@flusys/nestjs-iam 3.0.1 → 4.0.0-rc

package/fesm/services/permission-cache.service.js

@@ -25,9 +25,8 @@ function _ts_param(paramIndex, decorator) {
         decorator(target, key, paramIndex);
     };
 }
-import { HybridCache } from '@flusys/nestjs-shared';
-import { ErrorHandler } from '@flusys/nestjs-shared/utils';
-import { Inject, Injectable, Logger } from '@nestjs/common';
+import { HybridCache, LogAction } from '@flusys/nestjs-shared';
+import { Inject, Injectable } from '@nestjs/common';
 export class PermissionCacheService {
     // Cache Key Generation
     generateCacheKey(options) {
@@ -45,38 +44,20 @@ export class PermissionCacheService {
     }
     // Cache Operations
     async setPermissions(options, permissions) {
-        try {
-            const key = this.generateCacheKey(options);
-            await this.cacheManager.set(key, permissions, this.TTL);
-            this.logger.debug(`Cached ${permissions.length} permissions for key: ${key}`);
-        } catch (error) {
-            const errorMessage = ErrorHandler.getErrorMessage(error);
-            this.logger.error(`Failed to cache permissions: ${errorMessage}`);
-        // Don't throw - cache failure shouldn't break the operation
-        }
+        const key = this.generateCacheKey(options);
+        await this.cacheManager.set(key, permissions, this.TTL);
     }
     // My-Permissions Cache Operations
     async setMyPermissions(options, data) {
-        try {
-            const key = this.generateMyPermissionsCacheKey(options);
-            await this.cacheManager.set(key, data, this.TTL);
-            this.logger.debug(`Cached my-permissions for key: ${key} (${data.frontendActions.length} frontend, ${data.backendCodes.length} backend)`);
-        } catch (error) {
-            const errorMessage = ErrorHandler.getErrorMessage(error);
-            this.logger.error(`Failed to cache my-permissions: ${errorMessage}`);
-        }
+        const key = this.generateMyPermissionsCacheKey(options);
+        await this.cacheManager.set(key, data, this.TTL);
     }
     async getMyPermissions(options) {
         try {
             const key = this.generateMyPermissionsCacheKey(options);
             const result = await this.cacheManager.get(key);
-            if (result) {
-                this.logger.debug(`Cache hit for my-permissions: ${key}`);
-            }
             return result || null;
-        } catch (error) {
-            const errorMessage = ErrorHandler.getErrorMessage(error);
-            this.logger.error(`Failed to get my-permissions from cache: ${errorMessage}`);
+        } catch  {
             return null;
         }
     }
@@ -88,14 +69,8 @@ export class PermissionCacheService {
         return `${this.ACTION_CODE_PREFIX}:map`;
     }
     async setActionCodeMap(codeToIdMap, tenantId) {
-        try {
-            const key = this.generateActionCodeCacheKey(tenantId);
-            await this.cacheManager.set(key, codeToIdMap, this.ACTION_CODE_TTL);
-            this.logger.debug(`Cached ${Object.keys(codeToIdMap).length} action code mappings${tenantId ? ` for tenant ${tenantId}` : ''}`);
-        } catch (error) {
-            const errorMessage = ErrorHandler.getErrorMessage(error);
-            this.logger.error(`Failed to cache action code map: ${errorMessage}`);
-        }
+        const key = this.generateActionCodeCacheKey(tenantId);
+        await this.cacheManager.set(key, codeToIdMap, this.ACTION_CODE_TTL);
     }
     async getActionIdsByCodes(codes, tenantId) {
         try {
@@ -111,72 +86,47 @@ export class PermissionCacheService {
                 }
             }
             return Object.keys(result).length > 0 ? result : null;
-        } catch (error) {
-            const errorMessage = ErrorHandler.getErrorMessage(error);
-            this.logger.error(`Failed to get action IDs from cache: ${errorMessage}`);
+        } catch  {
             return null;
         }
     }
     // Cache Invalidation
     async invalidateUser(userId, companyId, branchIds) {
-        try {
-            const keysToDelete = [
-                // Permission codes cache (for PermissionGuard) - user-based key
-                `${this.CACHE_PREFIX}:user:${userId}`,
-                // My-permissions cache (full response) - user-based key
-                `${this.MY_PERMISSIONS_PREFIX}:user:${userId}`
+        const keysToDelete = [
+            `${this.CACHE_PREFIX}:user:${userId}`,
+            `${this.MY_PERMISSIONS_PREFIX}:user:${userId}`
+        ];
+        if (companyId) {
+            const branches = branchIds?.length ? branchIds : [
+                null
             ];
-            if (companyId) {
-                const branches = branchIds?.length ? branchIds : [
-                    null
-                ];
-                for (const branchId of branches){
-                    keysToDelete.push(`${this.CACHE_PREFIX}:company:${companyId}:branch:${branchId || 'null'}:user:${userId}`, `${this.MY_PERMISSIONS_PREFIX}:company:${companyId}:branch:${branchId || 'null'}:user:${userId}`);
-                }
+            for (const branchId of branches){
+                keysToDelete.push(`${this.CACHE_PREFIX}:company:${companyId}:branch:${branchId || 'null'}:user:${userId}`, `${this.MY_PERMISSIONS_PREFIX}:company:${companyId}:branch:${branchId || 'null'}:user:${userId}`);
             }
-            await Promise.all(keysToDelete.map((key)=>this.cacheManager.del(key)));
-            this.logger.debug(`Invalidated ${keysToDelete.length} cache keys for user ${userId}`);
-        } catch (error) {
-            const errorMessage = ErrorHandler.getErrorMessage(error);
-            this.logger.warn(`Failed to invalidate user cache for ${userId}: ${errorMessage}`);
         }
+        await Promise.all(keysToDelete.map((key)=>this.cacheManager.del(key)));
     }
     async invalidateUsers(userIds, companyId, branchIds) {
         if (userIds.length === 0) {
             return 0;
         }
         const results = await Promise.allSettled(userIds.map((userId)=>this.invalidateUser(userId, companyId, branchIds)));
-        const successCount = results.filter((r)=>r.status === 'fulfilled').length;
-        const failedCount = results.filter((r)=>r.status === 'rejected').length;
-        if (failedCount > 0) {
-            this.logger.warn(`Failed to invalidate cache for ${failedCount} users`);
-        }
-        if (successCount > 0) {
-            this.logger.log(`Invalidated cache for ${successCount} users`);
-        }
-        return successCount;
+        return results.filter((r)=>r.status === 'fulfilled').length;
     }
-    async invalidateRole(roleId, userIds, companyId, branchIds) {
+    async invalidateRole(_roleId, userIds, companyId, branchIds) {
         if (userIds.length === 0) {
-            this.logger.debug(`No users found for role ${roleId}`);
             return 0;
         }
-        const count = await this.invalidateUsers(userIds, companyId, branchIds);
-        if (count > 0) {
-            this.logger.log(`Invalidated cache for ${count} users with role ${roleId}`);
-        }
-        return count;
+        return await this.invalidateUsers(userIds, companyId, branchIds);
     }
     constructor(cacheManager){
         _define_property(this, "cacheManager", void 0);
-        _define_property(this, "logger", void 0);
         _define_property(this, "TTL", void 0); // 1 hour
         _define_property(this, "ACTION_CODE_TTL", void 0); // 2 hours for action codes (less frequent changes)
         _define_property(this, "CACHE_PREFIX", void 0);
         _define_property(this, "MY_PERMISSIONS_PREFIX", void 0);
         _define_property(this, "ACTION_CODE_PREFIX", void 0);
         this.cacheManager = cacheManager;
-        this.logger = new Logger(PermissionCacheService.name);
         this.TTL = 3600000;
         this.ACTION_CODE_TTL = 7200000;
         this.CACHE_PREFIX = 'permissions';
@@ -184,6 +134,82 @@ export class PermissionCacheService {
         this.ACTION_CODE_PREFIX = 'action-codes';
     }
 }
+_ts_decorate([
+    LogAction({
+        action: 'permissionCache.setPermissions',
+        module: 'iam'
+    }),
+    _ts_metadata("design:type", Function),
+    _ts_metadata("design:paramtypes", [
+        typeof PermissionCacheKeyOptions === "undefined" ? Object : PermissionCacheKeyOptions,
+        Array
+    ]),
+    _ts_metadata("design:returntype", Promise)
+], PermissionCacheService.prototype, "setPermissions", null);
+_ts_decorate([
+    LogAction({
+        action: 'permissionCache.setMyPermissions',
+        module: 'iam'
+    }),
+    _ts_metadata("design:type", Function),
+    _ts_metadata("design:paramtypes", [
+        typeof PermissionCacheKeyOptions === "undefined" ? Object : PermissionCacheKeyOptions,
+        typeof CachedMyPermissions === "undefined" ? Object : CachedMyPermissions
+    ]),
+    _ts_metadata("design:returntype", Promise)
+], PermissionCacheService.prototype, "setMyPermissions", null);
+_ts_decorate([
+    LogAction({
+        action: 'permissionCache.setActionCodeMap',
+        module: 'iam'
+    }),
+    _ts_metadata("design:type", Function),
+    _ts_metadata("design:paramtypes", [
+        typeof Record === "undefined" ? Object : Record,
+        String
+    ]),
+    _ts_metadata("design:returntype", Promise)
+], PermissionCacheService.prototype, "setActionCodeMap", null);
+_ts_decorate([
+    LogAction({
+        action: 'permissionCache.invalidateUser',
+        module: 'iam'
+    }),
+    _ts_metadata("design:type", Function),
+    _ts_metadata("design:paramtypes", [
+        String,
+        Object,
+        Array
+    ]),
+    _ts_metadata("design:returntype", Promise)
+], PermissionCacheService.prototype, "invalidateUser", null);
+_ts_decorate([
+    LogAction({
+        action: 'permissionCache.invalidateUsers',
+        module: 'iam'
+    }),
+    _ts_metadata("design:type", Function),
+    _ts_metadata("design:paramtypes", [
+        Array,
+        Object,
+        Array
+    ]),
+    _ts_metadata("design:returntype", Promise)
+], PermissionCacheService.prototype, "invalidateUsers", null);
+_ts_decorate([
+    LogAction({
+        action: 'permissionCache.invalidateRole',
+        module: 'iam'
+    }),
+    _ts_metadata("design:type", Function),
+    _ts_metadata("design:paramtypes", [
+        String,
+        Array,
+        Object,
+        Array
+    ]),
+    _ts_metadata("design:returntype", Promise)
+], PermissionCacheService.prototype, "invalidateRole", null);
 PermissionCacheService = _ts_decorate([
     Injectable(),
     _ts_param(0, Inject('CACHE_INSTANCE')),

package/fesm/services/permission.service.js

@@ -25,9 +25,11 @@ function _ts_param(paramIndex, decorator) {
         decorator(target, key, paramIndex);
     };
 }
-import { BadRequestException, ConflictException, Inject, Injectable, Logger, Scope } from '@nestjs/common';
+import { IAM_MODE_MESSAGES, PERMISSION_OPERATION_MESSAGES } from '../config';
+import { LogAction } from '@flusys/nestjs-shared';
+import { BadRequestException, ConflictException, Inject, Injectable, Scope } from '@nestjs/common';
 import { In, IsNull } from 'typeorm';
-import { PermissionAction } from '../dtos/permission.dto';
+import { AssignCompanyActionsDto, AssignRoleActionsDto, AssignUserActionsDto, AssignUserRolesDto, PermissionAction } from '../dtos/permission.dto';
 import { Action } from '../entities/action.entity';
 import { UserIamPermissionWithCompany } from '../entities/permission-with-company.entity';
 import { RoleWithCompany } from '../entities/role-with-company.entity';
@@ -56,7 +58,10 @@ export class PermissionService {
     // User-Action Permissions
     async assignUserActions(dto) {
         if (!this.iamConfigService.isDirectPermissionEnabled()) {
-            throw new BadRequestException('Direct permission assignment not available in RBAC-only mode. Use role-based permissions instead.');
+            throw new BadRequestException({
+                message: 'Direct permission assignment not available in RBAC-only mode. Use role-based permissions instead.',
+                messageKey: IAM_MODE_MESSAGES.DIRECT_MODE_UNAVAILABLE
+            });
         }
         const permissionRepo = await this.getPermissionRepository();
         const enableCompanyFeature = this.iamConfigService.isCompanyFeatureEnabled();
@@ -101,7 +106,10 @@ export class PermissionService {
                     added = newPermissions.length;
                 } catch (error) {
                     if (error?.code === 'ER_DUP_ENTRY' || error?.message?.includes('Duplicate entry')) {
-                        throw new ConflictException('Some permissions already exist for this user. Please refresh and try again.');
+                        throw new ConflictException({
+                            message: 'Some permissions already exist for this user. Please refresh and try again.',
+                            messageKey: PERMISSION_OPERATION_MESSAGES.ALREADY_EXISTS
+                        });
                     }
                     throw error;
                 }
@@ -172,7 +180,10 @@ export class PermissionService {
     // Role-Action Permissions
     async assignRoleActions(dto) {
         if (!this.iamConfigService.isRbacEnabled()) {
-            throw new BadRequestException('Role-based permission assignment not available in DIRECT-only mode. Use direct user permissions instead.');
+            throw new BadRequestException({
+                message: 'Role-based permission assignment not available in DIRECT-only mode. Use direct user permissions instead.',
+                messageKey: IAM_MODE_MESSAGES.RBAC_MODE_UNAVAILABLE
+            });
         }
         const permissionRepo = await this.getPermissionRepository();
         const enableCompanyFeature = this.iamConfigService.isCompanyFeatureEnabled();
@@ -224,7 +235,10 @@ export class PermissionService {
                     added = newPermissions.length;
                 } catch (error) {
                     if (error?.code === 'ER_DUP_ENTRY' || error?.message?.includes('Duplicate entry')) {
-                        throw new ConflictException('Some role-action permissions already exist. Please refresh and try again.');
+                        throw new ConflictException({
+                            message: 'Some role-action permissions already exist. Please refresh and try again.',
+                            messageKey: PERMISSION_OPERATION_MESSAGES.ALREADY_EXISTS
+                        });
                     }
                     throw error;
                 }
@@ -378,9 +392,6 @@ export class PermissionService {
             });
             removedUserActions = userResult.affected || 0;
         }
-        if (removedRoleActions > 0 || removedUserActions > 0) {
-            this.logger.log(`Cascade deleted for company ${companyId}: ${removedRoleActions} role actions, ${removedUserActions} user actions`);
-        }
         return {
             removedCompanyActions: companyResult.affected || 0,
             removedRoleActions,
@@ -439,7 +450,10 @@ export class PermissionService {
     // User-Role Permissions
     /** Assign user to roles (branch-scoped when company feature is enabled) */ async assignUserRoles(dto) {
         if (!this.iamConfigService.isRbacEnabled()) {
-            throw new BadRequestException('Role assignment not available in DIRECT-only mode. Use direct user permissions instead.');
+            throw new BadRequestException({
+                message: 'Role assignment not available in DIRECT-only mode. Use direct user permissions instead.',
+                messageKey: IAM_MODE_MESSAGES.ROLE_ASSIGNMENT_UNAVAILABLE
+            });
         }
         const permissionRepo = await this.getPermissionRepository();
         const enableCompanyFeature = this.iamConfigService.isCompanyFeatureEnabled();
@@ -484,7 +498,10 @@ export class PermissionService {
                     added = newPermissions.length;
                 } catch (error) {
                     if (error?.code === 'ER_DUP_ENTRY' || error?.message?.includes('Duplicate entry')) {
-                        throw new ConflictException('Some user-role permissions already exist. Please refresh and try again.');
+                        throw new ConflictException({
+                            message: 'Some user-role permissions already exist. Please refresh and try again.',
+                            messageKey: PERMISSION_OPERATION_MESSAGES.ALREADY_EXISTS
+                        });
                     }
                     throw error;
                 }
@@ -710,7 +727,8 @@ export class PermissionService {
             success: true,
             added,
             removed,
-            message: `Successfully processed ${totalItems} items: ${added} added, ${removed} removed${additionalMessage}`
+            message: `Successfully processed ${totalItems} items: ${added} added, ${removed} removed${additionalMessage}`,
+            messageKey: PERMISSION_OPERATION_MESSAGES.PROCESS_SUCCESS
         };
     }
     /** Get role IDs assigned to a user (merges company-wide + branch-specific roles) */ async getUserRoleIds(userId, branchId, companyId) {
@@ -887,13 +905,55 @@ export class PermissionService {
         _define_property(this, "permissionCacheService", void 0);
         _define_property(this, "iamConfigService", void 0);
         _define_property(this, "dataSourceProvider", void 0);
-        _define_property(this, "logger", void 0);
         this.permissionCacheService = permissionCacheService;
         this.iamConfigService = iamConfigService;
         this.dataSourceProvider = dataSourceProvider;
-        this.logger = new Logger(PermissionService.name);
     }
 }
+_ts_decorate([
+    LogAction({
+        action: 'iam.assignUserActions',
+        module: 'iam'
+    }),
+    _ts_metadata("design:type", Function),
+    _ts_metadata("design:paramtypes", [
+        typeof AssignUserActionsDto === "undefined" ? Object : AssignUserActionsDto
+    ]),
+    _ts_metadata("design:returntype", Promise)
+], PermissionService.prototype, "assignUserActions", null);
+_ts_decorate([
+    LogAction({
+        action: 'iam.assignRoleActions',
+        module: 'iam'
+    }),
+    _ts_metadata("design:type", Function),
+    _ts_metadata("design:paramtypes", [
+        typeof AssignRoleActionsDto === "undefined" ? Object : AssignRoleActionsDto
+    ]),
+    _ts_metadata("design:returntype", Promise)
+], PermissionService.prototype, "assignRoleActions", null);
+_ts_decorate([
+    LogAction({
+        action: 'iam.assignCompanyActions',
+        module: 'iam'
+    }),
+    _ts_metadata("design:type", Function),
+    _ts_metadata("design:paramtypes", [
+        typeof AssignCompanyActionsDto === "undefined" ? Object : AssignCompanyActionsDto
+    ]),
+    _ts_metadata("design:returntype", Promise)
+], PermissionService.prototype, "assignCompanyActions", null);
+_ts_decorate([
+    LogAction({
+        action: 'iam.assignUserRoles',
+        module: 'iam'
+    }),
+    _ts_metadata("design:type", Function),
+    _ts_metadata("design:paramtypes", [
+        typeof AssignUserRolesDto === "undefined" ? Object : AssignUserRolesDto
+    ]),
+    _ts_metadata("design:returntype", Promise)
+], PermissionService.prototype, "assignUserRoles", null);
 PermissionService = _ts_decorate([
     Injectable({
         scope: Scope.REQUEST

package/fesm/services/role.service.js

@@ -112,7 +112,7 @@ export class RoleService extends RequestScopedApiService {
         };
     }
     constructor(cacheManager, utilsService, iamConfigService, dataSourceProvider){
-        super('role', null, cacheManager, utilsService, RoleService.name, true), _define_property(this, "cacheManager", void 0), _define_property(this, "utilsService", void 0), _define_property(this, "iamConfigService", void 0), _define_property(this, "dataSourceProvider", void 0), this.cacheManager = cacheManager, this.utilsService = utilsService, this.iamConfigService = iamConfigService, this.dataSourceProvider = dataSourceProvider;
+        super('role', null, cacheManager, utilsService, RoleService.name, true, 'iam'), _define_property(this, "cacheManager", void 0), _define_property(this, "utilsService", void 0), _define_property(this, "iamConfigService", void 0), _define_property(this, "dataSourceProvider", void 0), this.cacheManager = cacheManager, this.utilsService = utilsService, this.iamConfigService = iamConfigService, this.dataSourceProvider = dataSourceProvider;
     }
 }
 RoleService = _ts_decorate([

package/helpers/company-access.helper.d.ts

@@ -1,3 +1,3 @@
 import { ILoggedUserInfo } from '@flusys/nestjs-shared';
 import { IAMConfigService } from '../services/iam-config.service';
-export declare function validateCompanyAccess(config: IAMConfigService, companyId: string | undefined, user: ILoggedUserInfo, errorMessage?: string): void;
+export declare function validateCompanyAccess(config: IAMConfigService, companyId: string | undefined, user: ILoggedUserInfo, errorMessage?: string, messageKey?: "auth.company.no.access"): void;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@flusys/nestjs-iam",
-  "version": "3.0.1",
+  "version": "4.0.0-rc",
   "description": "Identity and Access Management (IAM) module for NestJS applications",
   "main": "cjs/index.js",
   "module": "fesm/index.js",
@@ -89,7 +89,7 @@
     "typeorm": "^0.3.0"
   },
   "dependencies": {
-    "@flusys/nestjs-core": "3.0.1",
-    "@flusys/nestjs-shared": "3.0.1"
+    "@flusys/nestjs-core": "4.0.0-rc",
+    "@flusys/nestjs-shared": "4.0.0-rc"
   }
 }

package/services/iam-datasource.service.d.ts

@@ -1,12 +1,10 @@
 import { MultiTenantDataSourceService } from '@flusys/nestjs-shared/modules';
 import { IDatabaseConfig, ITenantDatabaseConfig } from '@flusys/nestjs-core';
-import { Logger } from '@nestjs/common';
 import { Request } from 'express';
 import { DataSource } from 'typeorm';
 import { IAMConfigService } from './iam-config.service';
 export declare class IAMDataSourceService extends MultiTenantDataSourceService {
     private readonly configService;
-    protected readonly logger: Logger;
     protected static readonly tenantConnections: Map<string, DataSource>;
     protected static singleDataSource: DataSource | null;
     protected static readonly tenantsRegistry: Map<string, ITenantDatabaseConfig>;

package/services/permission-cache.service.d.ts

@@ -17,7 +17,6 @@ export interface CachedMyPermissions {
 }
 export declare class PermissionCacheService {
     private readonly cacheManager;
-    private readonly logger;
     private readonly TTL;
     private readonly ACTION_CODE_TTL;
     private readonly CACHE_PREFIX;
@@ -35,5 +34,5 @@ export declare class PermissionCacheService {
     getActionIdsByCodes(codes: string[], tenantId?: string): Promise<Record<string, string> | null>;
     invalidateUser(userId: string, companyId?: string | null, branchIds?: (string | null)[]): Promise<void>;
     invalidateUsers(userIds: string[], companyId?: string | null, branchIds?: (string | null)[]): Promise<number>;
-    invalidateRole(roleId: string, userIds: string[], companyId?: string | null, branchIds?: (string | null)[]): Promise<number>;
+    invalidateRole(_roleId: string, userIds: string[], companyId?: string | null, branchIds?: (string | null)[]): Promise<number>;
 }

package/services/permission.service.d.ts

@@ -6,7 +6,6 @@ export declare class PermissionService {
     private readonly permissionCacheService;
     private readonly iamConfigService;
     private readonly dataSourceProvider;
-    private readonly logger;
     constructor(permissionCacheService: PermissionCacheService, iamConfigService: IAMConfigService, dataSourceProvider: IAMDataSourceService);
     private getPermissionRepository;
     private getActionRepository;