@goplusvn/core 0.1.0 → 0.1.1

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@goplusvn/core",
   "description": "GoPlusVN Platform Kit - ERP kernel: layout, RBAC, CRUD, multi-tenant, system pages",
-  "version": "0.1.0",
+  "version": "0.1.1",
   "private": false,
   "publishConfig": {
     "registry": "https://registry.npmjs.org",
@@ -13,6 +13,7 @@
   "sideEffects": false,
   "files": [
     "dist",
+    "src",
     "README.md",
     "CHANGELOG.md"
   ],

package/src/audit/audit-manager.ts

@@ -0,0 +1,139 @@
+import type {
+  AuditLog,
+  AuditLogger,
+  AuditManagerOptions,
+  CreateAuditInput,
+} from "./types";
+import { createLogger } from "../infrastructure/logger";
+import { MemoryAuditLogger } from "./memory-audit-logger";
+
+const logger = createLogger("AuditManager");
+
+/**
+ * Console-based audit logger (default)
+ * In production, replace with database or external service
+ */
+class ConsoleAuditLogger implements AuditLogger {
+  async log(entry: AuditLog): Promise<void> {
+    logger.info(`AUDIT: ${entry.action} ${entry.resource}`, {
+      id: entry.id,
+      resourceId: entry.resourceId,
+      userId: entry.userId,
+      changes: entry.changes,
+    });
+  }
+}
+
+/**
+ * AuditManager - tracks actions for compliance and debugging
+ *
+ * @example
+ * ```typescript
+ * import { auditManager } from '@goerp/core/audit';
+ *
+ * // Log an action
+ * await auditManager.log({
+ *   action: 'update',
+ *   resource: 'purchase-order',
+ *   resourceId: '123',
+ *   userId: session.user.id,
+ *   changes: { status: { old: 'pending', new: 'approved' } }
+ * });
+ * ```
+ */
+class AuditManagerImpl {
+  private auditLogger: AuditLogger;
+  private registeredActions: Set<string>;
+
+  constructor(options: AuditManagerOptions = {}) {
+    this.auditLogger = options.logger || new MemoryAuditLogger();
+    this.registeredActions = new Set(
+      options.actions || ["create", "update", "delete", "login", "logout"],
+    );
+  }
+
+  /** Set custom audit logger */
+  setLogger(auditLogger: AuditLogger): void {
+    this.auditLogger = auditLogger;
+  }
+
+  /** Register action for automatic auditing */
+  registerAction(action: string): void {
+    this.registeredActions.add(action);
+  }
+
+  /** Check if action is registered for auditing */
+  isRegistered(action: string): boolean {
+    return this.registeredActions.has(action);
+  }
+
+  /** Log an audit entry */
+  async log(input: CreateAuditInput): Promise<void> {
+    const entry: AuditLog = {
+      id: crypto.randomUUID(),
+      ...input,
+      createdAt: new Date(),
+    };
+
+    try {
+      await this.auditLogger.log(entry);
+    } catch (error) {
+      logger.error("Failed to log audit entry", { error: String(error) });
+    }
+  }
+
+  /**
+   * Get logs if the logger supports it (specifically MemoryAuditLogger)
+   */
+  getLogs(filter: any = {}): AuditLog[] {
+    if ("getLogs" in this.auditLogger) {
+      return (this.auditLogger as any).getLogs(filter);
+    }
+    return [];
+  }
+
+  /** Create middleware for automatic API route auditing */
+  middleware() {
+    return async (
+      ctx: {
+        action?: { actionName: string; resourceName: string };
+        state?: { currentUser?: { id: string }; currentRole?: string };
+        request?: { ip?: string; header?: Record<string, string> };
+        status?: number;
+      },
+      next: () => Promise<void>,
+    ): Promise<void> => {
+      const startTime = Date.now();
+      let error: Error | null = null;
+
+      try {
+        await next();
+      } catch (e) {
+        error = e as Error;
+        throw e;
+      } finally {
+        if (ctx.action && this.isRegistered(ctx.action.actionName)) {
+          await this.log({
+            action: ctx.action.actionName,
+            resource: ctx.action.resourceName,
+            userId: ctx.state?.currentUser?.id,
+            roleName: ctx.state?.currentRole,
+            ip: ctx.request?.ip,
+            userAgent: ctx.request?.header?.["user-agent"],
+            status: ctx.status || (error ? 500 : 200),
+            metadata: {
+              duration: Date.now() - startTime,
+              ...(error && { error: error.message }),
+            },
+          });
+        }
+      }
+    };
+  }
+}
+
+// Singleton instance
+export const auditManager = new AuditManagerImpl();
+
+// Export class for testing
+export { AuditManagerImpl, ConsoleAuditLogger, MemoryAuditLogger };

package/src/audit/index.ts

@@ -0,0 +1,11 @@
+export {
+  auditManager,
+  AuditManagerImpl,
+  ConsoleAuditLogger,
+} from "./audit-manager";
+export type {
+  AuditLog,
+  AuditLogger,
+  AuditManagerOptions,
+  CreateAuditInput,
+} from "./types";

package/src/audit/memory-audit-logger.ts

@@ -0,0 +1,86 @@
+import type { AuditLog, AuditLogger } from "./types";
+
+/**
+ * Filter options for retrieving audit logs
+ */
+export interface AuditLogFilter {
+  fromDate?: Date;
+  toDate?: Date;
+  userId?: string;
+  action?: string;
+  resource?: string;
+  type?: "info" | "warning" | "error";
+  limit?: number;
+  offset?: number;
+}
+
+/**
+ * In-memory audit logger that supports retrieval
+ */
+export class MemoryAuditLogger implements AuditLogger {
+  private logs: AuditLog[] = [];
+  private readonly maxLogs: number;
+
+  constructor(maxLogs = 1000) {
+    this.maxLogs = maxLogs;
+  }
+
+  async log(entry: AuditLog): Promise<void> {
+    // Add to beginning of array
+    this.logs.unshift(entry);
+
+    // Trim if exceeds max size
+    if (this.logs.length > this.maxLogs) {
+      this.logs = this.logs.slice(0, this.maxLogs);
+    }
+  }
+
+  /**
+   * Get logs with filtering
+   */
+  getLogs(filter: AuditLogFilter = {}): AuditLog[] {
+    let filtered = this.logs;
+
+    if (filter.fromDate) {
+      filtered = filtered.filter((log) => log.createdAt >= filter.fromDate!);
+    }
+
+    if (filter.toDate) {
+      filtered = filtered.filter((log) => log.createdAt <= filter.toDate!);
+    }
+
+    if (filter.userId) {
+      filtered = filtered.filter((log) => log.userId === filter.userId);
+    }
+
+    if (filter.action) {
+      filtered = filtered.filter((log) => log.action === filter.action);
+    }
+
+    if (filter.resource) {
+      filtered = filtered.filter((log) => log.resource === filter.resource);
+    }
+
+    // "type" filter is a fuzzy mapping based on status code or action name for demo purposes
+    if (filter.type) {
+      filtered = filtered.filter((log) => {
+        if (filter.type === "error") return (log.status || 200) >= 400;
+        if (filter.type === "warning")
+          return (log.status || 200) >= 300 && (log.status || 200) < 400;
+        return (log.status || 200) < 300;
+      });
+    }
+
+    const offset = filter.offset || 0;
+    const limit = filter.limit || 50;
+
+    return filtered.slice(offset, offset + limit);
+  }
+
+  /**
+   * Clear all logs
+   */
+  clear(): void {
+    this.logs = [];
+  }
+}

package/src/audit/types.ts

@@ -0,0 +1,50 @@
+// Audit Types
+export interface AuditLog {
+  id: string;
+  /** Action type: create, update, delete, login, logout, custom */
+  action: string;
+  /** Resource/entity name (e.g., 'purchase-order', 'user') */
+  resource: string;
+  /** Resource ID */
+  resourceId?: string;
+  /** User who performed the action */
+  userId?: string;
+  /** User's role at time of action */
+  roleName?: string;
+  /** Changes made (for update actions) */
+  changes?: Record<string, { old: unknown; new: unknown }>;
+  /** Additional metadata */
+  metadata?: Record<string, unknown>;
+  /** Request IP address */
+  ip?: string;
+  /** User agent */
+  userAgent?: string;
+  /** HTTP status code */
+  status?: number;
+  /** Timestamp */
+  createdAt: Date;
+}
+
+export interface CreateAuditInput {
+  action: string;
+  resource: string;
+  resourceId?: string;
+  userId?: string;
+  roleName?: string;
+  changes?: Record<string, { old: unknown; new: unknown }>;
+  metadata?: Record<string, unknown>;
+  ip?: string;
+  userAgent?: string;
+  status?: number;
+}
+
+export interface AuditLogger {
+  log(entry: AuditLog): Promise<void>;
+}
+
+export interface AuditManagerOptions {
+  /** Custom logger implementation */
+  logger?: AuditLogger;
+  /** Actions to automatically audit */
+  actions?: string[];
+}

package/src/auth/auth-service.ts

@@ -0,0 +1,97 @@
+// Define the shape of the Prisma Client required by this service
+export interface AuthPrismaClient {
+  user: any;
+}
+
+// Dynamic import bcryptjs to avoid Edge Runtime issues
+export async function verifyPassword(
+  password: string,
+  hash: string,
+): Promise<boolean> {
+  try {
+    const bcrypt = await import("bcryptjs");
+    return bcrypt.compareSync(password, hash);
+  } catch (error) {
+    console.error("Error verifying password", error);
+    return false;
+  }
+}
+
+export interface AuthenticatedUser {
+  id: string;
+  email: string | null;
+  name: string;
+  avatar: string | null;
+  status: string;
+}
+
+export interface AuthError {
+  message: string;
+  email?: string;
+}
+
+/**
+ * Authenticate user with email and password
+ * Returns user data if successful, throws error if failed
+ */
+export async function authenticateUser(
+  db: AuthPrismaClient,
+  email: string,
+  password: string,
+): Promise<AuthenticatedUser> {
+  try {
+    // Query user from database by email
+    const user = await db.user.findUnique({
+      where: { email: email.toLowerCase().trim() },
+      select: {
+        id: true,
+        email: true,
+        name: true,
+        avatar: true,
+        password: true,
+        isActive: true,
+      },
+    });
+
+    // Check if user exists
+    if (!user) {
+      throw new Error("Invalid email or password");
+    }
+
+    // Check if user account is suspended/inactive
+    if (!user.isActive) {
+      throw new Error("ACCOUNT_SUSPENDED");
+    }
+
+    // Verify password
+    if (!user.password) {
+      throw new Error("Invalid email or password");
+    }
+
+    const isPasswordValid = await verifyPassword(password, user.password);
+    if (!isPasswordValid) {
+      throw new Error("Invalid email or password");
+    }
+
+    // Update last login time
+    await db.user.update({
+      where: { id: user.id },
+      data: { lastLoginAt: new Date() },
+    });
+
+    // Return user data (without password)
+    return {
+      id: user.id,
+      name: user.name || "",
+      email: user.email,
+      avatar: user.avatar || null,
+      status: "ONLINE",
+    };
+  } catch (error) {
+    // Re-throw error with proper message
+    if (error instanceof Error) {
+      throw error;
+    }
+    throw new Error("Error signing in");
+  }
+}

package/src/auth/index.ts

@@ -0,0 +1,266 @@
+// @goerp/core/auth
+// Authentication and RBAC utilities for GoERP
+
+import type { Session } from "next-auth";
+
+export * from "./auth-service";
+
+// ============================================================================
+// Types
+// ============================================================================
+
+export interface Permission {
+  resourceCode: string;
+  actionCode: string;
+}
+
+export interface ExtendedUser {
+  id: string;
+  name?: string | null;
+  email?: string | null;
+  image?: string | null;
+  roles?: string[];
+  permissions?: Permission[];
+}
+
+export interface UserSession {
+  user: ExtendedUser;
+}
+
+export interface CrudPermissionResult {
+  create: boolean;
+  view: boolean;
+  update: boolean;
+  delete: boolean;
+  export: boolean;
+  import: boolean;
+  approve: boolean;
+  reject: boolean;
+}
+
+// ============================================================================
+// Constants
+// ============================================================================
+
+const ADMIN_ROLE_CODE = "admin";
+const BYPASS_AUTH =
+  process.env.BYPASS_AUTH === "true" || process.env.BYPASS_AUTH === "1";
+
+// Action code mapping
+const ACTION_CODES: Record<string, string> = {
+  create: "create",
+  view: "view",
+  update: "update",
+  delete: "delete",
+  export: "export",
+  import: "import",
+  approve: "approve",
+  reject: "reject",
+};
+
+/**
+ * Get action code from action name
+ */
+export function getActionCode(action: string): string {
+  return ACTION_CODES[action] || action;
+}
+
+// ============================================================================
+// Permission Functions
+// ============================================================================
+
+/**
+ * Get all permissions from session
+ */
+export function getUserPermissions(session: Session | null): Permission[] {
+  if (!session?.user) return [];
+  const user = session.user as ExtendedUser;
+
+  if (!user.permissions) {
+    return [];
+  }
+  return user.permissions;
+}
+
+/**
+ * Get CRUD permissions from session for a specific entity
+ */
+export function getCrudPermissionsFromSession(
+  session: Session | null,
+  entity: string,
+): CrudPermissionResult {
+  // TEMPORARY: Return all permissions as true if bypass is enabled
+  if (BYPASS_AUTH) {
+    return {
+      create: true,
+      view: true,
+      update: true,
+      delete: true,
+      export: true,
+      import: true,
+      approve: true,
+      reject: true,
+    };
+  }
+
+  if (!session?.user) {
+    return {
+      create: false,
+      view: false,
+      update: false,
+      delete: false,
+      export: false,
+      import: false,
+      approve: false,
+      reject: false,
+    };
+  }
+
+  const user = session.user as ExtendedUser;
+
+  if (!user.id) {
+    return {
+      create: false,
+      view: false,
+      update: false,
+      delete: false,
+      export: false,
+      import: false,
+      approve: false,
+      reject: false,
+    };
+  }
+
+  // Check admin role first (fastest check)
+  const isAdmin =
+    user.roles?.includes(ADMIN_ROLE_CODE) ||
+    user.roles?.includes("SUPER_ADMIN");
+  if (isAdmin) {
+    return {
+      create: true,
+      view: true,
+      update: true,
+      delete: true,
+      export: true,
+      import: true,
+      approve: true,
+      reject: true,
+    };
+  }
+
+  // Pre-compute permission keys for fast lookup
+  const permissions = user.permissions || [];
+  const permissionKeys = new Set(
+    permissions.map((p) => `${p.resourceCode}:${p.actionCode}`),
+  );
+
+  const hasPermission = (action: string) => {
+    const key = `${entity}:${action}`;
+    return permissionKeys.has(key);
+  };
+
+  return {
+    create: hasPermission(getActionCode("create")),
+    view: hasPermission(getActionCode("view")),
+    update: hasPermission(getActionCode("update")),
+    delete: hasPermission(getActionCode("delete")),
+    export: hasPermission(getActionCode("export")),
+    import: hasPermission(getActionCode("import")),
+    approve: hasPermission(getActionCode("approve")),
+    reject: hasPermission(getActionCode("reject")),
+  };
+}
+
+/**
+ * Check if user has a specific permission
+ */
+export function checkPermission(
+  session: Session | null,
+  resourceCode: string,
+  actionCode: string,
+): boolean {
+  if (BYPASS_AUTH) {
+    return true;
+  }
+
+  if (!session?.user) return false;
+  const user = session.user as ExtendedUser;
+
+  if (!user.permissions || user.permissions.length === 0) {
+    return false;
+  }
+
+  // Admin role bypass
+  if (
+    user.roles?.includes(ADMIN_ROLE_CODE) ||
+    user.roles?.includes("SUPER_ADMIN")
+  ) {
+    return true;
+  }
+
+  return user.permissions.some(
+    (p) => p.resourceCode === resourceCode && p.actionCode === actionCode,
+  );
+}
+
+/**
+ * Alias for checkPermission
+ */
+export function hasPermission(
+  session: Session | null,
+  resourceCode: string,
+  actionCode: string,
+): boolean {
+  return checkPermission(session, resourceCode, actionCode);
+}
+
+/**
+ * Require permission - throw error if not authorized
+ */
+export function requirePermission(
+  session: Session | null,
+  resourceCode: string,
+  actionCode: string,
+): void {
+  if (!checkPermission(session, resourceCode, actionCode)) {
+    throw new Error(
+      `Unauthorized: User does not have permission ${actionCode} on ${resourceCode}`,
+    );
+  }
+}
+
+/**
+ * Check if user has a specific role
+ */
+export function hasRole(session: Session | null, roleCode: string): boolean {
+  if (!session?.user) return false;
+  const user = session.user as ExtendedUser;
+
+  if (!user.roles) {
+    return false;
+  }
+  return user.roles.includes(roleCode);
+}
+
+/**
+ * Check if user has any of the specified roles
+ */
+export function hasAnyRole(
+  session: Session | null,
+  roleCodes: string[],
+): boolean {
+  if (!session?.user) return false;
+  const user = session.user as ExtendedUser;
+
+  if (!user.roles) {
+    return false;
+  }
+  return roleCodes.some((role) => user.roles!.includes(role));
+}
+
+/**
+ * Check if user is admin
+ */
+export function isAdmin(session: Session | null): boolean {
+  return hasRole(session, ADMIN_ROLE_CODE);
+}