@ftisindia/create-app 0.1.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/LICENSE +144 -0
- package/bin/index.mjs +2 -0
- package/package.json +36 -0
- package/src/copy.mjs +45 -0
- package/src/log.mjs +23 -0
- package/src/main.mjs +221 -0
- package/src/run.mjs +52 -0
- package/src/substitute.mjs +40 -0
- package/template/.env.example +36 -0
- package/template/.github/workflows/ci.yml +36 -0
- package/template/.husky/pre-commit +1 -0
- package/template/README.md +146 -0
- package/template/_editorconfig +8 -0
- package/template/_gitignore +7 -0
- package/template/_nvmrc +1 -0
- package/template/_package.json +107 -0
- package/template/_prettierignore +5 -0
- package/template/_prettierrc +6 -0
- package/template/docs/API_REFERENCE.md +123 -0
- package/template/docs/GETTING_STARTED.md +65 -0
- package/template/docs/MODULE_COMPLETION_CHECKLIST.md +40 -0
- package/template/docs/OAUTH.md +46 -0
- package/template/docs/SAMPLE_MODULE.md +23 -0
- package/template/docs/api.http +269 -0
- package/template/eslint.config.mjs +51 -0
- package/template/nest-cli.json +8 -0
- package/template/prisma/migrations/20260530000000_init/migration.sql +248 -0
- package/template/prisma/schema.prisma +299 -0
- package/template/prisma/seed.ts +44 -0
- package/template/scripts/db-create.mjs +126 -0
- package/template/scripts/gen-module.mjs +217 -0
- package/template/scripts/seed-test-user-org.ts +264 -0
- package/template/scripts/setup-local.mjs +224 -0
- package/template/scripts/test-db.mjs +69 -0
- package/template/src/app.module.ts +58 -0
- package/template/src/common/decorators/.gitkeep +1 -0
- package/template/src/common/dto/error-response.dto.ts +17 -0
- package/template/src/common/dto/membership-response.dto.ts +51 -0
- package/template/src/common/dto/mutation-response.dto.ts +11 -0
- package/template/src/common/dto/role-summary.dto.ts +18 -0
- package/template/src/common/dto/user-summary.dto.ts +23 -0
- package/template/src/common/enums/.gitkeep +1 -0
- package/template/src/common/filters/.gitkeep +1 -0
- package/template/src/common/filters/http-exception.filter.ts +78 -0
- package/template/src/common/guards/.gitkeep +1 -0
- package/template/src/common/interceptors/.gitkeep +1 -0
- package/template/src/common/pipes/.gitkeep +1 -0
- package/template/src/common/swagger/api-error-responses.ts +54 -0
- package/template/src/common/types/.gitkeep +1 -0
- package/template/src/config/app.config.ts +7 -0
- package/template/src/config/auth.config.ts +33 -0
- package/template/src/config/database.config.ts +6 -0
- package/template/src/config/env.validation.ts +131 -0
- package/template/src/config/index.ts +5 -0
- package/template/src/config/rbac.config.ts +6 -0
- package/template/src/database/prisma/prisma-transaction.ts +22 -0
- package/template/src/database/prisma/prisma.module.ts +9 -0
- package/template/src/database/prisma/prisma.service.ts +16 -0
- package/template/src/main.ts +42 -0
- package/template/src/modules/access-control/access-control.module.ts +24 -0
- package/template/src/modules/access-control/application/route-registry.validator.ts +289 -0
- package/template/src/modules/access-control/application/services/ability.factory.ts +28 -0
- package/template/src/modules/access-control/application/services/access-control.service.ts +478 -0
- package/template/src/modules/access-control/application/services/permission.guard.ts +77 -0
- package/template/src/modules/access-control/application/services/rbac-cache.service.ts +148 -0
- package/template/src/modules/access-control/dto/access-control-response.dto.ts +79 -0
- package/template/src/modules/access-control/dto/create-role.dto.ts +18 -0
- package/template/src/modules/access-control/dto/update-role-permissions.dto.ts +23 -0
- package/template/src/modules/access-control/dto/update-role.dto.ts +19 -0
- package/template/src/modules/access-control/presentation/access-control.controller.ts +157 -0
- package/template/src/modules/access-control/presentation/permissions.decorator.ts +8 -0
- package/template/src/modules/access-control/presentation/public.decorator.ts +7 -0
- package/template/src/modules/access-control/types/permission-key.ts +37 -0
- package/template/src/modules/access-control/types/rbac-context.ts +11 -0
- package/template/src/modules/access-control/types/route-permission-registry.ts +129 -0
- package/template/src/modules/audit/application/services/audit.service.ts +97 -0
- package/template/src/modules/audit/audit.module.ts +13 -0
- package/template/src/modules/audit/dto/audit-response.dto.ts +75 -0
- package/template/src/modules/audit/dto/list-audit-logs-query.dto.ts +75 -0
- package/template/src/modules/audit/presentation/audit.controller.ts +37 -0
- package/template/src/modules/auth/application/services/auth.service.ts +509 -0
- package/template/src/modules/auth/application/services/password.service.ts +15 -0
- package/template/src/modules/auth/application/services/token.service.ts +95 -0
- package/template/src/modules/auth/auth.module.ts +73 -0
- package/template/src/modules/auth/dto/auth-response.dto.ts +29 -0
- package/template/src/modules/auth/dto/login.dto.ts +15 -0
- package/template/src/modules/auth/dto/logout.dto.ts +3 -0
- package/template/src/modules/auth/dto/oauth-exchange.dto.ts +15 -0
- package/template/src/modules/auth/dto/refresh-token.dto.ts +14 -0
- package/template/src/modules/auth/dto/signup.dto.ts +27 -0
- package/template/src/modules/auth/infrastructure/passport/google-auth.guard.ts +27 -0
- package/template/src/modules/auth/infrastructure/passport/google.strategy.ts +56 -0
- package/template/src/modules/auth/infrastructure/passport/jwt-auth.guard.ts +5 -0
- package/template/src/modules/auth/infrastructure/passport/jwt.strategy.ts +43 -0
- package/template/src/modules/auth/presentation/auth.controller.ts +148 -0
- package/template/src/modules/auth/presentation/current-user.decorator.ts +11 -0
- package/template/src/modules/auth/presentation/google-oauth-exception.filter.ts +33 -0
- package/template/src/modules/auth/types/authenticated-user.ts +7 -0
- package/template/src/modules/auth/types/google-auth-profile.ts +6 -0
- package/template/src/modules/auth/types/jwt-payload.ts +5 -0
- package/template/src/modules/health/dto/health-response.dto.ts +9 -0
- package/template/src/modules/health/health.module.ts +7 -0
- package/template/src/modules/health/presentation/health.controller.ts +33 -0
- package/template/src/modules/invitations/application/services/invitations.service.ts +967 -0
- package/template/src/modules/invitations/dto/accept-invitation.dto.ts +24 -0
- package/template/src/modules/invitations/dto/create-invitation.dto.ts +100 -0
- package/template/src/modules/invitations/dto/invitation-response.dto.ts +108 -0
- package/template/src/modules/invitations/dto/invitation-token.dto.ts +15 -0
- package/template/src/modules/invitations/invitations.module.ts +12 -0
- package/template/src/modules/invitations/presentation/invitations.controller.ts +149 -0
- package/template/src/modules/memberships/application/services/memberships.service.ts +455 -0
- package/template/src/modules/memberships/dto/transfer-owner.dto.ts +11 -0
- package/template/src/modules/memberships/dto/update-billing-contact.dto.ts +8 -0
- package/template/src/modules/memberships/dto/update-membership-owner.dto.ts +8 -0
- package/template/src/modules/memberships/dto/update-membership-role.dto.ts +11 -0
- package/template/src/modules/memberships/dto/update-membership-status.dto.ts +9 -0
- package/template/src/modules/memberships/memberships.module.ts +12 -0
- package/template/src/modules/memberships/presentation/memberships.controller.ts +193 -0
- package/template/src/modules/organisations/application/services/organisations.service.ts +147 -0
- package/template/src/modules/organisations/dto/create-organisation.dto.ts +32 -0
- package/template/src/modules/organisations/dto/organisation-response.dto.ts +62 -0
- package/template/src/modules/organisations/infrastructure/repositories/organisations.repository.ts +24 -0
- package/template/src/modules/organisations/organisations.module.ts +12 -0
- package/template/src/modules/organisations/presentation/organisations.controller.ts +37 -0
- package/template/src/modules/organisations/types/default-organisation-data.ts +18 -0
- package/template/src/modules/platform-admin/.gitkeep +1 -0
- package/template/src/modules/request-context/application/services/request-context.service.ts +79 -0
- package/template/src/modules/request-context/presentation/org-scope.guard.ts +26 -0
- package/template/src/modules/request-context/presentation/request-context.interceptor.ts +26 -0
- package/template/src/modules/request-context/presentation/request-context.middleware.ts +31 -0
- package/template/src/modules/request-context/request-context.module.ts +25 -0
- package/template/src/modules/request-context/types/request-context.ts +29 -0
- package/template/src/modules/sample/application/services/sample.service.ts +67 -0
- package/template/src/modules/sample/dto/sample-echo.dto.ts +10 -0
- package/template/src/modules/sample/dto/sample-response.dto.ts +41 -0
- package/template/src/modules/sample/presentation/sample.controller.ts +63 -0
- package/template/src/modules/sample/sample.module.ts +11 -0
- package/template/src/modules/settings/application/services/settings.service.ts +139 -0
- package/template/src/modules/settings/dto/setting-response.dto.ts +27 -0
- package/template/src/modules/settings/dto/update-setting.dto.ts +16 -0
- package/template/src/modules/settings/presentation/settings.controller.ts +66 -0
- package/template/src/modules/settings/settings.module.ts +12 -0
- package/template/src/modules/settings/types/setting-definitions.ts +104 -0
- package/template/src/modules/users/.gitkeep +1 -0
- package/template/test/.gitkeep +1 -0
- package/template/test/jest-e2e.json +9 -0
- package/template/test/permission.guard.spec.ts +22 -0
- package/template/test/route-registry.validator.spec.ts +90 -0
- package/template/test/security.e2e-spec.ts +102 -0
- package/template/tsconfig.build.json +4 -0
- package/template/tsconfig.json +18 -0
|
@@ -0,0 +1,79 @@
|
|
|
1
|
+
import { ApiProperty, ApiPropertyOptional } from "@nestjs/swagger";
|
|
2
|
+
|
|
3
|
+
export class PermissionResponseDto {
|
|
4
|
+
@ApiProperty({
|
|
5
|
+
example: "47bf2e11-6849-49cf-9138-f57c4e7ec0ac",
|
|
6
|
+
format: "uuid",
|
|
7
|
+
})
|
|
8
|
+
id!: string;
|
|
9
|
+
|
|
10
|
+
@ApiProperty({ example: "memberships.read" })
|
|
11
|
+
key!: string;
|
|
12
|
+
|
|
13
|
+
@ApiProperty({ example: "memberships" })
|
|
14
|
+
module!: string;
|
|
15
|
+
|
|
16
|
+
@ApiProperty({ example: "read" })
|
|
17
|
+
action!: string;
|
|
18
|
+
|
|
19
|
+
@ApiProperty({ example: "Membership" })
|
|
20
|
+
subject!: string;
|
|
21
|
+
|
|
22
|
+
@ApiPropertyOptional({
|
|
23
|
+
example: "Read organisation memberships.",
|
|
24
|
+
nullable: true,
|
|
25
|
+
})
|
|
26
|
+
description?: string | null;
|
|
27
|
+
|
|
28
|
+
@ApiProperty({ example: "2026-06-01T10:30:00.000Z", format: "date-time" })
|
|
29
|
+
createdAt!: string;
|
|
30
|
+
}
|
|
31
|
+
|
|
32
|
+
export class RoutePermissionResponseDto {
|
|
33
|
+
@ApiProperty({ example: "GET" })
|
|
34
|
+
method!: string;
|
|
35
|
+
|
|
36
|
+
@ApiProperty({ example: "/organisations/:orgId/memberships" })
|
|
37
|
+
path!: string;
|
|
38
|
+
|
|
39
|
+
@ApiProperty({ example: ["memberships.read"], type: [String] })
|
|
40
|
+
permissions!: string[];
|
|
41
|
+
}
|
|
42
|
+
|
|
43
|
+
export class RoleResponseDto {
|
|
44
|
+
@ApiProperty({
|
|
45
|
+
example: "f602c057-04f4-4ef8-8c84-1b7c62fbf8c5",
|
|
46
|
+
format: "uuid",
|
|
47
|
+
})
|
|
48
|
+
id!: string;
|
|
49
|
+
|
|
50
|
+
@ApiProperty({
|
|
51
|
+
example: "2c67399d-670c-4025-a5fd-1ea9a211891e",
|
|
52
|
+
format: "uuid",
|
|
53
|
+
})
|
|
54
|
+
orgId!: string;
|
|
55
|
+
|
|
56
|
+
@ApiProperty({ example: "Support" })
|
|
57
|
+
name!: string;
|
|
58
|
+
|
|
59
|
+
@ApiPropertyOptional({
|
|
60
|
+
example: "Can review support-facing records.",
|
|
61
|
+
nullable: true,
|
|
62
|
+
})
|
|
63
|
+
description?: string | null;
|
|
64
|
+
|
|
65
|
+
@ApiProperty({ example: false })
|
|
66
|
+
isSystemSeeded!: boolean;
|
|
67
|
+
|
|
68
|
+
@ApiProperty({ example: 3 })
|
|
69
|
+
membershipCount!: number;
|
|
70
|
+
|
|
71
|
+
@ApiProperty({ type: [PermissionResponseDto] })
|
|
72
|
+
permissions!: PermissionResponseDto[];
|
|
73
|
+
|
|
74
|
+
@ApiProperty({ example: "2026-06-01T10:30:00.000Z", format: "date-time" })
|
|
75
|
+
createdAt!: string;
|
|
76
|
+
|
|
77
|
+
@ApiProperty({ example: "2026-06-01T10:30:00.000Z", format: "date-time" })
|
|
78
|
+
updatedAt!: string;
|
|
79
|
+
}
|
|
@@ -0,0 +1,18 @@
|
|
|
1
|
+
import { ApiProperty, ApiPropertyOptional } from "@nestjs/swagger";
|
|
2
|
+
import { Transform } from "class-transformer";
|
|
3
|
+
import { IsOptional, IsString, MaxLength, MinLength } from "class-validator";
|
|
4
|
+
|
|
5
|
+
export class CreateRoleDto {
|
|
6
|
+
@ApiProperty({ example: "Support" })
|
|
7
|
+
@Transform(({ value }) => (typeof value === "string" ? value.trim() : value))
|
|
8
|
+
@IsString()
|
|
9
|
+
@MinLength(2)
|
|
10
|
+
@MaxLength(80)
|
|
11
|
+
name!: string;
|
|
12
|
+
|
|
13
|
+
@ApiPropertyOptional({ example: "Can review support-facing records." })
|
|
14
|
+
@IsOptional()
|
|
15
|
+
@IsString()
|
|
16
|
+
@MaxLength(240)
|
|
17
|
+
description?: string;
|
|
18
|
+
}
|
|
@@ -0,0 +1,23 @@
|
|
|
1
|
+
import { ApiProperty } from "@nestjs/swagger";
|
|
2
|
+
import {
|
|
3
|
+
ArrayMaxSize,
|
|
4
|
+
ArrayUnique,
|
|
5
|
+
IsArray,
|
|
6
|
+
IsString,
|
|
7
|
+
Matches,
|
|
8
|
+
MaxLength,
|
|
9
|
+
} from "class-validator";
|
|
10
|
+
|
|
11
|
+
export class UpdateRolePermissionsDto {
|
|
12
|
+
@ApiProperty({
|
|
13
|
+
example: ["memberships.read", "settings.read"],
|
|
14
|
+
isArray: true,
|
|
15
|
+
})
|
|
16
|
+
@IsArray()
|
|
17
|
+
@ArrayUnique()
|
|
18
|
+
@ArrayMaxSize(100)
|
|
19
|
+
@IsString({ each: true })
|
|
20
|
+
@MaxLength(120, { each: true })
|
|
21
|
+
@Matches(/^[a-z][a-z0-9_-]*\.[a-z][a-z0-9_-]*$/, { each: true })
|
|
22
|
+
permissionKeys!: string[];
|
|
23
|
+
}
|
|
@@ -0,0 +1,19 @@
|
|
|
1
|
+
import { ApiPropertyOptional } from "@nestjs/swagger";
|
|
2
|
+
import { Transform } from "class-transformer";
|
|
3
|
+
import { IsOptional, IsString, MaxLength, MinLength } from "class-validator";
|
|
4
|
+
|
|
5
|
+
export class UpdateRoleDto {
|
|
6
|
+
@ApiPropertyOptional({ example: "Support Lead" })
|
|
7
|
+
@IsOptional()
|
|
8
|
+
@Transform(({ value }) => (typeof value === "string" ? value.trim() : value))
|
|
9
|
+
@IsString()
|
|
10
|
+
@MinLength(2)
|
|
11
|
+
@MaxLength(80)
|
|
12
|
+
name?: string;
|
|
13
|
+
|
|
14
|
+
@ApiPropertyOptional({ example: "Can manage support-facing records." })
|
|
15
|
+
@IsOptional()
|
|
16
|
+
@IsString()
|
|
17
|
+
@MaxLength(240)
|
|
18
|
+
description?: string;
|
|
19
|
+
}
|
|
@@ -0,0 +1,157 @@
|
|
|
1
|
+
import {
|
|
2
|
+
Body,
|
|
3
|
+
Controller,
|
|
4
|
+
Delete,
|
|
5
|
+
Get,
|
|
6
|
+
Param,
|
|
7
|
+
Patch,
|
|
8
|
+
Post,
|
|
9
|
+
Put,
|
|
10
|
+
UseGuards,
|
|
11
|
+
} from "@nestjs/common";
|
|
12
|
+
import {
|
|
13
|
+
ApiBearerAuth,
|
|
14
|
+
ApiCreatedResponse,
|
|
15
|
+
ApiOkResponse,
|
|
16
|
+
ApiOperation,
|
|
17
|
+
ApiParam,
|
|
18
|
+
ApiTags,
|
|
19
|
+
} from "@nestjs/swagger";
|
|
20
|
+
import { DeletedResponseDto } from "../../../common/dto/mutation-response.dto";
|
|
21
|
+
import { ApiProtectedErrorResponses } from "../../../common/swagger/api-error-responses";
|
|
22
|
+
import { JwtAuthGuard } from "../../auth/infrastructure/passport/jwt-auth.guard";
|
|
23
|
+
import { CurrentUser } from "../../auth/presentation/current-user.decorator";
|
|
24
|
+
import { AuthenticatedUser } from "../../auth/types/authenticated-user";
|
|
25
|
+
import { OrgScopeGuard } from "../../request-context/presentation/org-scope.guard";
|
|
26
|
+
import { AccessControlService } from "../application/services/access-control.service";
|
|
27
|
+
import { PermissionGuard } from "../application/services/permission.guard";
|
|
28
|
+
import {
|
|
29
|
+
PermissionResponseDto,
|
|
30
|
+
RoleResponseDto,
|
|
31
|
+
RoutePermissionResponseDto,
|
|
32
|
+
} from "../dto/access-control-response.dto";
|
|
33
|
+
import { CreateRoleDto } from "../dto/create-role.dto";
|
|
34
|
+
import { UpdateRolePermissionsDto } from "../dto/update-role-permissions.dto";
|
|
35
|
+
import { UpdateRoleDto } from "../dto/update-role.dto";
|
|
36
|
+
import { RequirePermissions } from "./permissions.decorator";
|
|
37
|
+
|
|
38
|
+
@ApiTags("Access control")
|
|
39
|
+
@ApiBearerAuth()
|
|
40
|
+
@ApiParam({ name: "orgId", description: "Organisation ID.", format: "uuid" })
|
|
41
|
+
@ApiProtectedErrorResponses(404, 409)
|
|
42
|
+
@Controller("organisations/:orgId/access-control")
|
|
43
|
+
@UseGuards(JwtAuthGuard, OrgScopeGuard, PermissionGuard)
|
|
44
|
+
export class AccessControlController {
|
|
45
|
+
constructor(private readonly accessControlService: AccessControlService) {}
|
|
46
|
+
|
|
47
|
+
@Get("permissions")
|
|
48
|
+
@RequirePermissions("roles.read")
|
|
49
|
+
@ApiOperation({ summary: "List the seeded permission catalogue." })
|
|
50
|
+
@ApiOkResponse({
|
|
51
|
+
description: "Available permissions.",
|
|
52
|
+
type: [PermissionResponseDto],
|
|
53
|
+
})
|
|
54
|
+
listPermissions() {
|
|
55
|
+
return this.accessControlService.listPermissions();
|
|
56
|
+
}
|
|
57
|
+
|
|
58
|
+
@Get("route-permissions")
|
|
59
|
+
@RequirePermissions("roles.read")
|
|
60
|
+
@ApiOperation({
|
|
61
|
+
summary: "List permission requirements for protected routes.",
|
|
62
|
+
})
|
|
63
|
+
@ApiOkResponse({
|
|
64
|
+
description: "Protected route permission registry.",
|
|
65
|
+
type: [RoutePermissionResponseDto],
|
|
66
|
+
})
|
|
67
|
+
listRoutePermissions() {
|
|
68
|
+
return this.accessControlService.listRoutePermissions();
|
|
69
|
+
}
|
|
70
|
+
|
|
71
|
+
@Get("roles")
|
|
72
|
+
@RequirePermissions("roles.read")
|
|
73
|
+
@ApiOperation({ summary: "List organisation roles." })
|
|
74
|
+
@ApiOkResponse({
|
|
75
|
+
description: "Organisation roles.",
|
|
76
|
+
type: [RoleResponseDto],
|
|
77
|
+
})
|
|
78
|
+
listRoles(@Param("orgId") orgId: string) {
|
|
79
|
+
return this.accessControlService.listRoles(orgId);
|
|
80
|
+
}
|
|
81
|
+
|
|
82
|
+
@Post("roles")
|
|
83
|
+
@RequirePermissions("roles.manage")
|
|
84
|
+
@ApiOperation({ summary: "Create an organisation role." })
|
|
85
|
+
@ApiCreatedResponse({ description: "Role created.", type: RoleResponseDto })
|
|
86
|
+
createRole(
|
|
87
|
+
@CurrentUser() user: AuthenticatedUser,
|
|
88
|
+
@Param("orgId") orgId: string,
|
|
89
|
+
@Body() dto: CreateRoleDto,
|
|
90
|
+
) {
|
|
91
|
+
return this.accessControlService.createRole(user, orgId, dto);
|
|
92
|
+
}
|
|
93
|
+
|
|
94
|
+
@Patch("roles/:roleId")
|
|
95
|
+
@RequirePermissions("roles.manage")
|
|
96
|
+
@ApiParam({ name: "roleId", description: "Role ID.", format: "uuid" })
|
|
97
|
+
@ApiOperation({ summary: "Update role name or description." })
|
|
98
|
+
@ApiOkResponse({ description: "Role updated.", type: RoleResponseDto })
|
|
99
|
+
updateRole(
|
|
100
|
+
@CurrentUser() user: AuthenticatedUser,
|
|
101
|
+
@Param("orgId") orgId: string,
|
|
102
|
+
@Param("roleId") roleId: string,
|
|
103
|
+
@Body() dto: UpdateRoleDto,
|
|
104
|
+
) {
|
|
105
|
+
return this.accessControlService.updateRole(user, orgId, roleId, dto);
|
|
106
|
+
}
|
|
107
|
+
|
|
108
|
+
@Delete("roles/:roleId")
|
|
109
|
+
@RequirePermissions("roles.manage")
|
|
110
|
+
@ApiParam({ name: "roleId", description: "Role ID.", format: "uuid" })
|
|
111
|
+
@ApiOperation({ summary: "Delete an unused non-system role." })
|
|
112
|
+
@ApiOkResponse({ description: "Role deleted.", type: DeletedResponseDto })
|
|
113
|
+
deleteRole(
|
|
114
|
+
@CurrentUser() user: AuthenticatedUser,
|
|
115
|
+
@Param("orgId") orgId: string,
|
|
116
|
+
@Param("roleId") roleId: string,
|
|
117
|
+
) {
|
|
118
|
+
return this.accessControlService.deleteRole(user, orgId, roleId);
|
|
119
|
+
}
|
|
120
|
+
|
|
121
|
+
@Get("roles/:roleId/permissions")
|
|
122
|
+
@RequirePermissions("roles.read")
|
|
123
|
+
@ApiParam({ name: "roleId", description: "Role ID.", format: "uuid" })
|
|
124
|
+
@ApiOperation({ summary: "Return role permissions." })
|
|
125
|
+
@ApiOkResponse({
|
|
126
|
+
description: "Role with assigned permissions.",
|
|
127
|
+
type: RoleResponseDto,
|
|
128
|
+
})
|
|
129
|
+
listRolePermissions(
|
|
130
|
+
@Param("orgId") orgId: string,
|
|
131
|
+
@Param("roleId") roleId: string,
|
|
132
|
+
) {
|
|
133
|
+
return this.accessControlService.listRolePermissions(orgId, roleId);
|
|
134
|
+
}
|
|
135
|
+
|
|
136
|
+
@Put("roles/:roleId/permissions")
|
|
137
|
+
@RequirePermissions("permissions.assign")
|
|
138
|
+
@ApiParam({ name: "roleId", description: "Role ID.", format: "uuid" })
|
|
139
|
+
@ApiOperation({ summary: "Replace all permissions assigned to a role." })
|
|
140
|
+
@ApiOkResponse({
|
|
141
|
+
description: "Role with replacement permissions.",
|
|
142
|
+
type: RoleResponseDto,
|
|
143
|
+
})
|
|
144
|
+
replaceRolePermissions(
|
|
145
|
+
@CurrentUser() user: AuthenticatedUser,
|
|
146
|
+
@Param("orgId") orgId: string,
|
|
147
|
+
@Param("roleId") roleId: string,
|
|
148
|
+
@Body() dto: UpdateRolePermissionsDto,
|
|
149
|
+
) {
|
|
150
|
+
return this.accessControlService.replaceRolePermissions(
|
|
151
|
+
user,
|
|
152
|
+
orgId,
|
|
153
|
+
roleId,
|
|
154
|
+
dto,
|
|
155
|
+
);
|
|
156
|
+
}
|
|
157
|
+
}
|
|
@@ -0,0 +1,8 @@
|
|
|
1
|
+
import { SetMetadata } from "@nestjs/common";
|
|
2
|
+
import { PermissionKey } from "../types/permission-key";
|
|
3
|
+
|
|
4
|
+
export const REQUIRED_PERMISSIONS_KEY = "requiredPermissions";
|
|
5
|
+
|
|
6
|
+
export function RequirePermissions(...permissions: PermissionKey[]) {
|
|
7
|
+
return SetMetadata(REQUIRED_PERMISSIONS_KEY, permissions);
|
|
8
|
+
}
|
|
@@ -0,0 +1,37 @@
|
|
|
1
|
+
export const permissionKeys = [
|
|
2
|
+
"users.read",
|
|
3
|
+
"users.create",
|
|
4
|
+
"users.update",
|
|
5
|
+
"users.suspend",
|
|
6
|
+
"organisations.read",
|
|
7
|
+
"organisations.update",
|
|
8
|
+
"memberships.read",
|
|
9
|
+
"memberships.invite",
|
|
10
|
+
"memberships.revoke",
|
|
11
|
+
"roles.read",
|
|
12
|
+
"roles.manage",
|
|
13
|
+
"permissions.assign",
|
|
14
|
+
"billing.read",
|
|
15
|
+
"billing.manage",
|
|
16
|
+
"settings.read",
|
|
17
|
+
"settings.update",
|
|
18
|
+
"audit.read",
|
|
19
|
+
"platform.admin",
|
|
20
|
+
] as const;
|
|
21
|
+
|
|
22
|
+
export type PermissionKey = (typeof permissionKeys)[number];
|
|
23
|
+
|
|
24
|
+
export type RoutePermissionEntry = {
|
|
25
|
+
method: string;
|
|
26
|
+
path: string;
|
|
27
|
+
permissions: PermissionKey[];
|
|
28
|
+
};
|
|
29
|
+
|
|
30
|
+
export function permissionKeyToRule(key: string) {
|
|
31
|
+
const [subject, action] = key.split(".", 2);
|
|
32
|
+
if (!subject || !action) {
|
|
33
|
+
throw new Error(`Invalid permission key: ${key}`);
|
|
34
|
+
}
|
|
35
|
+
|
|
36
|
+
return { action, subject };
|
|
37
|
+
}
|
|
@@ -0,0 +1,129 @@
|
|
|
1
|
+
import { RoutePermissionEntry } from "./permission-key";
|
|
2
|
+
|
|
3
|
+
export const routePermissionRegistry: RoutePermissionEntry[] = [
|
|
4
|
+
{
|
|
5
|
+
method: "GET",
|
|
6
|
+
path: "/organisations/:orgId/memberships/me",
|
|
7
|
+
permissions: ["memberships.read"],
|
|
8
|
+
},
|
|
9
|
+
{
|
|
10
|
+
method: "GET",
|
|
11
|
+
path: "/organisations/:orgId/memberships",
|
|
12
|
+
permissions: ["memberships.read"],
|
|
13
|
+
},
|
|
14
|
+
{
|
|
15
|
+
method: "PATCH",
|
|
16
|
+
path: "/organisations/:orgId/memberships/:membershipId/status",
|
|
17
|
+
permissions: ["memberships.revoke"],
|
|
18
|
+
},
|
|
19
|
+
{
|
|
20
|
+
method: "PATCH",
|
|
21
|
+
path: "/organisations/:orgId/memberships/:membershipId/role",
|
|
22
|
+
permissions: ["roles.manage"],
|
|
23
|
+
},
|
|
24
|
+
{
|
|
25
|
+
method: "PATCH",
|
|
26
|
+
path: "/organisations/:orgId/memberships/:membershipId/owner",
|
|
27
|
+
permissions: ["roles.manage"],
|
|
28
|
+
},
|
|
29
|
+
{
|
|
30
|
+
method: "PATCH",
|
|
31
|
+
path: "/organisations/:orgId/memberships/:membershipId/billing-contact",
|
|
32
|
+
permissions: ["billing.manage"],
|
|
33
|
+
},
|
|
34
|
+
{
|
|
35
|
+
method: "POST",
|
|
36
|
+
path: "/organisations/:orgId/memberships/transfer-owner",
|
|
37
|
+
permissions: ["roles.manage"],
|
|
38
|
+
},
|
|
39
|
+
{
|
|
40
|
+
method: "POST",
|
|
41
|
+
path: "/organisations/:orgId/invitations",
|
|
42
|
+
permissions: ["memberships.invite"],
|
|
43
|
+
},
|
|
44
|
+
{
|
|
45
|
+
method: "GET",
|
|
46
|
+
path: "/organisations/:orgId/invitations",
|
|
47
|
+
permissions: ["memberships.read"],
|
|
48
|
+
},
|
|
49
|
+
{
|
|
50
|
+
method: "POST",
|
|
51
|
+
path: "/organisations/:orgId/invitations/:invitationId/revoke",
|
|
52
|
+
permissions: ["memberships.revoke"],
|
|
53
|
+
},
|
|
54
|
+
{
|
|
55
|
+
method: "POST",
|
|
56
|
+
path: "/organisations/:orgId/invitations/:invitationId/resend",
|
|
57
|
+
permissions: ["memberships.invite"],
|
|
58
|
+
},
|
|
59
|
+
{
|
|
60
|
+
method: "GET",
|
|
61
|
+
path: "/organisations/:orgId/access-control/permissions",
|
|
62
|
+
permissions: ["roles.read"],
|
|
63
|
+
},
|
|
64
|
+
{
|
|
65
|
+
method: "GET",
|
|
66
|
+
path: "/organisations/:orgId/access-control/roles",
|
|
67
|
+
permissions: ["roles.read"],
|
|
68
|
+
},
|
|
69
|
+
{
|
|
70
|
+
method: "POST",
|
|
71
|
+
path: "/organisations/:orgId/access-control/roles",
|
|
72
|
+
permissions: ["roles.manage"],
|
|
73
|
+
},
|
|
74
|
+
{
|
|
75
|
+
method: "PATCH",
|
|
76
|
+
path: "/organisations/:orgId/access-control/roles/:roleId",
|
|
77
|
+
permissions: ["roles.manage"],
|
|
78
|
+
},
|
|
79
|
+
{
|
|
80
|
+
method: "DELETE",
|
|
81
|
+
path: "/organisations/:orgId/access-control/roles/:roleId",
|
|
82
|
+
permissions: ["roles.manage"],
|
|
83
|
+
},
|
|
84
|
+
{
|
|
85
|
+
method: "GET",
|
|
86
|
+
path: "/organisations/:orgId/access-control/roles/:roleId/permissions",
|
|
87
|
+
permissions: ["roles.read"],
|
|
88
|
+
},
|
|
89
|
+
{
|
|
90
|
+
method: "PUT",
|
|
91
|
+
path: "/organisations/:orgId/access-control/roles/:roleId/permissions",
|
|
92
|
+
permissions: ["permissions.assign"],
|
|
93
|
+
},
|
|
94
|
+
{
|
|
95
|
+
method: "GET",
|
|
96
|
+
path: "/organisations/:orgId/access-control/route-permissions",
|
|
97
|
+
permissions: ["roles.read"],
|
|
98
|
+
},
|
|
99
|
+
{
|
|
100
|
+
method: "GET",
|
|
101
|
+
path: "/organisations/:orgId/audit",
|
|
102
|
+
permissions: ["audit.read"],
|
|
103
|
+
},
|
|
104
|
+
{
|
|
105
|
+
method: "GET",
|
|
106
|
+
path: "/organisations/:orgId/settings",
|
|
107
|
+
permissions: ["settings.read"],
|
|
108
|
+
},
|
|
109
|
+
{
|
|
110
|
+
method: "GET",
|
|
111
|
+
path: "/organisations/:orgId/settings/:key",
|
|
112
|
+
permissions: ["settings.read"],
|
|
113
|
+
},
|
|
114
|
+
{
|
|
115
|
+
method: "PATCH",
|
|
116
|
+
path: "/organisations/:orgId/settings",
|
|
117
|
+
permissions: ["settings.update"],
|
|
118
|
+
},
|
|
119
|
+
{
|
|
120
|
+
method: "GET",
|
|
121
|
+
path: "/organisations/:orgId/sample/status",
|
|
122
|
+
permissions: ["organisations.read"],
|
|
123
|
+
},
|
|
124
|
+
{
|
|
125
|
+
method: "POST",
|
|
126
|
+
path: "/organisations/:orgId/sample/echo",
|
|
127
|
+
permissions: ["organisations.update"],
|
|
128
|
+
},
|
|
129
|
+
];
|
|
@@ -0,0 +1,97 @@
|
|
|
1
|
+
import { BadRequestException, Injectable } from "@nestjs/common";
|
|
2
|
+
import { Prisma } from "@prisma/client";
|
|
3
|
+
import { PrismaService } from "../../../../database/prisma/prisma.service";
|
|
4
|
+
import { RequestContextService } from "../../../request-context/application/services/request-context.service";
|
|
5
|
+
import { ListAuditLogsQueryDto } from "../../dto/list-audit-logs-query.dto";
|
|
6
|
+
|
|
7
|
+
type PrismaClient = Prisma.TransactionClient | PrismaService;
|
|
8
|
+
|
|
9
|
+
export type AuditWriteInput = {
|
|
10
|
+
orgId?: string | null;
|
|
11
|
+
actorUserId?: string | null;
|
|
12
|
+
action: string;
|
|
13
|
+
targetType: string;
|
|
14
|
+
targetId?: string | null;
|
|
15
|
+
metadata?: Prisma.InputJsonValue;
|
|
16
|
+
};
|
|
17
|
+
|
|
18
|
+
const DEFAULT_LIMIT = 50;
|
|
19
|
+
const MAX_LIMIT = 100;
|
|
20
|
+
|
|
21
|
+
@Injectable()
|
|
22
|
+
export class AuditService {
|
|
23
|
+
constructor(
|
|
24
|
+
private readonly prisma: PrismaService,
|
|
25
|
+
private readonly requestContext: RequestContextService,
|
|
26
|
+
) {}
|
|
27
|
+
|
|
28
|
+
async write(client: PrismaClient, data: AuditWriteInput) {
|
|
29
|
+
const context = this.requestContext.get();
|
|
30
|
+
|
|
31
|
+
await client.auditLog.create({
|
|
32
|
+
data: {
|
|
33
|
+
orgId: data.orgId ?? null,
|
|
34
|
+
actorUserId: data.actorUserId ?? context?.userId ?? null,
|
|
35
|
+
action: data.action,
|
|
36
|
+
targetType: data.targetType,
|
|
37
|
+
targetId: data.targetId ?? null,
|
|
38
|
+
metadata: data.metadata === undefined ? Prisma.JsonNull : data.metadata,
|
|
39
|
+
ipAddress: context?.ipAddress,
|
|
40
|
+
userAgent: context?.userAgent,
|
|
41
|
+
},
|
|
42
|
+
});
|
|
43
|
+
}
|
|
44
|
+
|
|
45
|
+
async listOrgLogs(orgId: string, query: ListAuditLogsQueryDto) {
|
|
46
|
+
this.requestContext.assertOrgScope(orgId);
|
|
47
|
+
|
|
48
|
+
const limit = Math.min(query.limit ?? DEFAULT_LIMIT, MAX_LIMIT);
|
|
49
|
+
if (query.from && query.to && new Date(query.from) > new Date(query.to)) {
|
|
50
|
+
throw new BadRequestException("from must be before or equal to to.");
|
|
51
|
+
}
|
|
52
|
+
|
|
53
|
+
const createdAt: Prisma.DateTimeFilter =
|
|
54
|
+
query.from || query.to
|
|
55
|
+
? {
|
|
56
|
+
gte: query.from ? new Date(query.from) : undefined,
|
|
57
|
+
lte: query.to ? new Date(query.to) : undefined,
|
|
58
|
+
}
|
|
59
|
+
: {};
|
|
60
|
+
const where: Prisma.AuditLogWhereInput = {
|
|
61
|
+
orgId,
|
|
62
|
+
action: query.action,
|
|
63
|
+
actorUserId: query.actorUserId,
|
|
64
|
+
targetType: query.targetType,
|
|
65
|
+
targetId: query.targetId,
|
|
66
|
+
...(query.from || query.to ? { createdAt } : {}),
|
|
67
|
+
};
|
|
68
|
+
|
|
69
|
+
const rows = await this.prisma.auditLog.findMany({
|
|
70
|
+
where,
|
|
71
|
+
include: {
|
|
72
|
+
actorUser: {
|
|
73
|
+
select: {
|
|
74
|
+
id: true,
|
|
75
|
+
displayName: true,
|
|
76
|
+
},
|
|
77
|
+
},
|
|
78
|
+
},
|
|
79
|
+
orderBy: [{ createdAt: "desc" }, { id: "desc" }],
|
|
80
|
+
take: limit + 1,
|
|
81
|
+
...(query.cursor
|
|
82
|
+
? {
|
|
83
|
+
cursor: { id: query.cursor },
|
|
84
|
+
skip: 1,
|
|
85
|
+
}
|
|
86
|
+
: {}),
|
|
87
|
+
});
|
|
88
|
+
|
|
89
|
+
const hasMore = rows.length > limit;
|
|
90
|
+
const items = rows.slice(0, limit);
|
|
91
|
+
|
|
92
|
+
return {
|
|
93
|
+
items,
|
|
94
|
+
nextCursor: hasMore ? items[items.length - 1]?.id : null,
|
|
95
|
+
};
|
|
96
|
+
}
|
|
97
|
+
}
|
|
@@ -0,0 +1,13 @@
|
|
|
1
|
+
import { Global, Module } from "@nestjs/common";
|
|
2
|
+
import { AuthModule } from "../auth/auth.module";
|
|
3
|
+
import { AuditService } from "./application/services/audit.service";
|
|
4
|
+
import { AuditController } from "./presentation/audit.controller";
|
|
5
|
+
|
|
6
|
+
@Global()
|
|
7
|
+
@Module({
|
|
8
|
+
imports: [AuthModule],
|
|
9
|
+
controllers: [AuditController],
|
|
10
|
+
providers: [AuditService],
|
|
11
|
+
exports: [AuditService],
|
|
12
|
+
})
|
|
13
|
+
export class AuditModule {}
|
|
@@ -0,0 +1,75 @@
|
|
|
1
|
+
import { ApiProperty, ApiPropertyOptional } from "@nestjs/swagger";
|
|
2
|
+
|
|
3
|
+
class AuditActorResponseDto {
|
|
4
|
+
@ApiProperty({
|
|
5
|
+
example: "4a4f0d8a-4bd2-469f-a6a9-3e1cb6a2b456",
|
|
6
|
+
format: "uuid",
|
|
7
|
+
})
|
|
8
|
+
id!: string;
|
|
9
|
+
|
|
10
|
+
@ApiPropertyOptional({ example: "Starter Owner", nullable: true })
|
|
11
|
+
displayName?: string | null;
|
|
12
|
+
}
|
|
13
|
+
|
|
14
|
+
export class AuditLogResponseDto {
|
|
15
|
+
@ApiProperty({
|
|
16
|
+
example: "df6537c4-f58b-452e-a67e-18ec528d0f0f",
|
|
17
|
+
format: "uuid",
|
|
18
|
+
})
|
|
19
|
+
id!: string;
|
|
20
|
+
|
|
21
|
+
@ApiPropertyOptional({
|
|
22
|
+
example: "2c67399d-670c-4025-a5fd-1ea9a211891e",
|
|
23
|
+
format: "uuid",
|
|
24
|
+
nullable: true,
|
|
25
|
+
})
|
|
26
|
+
orgId?: string | null;
|
|
27
|
+
|
|
28
|
+
@ApiPropertyOptional({
|
|
29
|
+
example: "4a4f0d8a-4bd2-469f-a6a9-3e1cb6a2b456",
|
|
30
|
+
format: "uuid",
|
|
31
|
+
nullable: true,
|
|
32
|
+
})
|
|
33
|
+
actorUserId?: string | null;
|
|
34
|
+
|
|
35
|
+
@ApiProperty({ example: "membership.status.update" })
|
|
36
|
+
action!: string;
|
|
37
|
+
|
|
38
|
+
@ApiProperty({ example: "Membership" })
|
|
39
|
+
targetType!: string;
|
|
40
|
+
|
|
41
|
+
@ApiPropertyOptional({
|
|
42
|
+
example: "0a57fb4a-95c6-4f7e-bd5a-f96dbe0599e3",
|
|
43
|
+
nullable: true,
|
|
44
|
+
})
|
|
45
|
+
targetId?: string | null;
|
|
46
|
+
|
|
47
|
+
@ApiPropertyOptional({
|
|
48
|
+
example: { previousStatus: "ACTIVE", nextStatus: "SUSPENDED" },
|
|
49
|
+
nullable: true,
|
|
50
|
+
})
|
|
51
|
+
metadata?: Record<string, unknown> | null;
|
|
52
|
+
|
|
53
|
+
@ApiPropertyOptional({ example: "127.0.0.1", nullable: true })
|
|
54
|
+
ipAddress?: string | null;
|
|
55
|
+
|
|
56
|
+
@ApiPropertyOptional({ example: "Mozilla/5.0", nullable: true })
|
|
57
|
+
userAgent?: string | null;
|
|
58
|
+
|
|
59
|
+
@ApiProperty({ example: "2026-06-01T10:30:00.000Z", format: "date-time" })
|
|
60
|
+
createdAt!: string;
|
|
61
|
+
|
|
62
|
+
@ApiPropertyOptional({ type: AuditActorResponseDto, nullable: true })
|
|
63
|
+
actorUser?: AuditActorResponseDto | null;
|
|
64
|
+
}
|
|
65
|
+
|
|
66
|
+
export class AuditLogListResponseDto {
|
|
67
|
+
@ApiProperty({ type: [AuditLogResponseDto] })
|
|
68
|
+
items!: AuditLogResponseDto[];
|
|
69
|
+
|
|
70
|
+
@ApiPropertyOptional({
|
|
71
|
+
example: "df6537c4-f58b-452e-a67e-18ec528d0f0f",
|
|
72
|
+
nullable: true,
|
|
73
|
+
})
|
|
74
|
+
nextCursor?: string | null;
|
|
75
|
+
}
|