@goplusvn/core 0.1.0 → 0.1.1

package/src/rbac/index.ts

@@ -0,0 +1,297 @@
+// @goerp/core/rbac
+// Core RBAC (Role-Based Access Control) utilities for GoERP platform
+// Consolidated from packages/shared/rbac
+
+import type { Permission } from "../types";
+import type { Session } from "next-auth";
+import { logger } from "../utils";
+
+// ============================================================================
+// Action Mapping
+// ============================================================================
+
+export const CRUD_ACTIONS = {
+  create: "create",
+  view: "view",
+  update: "update",
+  delete: "delete",
+  export: "export",
+  import: "import",
+  approve: "approve",
+  reject: "reject",
+} as const;
+
+export type CrudAction = keyof typeof CRUD_ACTIONS;
+
+export function getActionCode(operation: CrudAction): string {
+  return CRUD_ACTIONS[operation];
+}
+
+export function getAllCrudActionCodes(): string[] {
+  return Object.values(CRUD_ACTIONS);
+}
+
+export function isCrudAction(actionCode: string): boolean {
+  return Object.values(CRUD_ACTIONS).includes(actionCode as CrudAction);
+}
+
+// ============================================================================
+// Permission Cache
+// ============================================================================
+
+import { cacheManager } from "../infrastructure/cache/cache-manager";
+
+// ... (keep PERMISSIONS_TTL_MS logic if needed, but CacheManager uses seconds usually? No, CacheManager options usually take seconds? 
+// MemoryCache implementation (checked in step 448) uses seconds for TTL in constructor? 
+// L20: this.defaultTtl = options.ttl || 3600; 
+// L74: expireAt: ttlSeconds > 0 ? Date.now() + ttlSeconds * 1000 : null
+// So CacheManager expects SECONDS.
+// PERMISSIONS_TTL_MS is in MS (5 * 60 * 1000).
+// So I should pass 5 * 60 (300) seconds.
+
+const DEFAULT_PERMISSIONS_CACHE_TTL_SECONDS = 5 * 60; // 5 minutes
+
+const PERMISSIONS_TTL_SECONDS = (() => {
+  const ttlEnv = process.env.PERMISSIONS_CACHE_TTL_MS; // Metric used MS in env
+  if (!ttlEnv) {
+    return DEFAULT_PERMISSIONS_CACHE_TTL_SECONDS;
+  }
+
+  const parsedTtlMs = Number.parseInt(ttlEnv, 10);
+  if (Number.isNaN(parsedTtlMs) || parsedTtlMs <= 0) {
+    logger.warn(
+      `Invalid PERMISSIONS_CACHE_TTL_MS="${ttlEnv}". Falling back to default ${DEFAULT_PERMISSIONS_CACHE_TTL_SECONDS}s`,
+    );
+    return DEFAULT_PERMISSIONS_CACHE_TTL_SECONDS;
+  }
+
+  return Math.floor(parsedTtlMs / 1000);
+})();
+
+// Create cache instance
+const permissionCache = cacheManager.create({
+  name: "rbac-permissions",
+  ttl: PERMISSIONS_TTL_SECONDS,
+  max: 10000, 
+});
+
+async function getFromCache(userId: string): Promise<Permission[] | undefined> {
+  return permissionCache.get<Permission[]>(userId);
+}
+
+async function setToCache(userId: string, data: Permission[]) {
+  // Use default TTL configured in cache instance
+  await permissionCache.set(userId, data); 
+}
+
+const pendingQueries = new Map<string, Promise<Permission[]>>();
+
+export async function clearAllPermissionsCache() {
+  await permissionCache.reset();
+  pendingQueries.clear();
+}
+
+export async function clearUserPermissionsCache(userId: string) {
+  await permissionCache.del(userId);
+  pendingQueries.delete(userId);
+}
+
+export async function invalidateUserPermissions(userId: string) {
+  await permissionCache.del(userId);
+  pendingQueries.delete(userId);
+}
+
+export { getFromCache, setToCache, pendingQueries };
+
+// ============================================================================
+// Permissions
+// ============================================================================
+
+interface ExtendedUser {
+  id: string;
+  name?: string | null;
+  email?: string | null;
+  image?: string | null;
+  roles?: string[];
+  permissions?: Permission[];
+}
+
+export function getUserPermissions(session: Session | null): Permission[] {
+  if (!session?.user) return [];
+  const user = session.user as ExtendedUser;
+
+  if (!user.permissions) {
+    return [];
+  }
+  return user.permissions;
+}
+
+const BYPASS_AUTH =
+  process.env.BYPASS_AUTH === "true" || process.env.BYPASS_AUTH === "1";
+
+const ADMIN_ROLE_CODES = ["admin", "SUPER_ADMIN"];
+
+export function getCrudPermissionsFromSession(
+  session: Session | null,
+  entity: string,
+): {
+  create: boolean;
+  view: boolean;
+  update: boolean;
+  delete: boolean;
+  export: boolean;
+  import: boolean;
+  approve: boolean;
+  reject: boolean;
+} {
+  if (BYPASS_AUTH) {
+    return {
+      create: true,
+      view: true,
+      update: true,
+      delete: true,
+      export: true,
+      import: true,
+      approve: true,
+      reject: true,
+    };
+  }
+
+  if (!session?.user) {
+    return {
+      create: false,
+      view: false,
+      update: false,
+      delete: false,
+      export: false,
+      import: false,
+      approve: false,
+      reject: false,
+    };
+  }
+
+  const user = session.user as ExtendedUser;
+
+  if (!user.id) {
+    return {
+      create: false,
+      view: false,
+      update: false,
+      delete: false,
+      export: false,
+      import: false,
+      approve: false,
+      reject: false,
+    };
+  }
+
+  const isAdmin = user.roles?.some((role) => ADMIN_ROLE_CODES.includes(role));
+  if (isAdmin) {
+    return {
+      create: true,
+      view: true,
+      update: true,
+      delete: true,
+      export: true,
+      import: true,
+      approve: true,
+      reject: true,
+    };
+  }
+
+  const permissions = user.permissions || [];
+  const permissionKeys = new Set(
+    permissions.map((p) => `${p.resourceCode}:${p.actionCode}`),
+  );
+
+  const hasPermission = (action: string) => {
+    const key = `${entity}:${action}`;
+    return permissionKeys.has(key);
+  };
+
+  return {
+    create: hasPermission(getActionCode("create")),
+    view: hasPermission(getActionCode("view")),
+    update: hasPermission(getActionCode("update")),
+    delete: hasPermission(getActionCode("delete")),
+    export: hasPermission(getActionCode("export")),
+    import: hasPermission(getActionCode("import")),
+    approve: hasPermission(getActionCode("approve")),
+    reject: hasPermission(getActionCode("reject")),
+  };
+}
+
+export function checkPermission(
+  session: Session | null,
+  resourceCode: string,
+  actionCode: string,
+): boolean {
+  if (BYPASS_AUTH) {
+    return true;
+  }
+
+  if (!session?.user) return false;
+  const user = session.user as ExtendedUser;
+
+  if (!user.permissions || user.permissions.length === 0) {
+    return false;
+  }
+
+  if (user.roles?.some((role) => ADMIN_ROLE_CODES.includes(role))) {
+    return true;
+  }
+
+  const permissionKey = `${resourceCode}:${actionCode}`;
+  return user.permissions.some(
+    (p) => p.resourceCode === resourceCode && p.actionCode === actionCode,
+  );
+}
+
+export function hasPermission(
+  session: Session | null,
+  resourceCode: string,
+  actionCode: string,
+): boolean {
+  return checkPermission(session, resourceCode, actionCode);
+}
+
+export function requirePermission(
+  session: Session | null,
+  resourceCode: string,
+  actionCode: string,
+): void {
+  if (!checkPermission(session, resourceCode, actionCode)) {
+    throw new Error(
+      `Unauthorized: User does not have permission ${actionCode} on ${resourceCode}`,
+    );
+  }
+}
+
+export function hasRole(session: Session | null, roleCode: string): boolean {
+  if (!session?.user) return false;
+  const user = session.user as ExtendedUser;
+
+  if (!user.roles) {
+    return false;
+  }
+  return user.roles.includes(roleCode);
+}
+
+export function hasAnyRole(
+  session: Session | null,
+  roleCodes: string[],
+): boolean {
+  if (!session?.user) return false;
+  const user = session.user as ExtendedUser;
+
+  if (!user.roles) {
+    return false;
+  }
+  return roleCodes.some((role) => user.roles!.includes(role));
+}
+export * from "./permission-service";
+export * from "./role-service";
+export * from "./resource-service";
+export * from "./resource-validator";
+export { RoleListPage } from "./pages/role-list-page";
+

package/src/rbac/lib/permission-helpers.ts

@@ -0,0 +1,63 @@
+import type { Role } from "../types";
+
+/**
+ * Helper function to get permission description
+ */
+export function getPermissionDescription(permission: string): string {
+  const descriptions: Record<string, string> = {
+    "dashboard:view": "Xem bảng điều khiển",
+    "users:view": "Xem danh sách người dùng",
+    "users:create": "Tạo người dùng mới",
+    "users:update": "Cập nhật thông tin người dùng",
+    "users:delete": "Xóa người dùng",
+    "roles:view": "Xem danh sách vai trò",
+    "roles:create": "Tạo vai trò mới",
+    "roles:update": "Cập nhật vai trò",
+    "roles:delete": "Xóa vai trò",
+    "reports:view": "Xem báo cáo",
+    "reconciliation:view": "Xem đối soát",
+    "reconciliation:manage": "Quản lý đối soát",
+    "payment:approve": "Duyệt thanh toán",
+    "supplier-pricing:view": "Xem giá nhà cung cấp",
+    "supplier-pricing:approve": "Duyệt giá nhà cung cấp",
+    "purchase-request:view": "Xem yêu cầu mua hàng",
+    "purchase-request:create": "Tạo yêu cầu mua hàng",
+    "purchase-request:update": "Cập nhật yêu cầu mua hàng",
+    "purchase-request:approve": "Duyệt yêu cầu mua hàng",
+    "purchase-order:view": "Xem đơn hàng mua",
+    "purchase-order:create": "Tạo đơn hàng mua",
+    "purchase-order:update": "Cập nhật đơn hàng mua",
+    "purchase-order:approve": "Duyệt đơn hàng mua",
+    "supplier:view": "Xem nhà cung cấp",
+    "supplier-pricing:update": "Cập nhật giá nhà cung cấp",
+    "material:view": "Xem nguyên vật liệu",
+    "material-category:view": "Xem nhóm nguyên vật liệu",
+    "warehouse:view": "Xem kho",
+    "goods-receipt:view": "Xem phiếu nhập kho",
+    "goods-receipt:create": "Tạo phiếu nhập kho",
+    "goods-receipt:update": "Cập nhật phiếu nhập kho",
+  };
+
+  return descriptions[permission] || `Quyền ${permission}`;
+}
+
+/**
+ * Get users who have a specific permission
+ */
+export function getUsersWithPermission(
+  permission: string,
+  roles: Role[],
+): Array<{ id: string; [key: string]: any }> {
+  const usersWithPermission: Array<{ id: string; [key: string]: any }> = [];
+
+  roles.forEach((role) => {
+    if (role.permissions.includes(permission)) {
+      usersWithPermission.push(...role.users);
+    }
+  });
+
+  // Remove duplicates by id
+  return Array.from(
+    new Map(usersWithPermission.map((u) => [u.id, u])).values(),
+  );
+}

package/src/rbac/pages/action-list-page.tsx

@@ -0,0 +1,25 @@
+import { EntityCrudPage } from "../../crud/pages/entity-crud-page";
+
+interface ActionListPageProps {
+  lang: string;
+  session: any;
+  dictionary: any;
+  config: any;
+}
+
+export function ActionListPage({
+  lang,
+  session,
+  dictionary,
+  config,
+}: ActionListPageProps) {
+  return (
+    <EntityCrudPage
+      entity="actions"
+      lang={lang}
+      session={session}
+      dictionary={dictionary}
+      config={config}
+    />
+  );
+}

package/src/rbac/pages/resource-list-page.tsx

@@ -0,0 +1,25 @@
+import { EntityCrudPage } from "../../crud/pages/entity-crud-page";
+
+interface ResourceListPageProps {
+  lang: string;
+  session: any;
+  dictionary: any;
+  config: any;
+}
+
+export function ResourceListPage({
+  lang,
+  session,
+  dictionary,
+  config,
+}: ResourceListPageProps) {
+  return (
+    <EntityCrudPage
+      entity="resources"
+      lang={lang}
+      session={session}
+      dictionary={dictionary}
+      config={config}
+    />
+  );
+}