@flusys/nestjs-shared 1.1.0-beta → 2.0.0

package/cjs/classes/api-controller.class.js

@@ -8,10 +8,10 @@ Object.defineProperty(exports, "createApiController", {
         return createApiController;
     }
 });
-const _decorators = require("@flusys/nestjs-shared/decorators");
-const _dtos = require("@flusys/nestjs-shared/dtos");
-const _guards = require("@flusys/nestjs-shared/guards");
-const _interceptors = require("@flusys/nestjs-shared/interceptors");
+const _decorators = require("../decorators");
+const _dtos = require("../dtos");
+const _guards = require("../guards");
+const _interceptors = require("../interceptors");
 const _common = require("@nestjs/common");
 const _swagger = require("@nestjs/swagger");
 const _classtransformer = require("class-transformer");
@@ -104,8 +104,10 @@ function createApiController(createDtoClass, updateDtoClass, responseDtoClass, o
     // 2. It's an object with 'level' property but no endpoint keys
     const isGlobalSecurity = typeof securityConfig === 'string' || securityConfig && typeof securityConfig === 'object' && 'level' in securityConfig && !endpointKeys.some((key)=>key in securityConfig);
     // Normalize security config for each endpoint
+    // IMPORTANT: When per-endpoint security is specified, default to 'jwt' for unconfigured endpoints
+    // to prevent accidentally exposing endpoints without authentication
     const defaultSecurity = isGlobalSecurity ? normalizeSecurity(securityConfig) : {
-        level: 'public'
+        level: 'jwt'
     };
     const security = {
         insert: isGlobalSecurity ? defaultSecurity : normalizeSecurity(securityConfig?.insert),
@@ -347,16 +349,7 @@ function createApiController(createDtoClass, updateDtoClass, responseDtoClass, o
         (0, _common.HttpCode)(_common.HttpStatus.OK),
         (0, _swagger.ApiOperation)({
             summary: 'Get all items with filters and pagination',
-            description: `
-Retrieves items with support for:
-- **filter**: Apply field-based filters (e.g., \`{ "isActive": true }\`)
-- **pagination**: Control page and page size
-- **sort**: Order by any field (e.g., \`{ "createdAt": "DESC" }\`)
-- **select**: Choose specific fields to return
-- **withDeleted**: Include soft-deleted items
-- **extraKey**: Include additional relations
-- **q** (query param): Global text search
-      `
+            description: 'Supports filter, pagination, sort, select, withDeleted, and q (search) params'
         }),
         (0, _swagger.ApiQuery)({
             name: 'q',
@@ -385,15 +378,7 @@ Retrieves items with support for:
         (0, _common.HttpCode)(_common.HttpStatus.OK),
         (0, _swagger.ApiOperation)({
             summary: 'Delete, restore, or permanently remove items',
-            description: `
-Performs one of three actions:
-
-- **"delete"** (soft delete): Marks items as deleted but keeps in database
-- **"restore"**: Reverts soft-deleted items to active
-- **"permanent"**: Completely removes items from database
-
-Supports single ID or array of IDs for batch operations.
-      `
+            description: 'Types: delete (soft), restore, permanent. Supports batch IDs.'
         }),
         (0, _swagger.ApiResponse)({
             status: 200,

package/cjs/classes/api-service.class.js

@@ -26,116 +26,52 @@ function _define_property(obj, key, value) {
 }
 let ApiService = class ApiService {
     async insert(dto, user) {
-        await this.ensureRepositoryInitialized();
-        const qr = this.repository.manager.connection.createQueryRunner();
-        await qr.connect();
-        await qr.startTransaction();
-        try {
+        return this.executeInTransaction('insert', async (qr)=>{
             await this.beforeInsertOperation(dto, user, qr);
             const entities = await this.convertRequestDtoToEntity(dto, user);
             const saved = await qr.manager.save(this.repository.target, entities);
-            await this.afterInsertOperation(saved, user, qr);
-            await qr.commitTransaction();
-            if (this.isCacheable) await Promise.all([
-                this.clearCacheForAll(),
-                this.clearCacheForId(Array.isArray(saved) ? saved : [
-                    saved
-                ])
-            ]);
-            const first = Array.isArray(saved) ? saved[0] : saved;
-            return this.convertEntityToResponseDto(first, false);
-        } catch (error) {
-            await qr.rollbackTransaction();
-            this.handleError(error, 'insert');
-        } finally{
-            await qr.release();
-        }
+            await this.afterInsertOperation(this.ensureArray(saved), user, qr);
+            return {
+                saved,
+                returnFirst: true
+            };
+        });
     }
     async insertMany(dtos, user) {
-        await this.ensureRepositoryInitialized();
-        const qr = this.repository.manager.connection.createQueryRunner();
-        await qr.connect();
-        await qr.startTransaction();
-        try {
+        return this.executeInTransaction('insertMany', async (qr)=>{
             await this.beforeInsertOperation(dtos, user, qr);
             const entities = await this.convertRequestDtoToEntity(dtos, user);
             const saved = await qr.manager.save(this.repository.target, entities);
-            await this.afterInsertOperation(Array.isArray(saved) ? saved : [
-                saved
-            ], user, qr);
-            await qr.commitTransaction();
-            if (this.isCacheable) await Promise.all([
-                this.clearCacheForAll(),
-                this.clearCacheForId(Array.isArray(saved) ? saved : [
-                    saved
-                ])
-            ]);
-            const list = (Array.isArray(saved) ? saved : [
-                saved
-            ]).map((e)=>this.convertEntityToResponseDto(e, false));
-            return list;
-        } catch (error) {
-            await qr.rollbackTransaction();
-            this.handleError(error, 'insertMany');
-        } finally{
-            await qr.release();
-        }
+            await this.afterInsertOperation(this.ensureArray(saved), user, qr);
+            return {
+                saved,
+                returnFirst: false
+            };
+        });
     }
     async update(dto, user) {
-        await this.ensureRepositoryInitialized();
-        const qr = this.repository.manager.connection.createQueryRunner();
-        await qr.connect();
-        await qr.startTransaction();
-        try {
+        return this.executeInTransaction('update', async (qr)=>{
             await this.beforeUpdateOperation(dto, user, qr);
             const entities = await this.convertRequestDtoToEntity(dto, user);
             const saved = await qr.manager.save(this.repository.target, entities);
-            await this.afterUpdateOperation(saved, user, qr);
-            await qr.commitTransaction();
-            if (this.isCacheable) await Promise.all([
-                this.clearCacheForAll(),
-                this.clearCacheForId(Array.isArray(saved) ? saved : [
-                    saved
-                ])
-            ]);
-            const first = Array.isArray(saved) ? saved[0] : saved;
-            return this.convertEntityToResponseDto(first, false);
-        } catch (error) {
-            await qr.rollbackTransaction();
-            this.handleError(error, 'update');
-        } finally{
-            await qr.release();
-        }
+            await this.afterUpdateOperation(this.ensureArray(saved), user, qr);
+            return {
+                saved,
+                returnFirst: true
+            };
+        });
     }
     async updateMany(dtos, user) {
-        await this.ensureRepositoryInitialized();
-        const qr = this.repository.manager.connection.createQueryRunner();
-        await qr.connect();
-        await qr.startTransaction();
-        try {
+        return this.executeInTransaction('updateMany', async (qr)=>{
             await this.beforeUpdateOperation(dtos, user, qr);
             const entities = await this.convertRequestDtoToEntity(dtos, user);
             const saved = await qr.manager.save(this.repository.target, entities);
-            await this.afterUpdateOperation(Array.isArray(saved) ? saved : [
-                saved
-            ], user, qr);
-            await qr.commitTransaction();
-            if (this.isCacheable) await Promise.all([
-                this.clearCacheForAll(),
-                this.clearCacheForId(Array.isArray(saved) ? saved : [
-                    saved
-                ])
-            ]);
-            const list = (Array.isArray(saved) ? saved : [
-                saved
-            ]).map((e)=>this.convertEntityToResponseDto(e, false));
-            return list;
-        } catch (error) {
-            await qr.rollbackTransaction();
-            this.handleError(error, 'updateMany');
-        } finally{
-            await qr.release();
-        }
+            await this.afterUpdateOperation(this.ensureArray(saved), user, qr);
+            return {
+                saved,
+                returnFirst: false
+            };
+        });
     }
     async findByIds(ids, user) {
         await this.ensureRepositoryInitialized();
@@ -354,6 +290,37 @@ let ApiService = class ApiService {
         });
         _errorhandlerutil.ErrorHandler.rethrowError(error);
     }
+    /** Ensures value is always an array */ ensureArray(value) {
+        return Array.isArray(value) ? value : [
+            value
+        ];
+    }
+    /** Executes operation in transaction with automatic cache clearing */ async executeInTransaction(operation, fn) {
+        await this.ensureRepositoryInitialized();
+        const qr = this.repository.manager.connection.createQueryRunner();
+        await qr.connect();
+        await qr.startTransaction();
+        try {
+            const { saved, returnFirst } = await fn(qr);
+            await qr.commitTransaction();
+            const savedArray = this.ensureArray(saved);
+            if (this.isCacheable) {
+                await Promise.all([
+                    this.clearCacheForAll(),
+                    this.clearCacheForId(savedArray)
+                ]);
+            }
+            if (returnFirst) {
+                return this.convertEntityToResponseDto(savedArray[0], false);
+            }
+            return savedArray.map((e)=>this.convertEntityToResponseDto(e, false));
+        } catch (error) {
+            await qr.rollbackTransaction();
+            this.handleError(error, operation);
+        } finally{
+            await qr.release();
+        }
+    }
     // Hooks (override in child classes)
     async ensureRepositoryInitialized() {}
     async beforeInsertOperation(_dto, _user, _queryRunner) {}

package/cjs/classes/index.js

@@ -8,6 +8,7 @@ _export_star(require("./request-scoped-api.service"), exports);
 _export_star(require("./hybrid-cache.class"), exports);
 _export_star(require("./winston-logger-adapter.class"), exports);
 _export_star(require("./winston.logger.class"), exports);
+_export_star(require("../constants/permissions"), exports);
 function _export_star(from, to) {
     Object.keys(from).forEach(function(k) {
         if (k !== "default" && !Object.prototype.hasOwnProperty.call(to, k)) {

package/cjs/classes/winston-logger-adapter.class.js

@@ -47,46 +47,31 @@ function _define_property(obj, key, value) {
     return meta;
 }
 let WinstonLoggerAdapter = class WinstonLoggerAdapter {
-    log(message, context, ...args) {
-        const meta = args.length > 0 && typeof args[0] === 'object' ? args[0] : {};
-        _winstonloggerclass.instance.info(message, {
+    buildLogMeta(context, args, extra) {
+        const meta = args?.length && typeof args[0] === 'object' ? args[0] : {};
+        return {
             context: context || this.context,
             ...getCorrelationMeta(),
-            ...meta
-        });
+            ...meta,
+            ...extra
+        };
+    }
+    log(message, context, ...args) {
+        _winstonloggerclass.instance.info(message, this.buildLogMeta(context, args));
     }
     error(message, trace, context, ...args) {
-        const meta = args.length > 0 && typeof args[0] === 'object' ? args[0] : {};
-        _winstonloggerclass.instance.error(message, {
-            context: context || this.context,
-            stack: trace,
-            ...getCorrelationMeta(),
-            ...meta
-        });
+        _winstonloggerclass.instance.error(message, this.buildLogMeta(context, args, {
+            stack: trace
+        }));
     }
     warn(message, context, ...args) {
-        const meta = args.length > 0 && typeof args[0] === 'object' ? args[0] : {};
-        _winstonloggerclass.instance.warn(message, {
-            context: context || this.context,
-            ...getCorrelationMeta(),
-            ...meta
-        });
+        _winstonloggerclass.instance.warn(message, this.buildLogMeta(context, args));
     }
     debug(message, context, ...args) {
-        const meta = args.length > 0 && typeof args[0] === 'object' ? args[0] : {};
-        _winstonloggerclass.instance.debug(message, {
-            context: context || this.context,
-            ...getCorrelationMeta(),
-            ...meta
-        });
+        _winstonloggerclass.instance.debug(message, this.buildLogMeta(context, args));
     }
     verbose(message, context, ...args) {
-        const meta = args.length > 0 && typeof args[0] === 'object' ? args[0] : {};
-        _winstonloggerclass.instance.verbose(message, {
-            context: context || this.context,
-            ...getCorrelationMeta(),
-            ...meta
-        });
+        _winstonloggerclass.instance.verbose(message, this.buildLogMeta(context, args));
     }
     constructor(context){
         _define_property(this, "context", void 0);
@@ -94,25 +79,23 @@ let WinstonLoggerAdapter = class WinstonLoggerAdapter {
     }
 };
 let NestLoggerAdapter = class NestLoggerAdapter {
+    formatMessage(message, args) {
+        return args?.length ? `${message} ${JSON.stringify(args)}` : message;
+    }
     log(message, context, ...args) {
-        const logMessage = args.length > 0 ? `${message} ${JSON.stringify(args)}` : message;
-        this.logger.log(logMessage, context);
+        this.logger.log(this.formatMessage(message, args), context);
     }
     error(message, trace, context, ...args) {
-        const logMessage = args.length > 0 ? `${message} ${JSON.stringify(args)}` : message;
-        this.logger.error(logMessage, trace, context);
+        this.logger.error(this.formatMessage(message, args), trace, context);
     }
     warn(message, context, ...args) {
-        const logMessage = args.length > 0 ? `${message} ${JSON.stringify(args)}` : message;
-        this.logger.warn(logMessage, context);
+        this.logger.warn(this.formatMessage(message, args), context);
     }
     debug(message, context, ...args) {
-        const logMessage = args.length > 0 ? `${message} ${JSON.stringify(args)}` : message;
-        this.logger.debug(logMessage, context);
+        this.logger.debug(this.formatMessage(message, args), context);
     }
     verbose(message, context, ...args) {
-        const logMessage = args.length > 0 ? `${message} ${JSON.stringify(args)}` : message;
-        this.logger.verbose(logMessage, context);
+        this.logger.verbose(this.formatMessage(message, args), context);
     }
     constructor(logger){
         _define_property(this, "logger", void 0);

package/cjs/constants/index.js

@@ -41,6 +41,20 @@ _export(exports, {
         return REQUEST_ID_HEADER;
     }
 });
+_export_star(require("./permissions"), exports);
+function _export_star(from, to) {
+    Object.keys(from).forEach(function(k) {
+        if (k !== "default" && !Object.prototype.hasOwnProperty.call(to, k)) {
+            Object.defineProperty(to, k, {
+                enumerable: true,
+                get: function() {
+                    return from[k];
+                }
+            });
+        }
+    });
+    return from;
+}
 const IS_PUBLIC_KEY = 'isPublic';
 const PERMISSIONS_KEY = 'permissions';
 const CACHE_INSTANCE = 'CACHE_INSTANCE';

package/cjs/constants/permissions.js

@@ -0,0 +1,184 @@
+/**
+ * Centralized Permission Codes
+ *
+ * Single source of truth for all permission codes used across the application.
+ * Use these constants instead of hardcoded strings to prevent typos and enable easy refactoring.
+ *
+ * Naming Convention: <entity>.<action>
+ * - entity: The resource being accessed (e.g., user, role, company)
+ * - action: The operation being performed (create, read, update, delete, assign)
+ */ // ==================== AUTH MODULE ====================
+"use strict";
+Object.defineProperty(exports, "__esModule", {
+    value: true
+});
+function _export(target, all) {
+    for(var name in all)Object.defineProperty(target, name, {
+        enumerable: true,
+        get: Object.getOwnPropertyDescriptor(all, name).get
+    });
+}
+_export(exports, {
+    get ACTION_PERMISSIONS () {
+        return ACTION_PERMISSIONS;
+    },
+    get BRANCH_PERMISSIONS () {
+        return BRANCH_PERMISSIONS;
+    },
+    get COMPANY_ACTION_PERMISSIONS () {
+        return COMPANY_ACTION_PERMISSIONS;
+    },
+    get COMPANY_PERMISSIONS () {
+        return COMPANY_PERMISSIONS;
+    },
+    get EMAIL_CONFIG_PERMISSIONS () {
+        return EMAIL_CONFIG_PERMISSIONS;
+    },
+    get EMAIL_TEMPLATE_PERMISSIONS () {
+        return EMAIL_TEMPLATE_PERMISSIONS;
+    },
+    get FILE_PERMISSIONS () {
+        return FILE_PERMISSIONS;
+    },
+    get FOLDER_PERMISSIONS () {
+        return FOLDER_PERMISSIONS;
+    },
+    get FORM_PERMISSIONS () {
+        return FORM_PERMISSIONS;
+    },
+    get FORM_RESULT_PERMISSIONS () {
+        return FORM_RESULT_PERMISSIONS;
+    },
+    get PERMISSIONS () {
+        return PERMISSIONS;
+    },
+    get ROLE_ACTION_PERMISSIONS () {
+        return ROLE_ACTION_PERMISSIONS;
+    },
+    get ROLE_PERMISSIONS () {
+        return ROLE_PERMISSIONS;
+    },
+    get STORAGE_CONFIG_PERMISSIONS () {
+        return STORAGE_CONFIG_PERMISSIONS;
+    },
+    get USER_ACTION_PERMISSIONS () {
+        return USER_ACTION_PERMISSIONS;
+    },
+    get USER_PERMISSIONS () {
+        return USER_PERMISSIONS;
+    },
+    get USER_ROLE_PERMISSIONS () {
+        return USER_ROLE_PERMISSIONS;
+    }
+});
+const USER_PERMISSIONS = {
+    CREATE: 'user.create',
+    READ: 'user.read',
+    UPDATE: 'user.update',
+    DELETE: 'user.delete'
+};
+const COMPANY_PERMISSIONS = {
+    CREATE: 'company.create',
+    READ: 'company.read',
+    UPDATE: 'company.update',
+    DELETE: 'company.delete'
+};
+const BRANCH_PERMISSIONS = {
+    CREATE: 'branch.create',
+    READ: 'branch.read',
+    UPDATE: 'branch.update',
+    DELETE: 'branch.delete'
+};
+const ACTION_PERMISSIONS = {
+    CREATE: 'action.create',
+    READ: 'action.read',
+    UPDATE: 'action.update',
+    DELETE: 'action.delete'
+};
+const ROLE_PERMISSIONS = {
+    CREATE: 'role.create',
+    READ: 'role.read',
+    UPDATE: 'role.update',
+    DELETE: 'role.delete'
+};
+const ROLE_ACTION_PERMISSIONS = {
+    READ: 'role-action.read',
+    ASSIGN: 'role-action.assign'
+};
+const USER_ROLE_PERMISSIONS = {
+    READ: 'user-role.read',
+    ASSIGN: 'user-role.assign'
+};
+const USER_ACTION_PERMISSIONS = {
+    READ: 'user-action.read',
+    ASSIGN: 'user-action.assign'
+};
+const COMPANY_ACTION_PERMISSIONS = {
+    READ: 'company-action.read',
+    ASSIGN: 'company-action.assign'
+};
+const FILE_PERMISSIONS = {
+    CREATE: 'file.create',
+    READ: 'file.read',
+    UPDATE: 'file.update',
+    DELETE: 'file.delete'
+};
+const FOLDER_PERMISSIONS = {
+    CREATE: 'folder.create',
+    READ: 'folder.read',
+    UPDATE: 'folder.update',
+    DELETE: 'folder.delete'
+};
+const STORAGE_CONFIG_PERMISSIONS = {
+    CREATE: 'storage-config.create',
+    READ: 'storage-config.read',
+    UPDATE: 'storage-config.update',
+    DELETE: 'storage-config.delete'
+};
+const EMAIL_CONFIG_PERMISSIONS = {
+    CREATE: 'email-config.create',
+    READ: 'email-config.read',
+    UPDATE: 'email-config.update',
+    DELETE: 'email-config.delete'
+};
+const EMAIL_TEMPLATE_PERMISSIONS = {
+    CREATE: 'email-template.create',
+    READ: 'email-template.read',
+    UPDATE: 'email-template.update',
+    DELETE: 'email-template.delete'
+};
+const FORM_PERMISSIONS = {
+    CREATE: 'form.create',
+    READ: 'form.read',
+    UPDATE: 'form.update',
+    DELETE: 'form.delete'
+};
+const FORM_RESULT_PERMISSIONS = {
+    CREATE: 'form-result.create',
+    READ: 'form-result.read',
+    UPDATE: 'form-result.update',
+    DELETE: 'form-result.delete'
+};
+const PERMISSIONS = {
+    // Auth
+    USER: USER_PERMISSIONS,
+    COMPANY: COMPANY_PERMISSIONS,
+    BRANCH: BRANCH_PERMISSIONS,
+    // IAM
+    ACTION: ACTION_PERMISSIONS,
+    ROLE: ROLE_PERMISSIONS,
+    ROLE_ACTION: ROLE_ACTION_PERMISSIONS,
+    USER_ROLE: USER_ROLE_PERMISSIONS,
+    USER_ACTION: USER_ACTION_PERMISSIONS,
+    COMPANY_ACTION: COMPANY_ACTION_PERMISSIONS,
+    // Storage
+    FILE: FILE_PERMISSIONS,
+    FOLDER: FOLDER_PERMISSIONS,
+    STORAGE_CONFIG: STORAGE_CONFIG_PERMISSIONS,
+    // Email
+    EMAIL_CONFIG: EMAIL_CONFIG_PERMISSIONS,
+    EMAIL_TEMPLATE: EMAIL_TEMPLATE_PERMISSIONS,
+    // Form Builder
+    FORM: FORM_PERMISSIONS,
+    FORM_RESULT: FORM_RESULT_PERMISSIONS
+};

package/cjs/decorators/api-response.decorator.js

@@ -8,7 +8,7 @@ Object.defineProperty(exports, "ApiResponseDto", {
         return ApiResponseDto;
     }
 });
-const _dtos = require("@flusys/nestjs-shared/dtos");
+const _dtos = require("../dtos");
 const _common = require("@nestjs/common");
 const _swagger = require("@nestjs/swagger");
 const ApiResponseDto = (dto, isArray = false, arrayType = 'list')=>{

package/cjs/decorators/index.js

@@ -6,6 +6,7 @@ _export_star(require("./api-response.decorator"), exports);
 _export_star(require("./current-user.decorator"), exports);
 _export_star(require("./public.decorator"), exports);
 _export_star(require("./require-permission.decorator"), exports);
+_export_star(require("./sanitize-html.decorator"), exports);
 function _export_star(from, to) {
     Object.keys(from).forEach(function(k) {
         if (k !== "default" && !Object.prototype.hasOwnProperty.call(to, k)) {

package/cjs/decorators/sanitize-html.decorator.js

@@ -0,0 +1,36 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", {
+    value: true
+});
+function _export(target, all) {
+    for(var name in all)Object.defineProperty(target, name, {
+        enumerable: true,
+        get: Object.getOwnPropertyDescriptor(all, name).get
+    });
+}
+_export(exports, {
+    get SanitizeAndTrim () {
+        return SanitizeAndTrim;
+    },
+    get SanitizeHtml () {
+        return SanitizeHtml;
+    }
+});
+const _classtransformer = require("class-transformer");
+const _htmlsanitizerutil = require("../utils/html-sanitizer.util");
+function SanitizeHtml() {
+    return (0, _classtransformer.Transform)(({ value })=>{
+        if (typeof value === 'string') {
+            return (0, _htmlsanitizerutil.escapeHtml)(value);
+        }
+        return value;
+    });
+}
+function SanitizeAndTrim() {
+    return (0, _classtransformer.Transform)(({ value })=>{
+        if (typeof value === 'string') {
+            return (0, _htmlsanitizerutil.escapeHtml)(value.trim());
+        }
+        return value;
+    });
+}

package/cjs/dtos/delete.dto.js

@@ -36,6 +36,7 @@ let DeleteDto = class DeleteDto {
     constructor(){
         _define_property(this, "id", void 0);
         _define_property(this, "type", void 0);
+        _define_property(this, "deletedById", void 0);
     }
 };
 _ts_decorate([
@@ -80,3 +81,12 @@ _ts_decorate([
     ]),
     _ts_metadata("design:type", String)
 ], DeleteDto.prototype, "type", void 0);
+_ts_decorate([
+    (0, _swagger.ApiPropertyOptional)({
+        description: 'User ID who initiated the deletion (auto-set by interceptor)',
+        example: 'f2e9c8d0-7a2a-11eb-9439-0242ac130002'
+    }),
+    (0, _classvalidator.IsOptional)(),
+    (0, _classvalidator.IsUUID)(),
+    _ts_metadata("design:type", String)
+], DeleteDto.prototype, "deletedById", void 0);