds, context) {
-        return roleIds.every((roleId)=>context.roleIds.has(roleId));
-    }
-    /**
-   * Simplified evaluation for menu filtering
-   * Uses action codes instead of action IDs
-   *
-   * @param logic - Permission logic to evaluate
-   * @param actionCodes - Set of action codes the user has
-   * @returns true if user has access, false otherwise
-   */ evaluateLogicNode(logic, actionCodes) {
-        if (!logic) {
-            return true;
-        }
-        return this.evaluateNodeSimple(logic, actionCodes);
-    }
-    /**
-   * Simplified node evaluation using codes
-   */ evaluateNodeSimple(node, actionCodes) {
-        switch(node.type){
-            case 'action':
-                // Check if user has action by actionId (which matches action.code)
-                return node.actionId ? actionCodes.has(node.actionId) : false;
-            case 'group':
-                return this.evaluateGroupSimple(node, actionCodes);
-            default:
-                return false;
-        }
-    }
-    /**
-   * Simplified group evaluation
-   */ evaluateGroupSimple(node, actionCodes) {
-        if (!node.children || node.children.length === 0) {
-            // Empty AND = true, Empty OR = false
-            return node.operator === 'AND';
-        }
-        const results = node.children.map((child)=>this.evaluateNodeSimple(child, actionCodes));
-        if (node.operator === 'AND') {
-            return results.every((result)=>result === true);
-        } else if (node.operator === 'OR') {
-            return results.some((result)=>result === true);
-        }
-        return false;
-    }
-}
-PermissionEvaluatorHelper = _ts_decorate([
-    Injectable()
-], PermissionEvaluatorHelper);

package/fesm/interfaces/iam-module-async-options.interface.js

@@ -1,3 +0,0 @@
-/**
- * Async options for IAMModule registration
- */ export { };

package/helpers/permission-evaluator.helper.d.ts

@@ -1,26 +0,0 @@
-import { LogicNode } from '../types';
-export interface UserPermissionContext {
-    userId: string;
-    branchId?: string | null;
-    grantedActionIds: Set<string>;
-    deniedActionIds: Set<string>;
-    roleIds: Set<string>;
-    inheritedActionIds?: Set<string>;
-}
-export declare class PermissionEvaluatorHelper {
-    evaluate(logic: LogicNode | null, context: UserPermissionContext): boolean;
-    private evaluateNode;
-    evaluateAction(actionId: string, context: UserPermissionContext): boolean;
-    private evaluateGroup;
-    batchEvaluate(logics: Array<{
-        id: string;
-        logic: LogicNode | null;
-    }>, context: UserPermissionContext): Map<string, boolean>;
-    hasAnyAction(actionIds: string[], context: UserPermissionContext): boolean;
-    hasAllActions(actionIds: string[], context: UserPermissionContext): boolean;
-    hasAnyRole(roleIds: string[], context: UserPermissionContext): boolean;
-    hasAllRoles(roleIds: string[], context: UserPermissionContext): boolean;
-    evaluateLogicNode(logic: LogicNode | null, actionCodes: Set<string>): boolean;
-    private evaluateNodeSimple;
-    private evaluateGroupSimple;
-}

package/interfaces/iam-module-async-options.interface.d.ts

@@ -1,11 +0,0 @@
-import { IBootstrapAppConfig, IDynamicModuleConfig } from '@flusys/nestjs-core';
-import { ModuleMetadata, Type } from '@nestjs/common';
-import { IIAMModuleConfig, IAMOptionsFactory } from './iam-module-options.interface';
-export interface IAMModuleAsyncOptions extends Pick<ModuleMetadata, 'imports'>, IDynamicModuleConfig {
-    bootstrapAppConfig?: IBootstrapAppConfig;
-    config?: IIAMModuleConfig;
-    useFactory?: (...args: any[]) => Promise<IIAMModuleConfig> | IIAMModuleConfig;
-    inject?: any[];
-    useClass?: Type<IAMOptionsFactory>;
-    useExisting?: Type<IAMOptionsFactory>;
-}