@lenne.tech/nest-server 11.20.0 → 11.21.0
- package/dist/core/common/decorators/restricted.decorator.d.ts +1 -0
- package/dist/core/common/decorators/restricted.decorator.js +4 -1
- package/dist/core/common/decorators/restricted.decorator.js.map +1 -1
- package/dist/core/common/helpers/db.helper.d.ts +1 -1
- package/dist/core/common/helpers/db.helper.js +10 -4
- package/dist/core/common/helpers/db.helper.js.map +1 -1
- package/dist/core/common/helpers/input.helper.d.ts +1 -1
- package/dist/core/common/helpers/input.helper.js +6 -2
- package/dist/core/common/helpers/input.helper.js.map +1 -1
- package/dist/core/common/interceptors/check-security.interceptor.js +13 -1
- package/dist/core/common/interceptors/check-security.interceptor.js.map +1 -1
- package/dist/core/common/interfaces/server-options.interface.d.ts +4 -1
- package/dist/core/common/middleware/request-context.middleware.js +10 -6
- package/dist/core/common/middleware/request-context.middleware.js.map +1 -1
- package/dist/core/common/plugins/mongoose-tenant.plugin.js +40 -24
- package/dist/core/common/plugins/mongoose-tenant.plugin.js.map +1 -1
- package/dist/core/common/services/request-context.service.d.ts +3 -0
- package/dist/core/common/services/request-context.service.js.map +1 -1
- package/dist/core/modules/auth/guards/roles.guard.js +6 -10
- package/dist/core/modules/auth/guards/roles.guard.js.map +1 -1
- package/dist/core/modules/better-auth/better-auth-roles.guard.js +5 -6
- package/dist/core/modules/better-auth/better-auth-roles.guard.js.map +1 -1
- package/dist/core/modules/tenant/core-tenant-member.model.d.ts +11 -0
- package/dist/core/modules/tenant/core-tenant-member.model.js +106 -0
- package/dist/core/modules/tenant/core-tenant-member.model.js.map +1 -0
- package/dist/core/modules/tenant/core-tenant.decorators.d.ts +3 -0
- package/dist/core/modules/tenant/core-tenant.decorators.js +12 -0
- package/dist/core/modules/tenant/core-tenant.decorators.js.map +1 -0
- package/dist/core/modules/tenant/core-tenant.enums.d.ts +13 -0
- package/dist/core/modules/tenant/core-tenant.enums.js +25 -0
- package/dist/core/modules/tenant/core-tenant.enums.js.map +1 -0
- package/dist/core/modules/tenant/core-tenant.guard.d.ts +13 -0
- package/dist/core/modules/tenant/core-tenant.guard.js +162 -0
- package/dist/core/modules/tenant/core-tenant.guard.js.map +1 -0
- package/dist/core/modules/tenant/core-tenant.helpers.d.ts +7 -0
- package/dist/core/modules/tenant/core-tenant.helpers.js +60 -0
- package/dist/core/modules/tenant/core-tenant.helpers.js.map +1 -0
- package/dist/core/modules/tenant/core-tenant.module.d.ts +12 -0
- package/dist/core/modules/tenant/core-tenant.module.js +58 -0
- package/dist/core/modules/tenant/core-tenant.module.js.map +1 -0
- package/dist/core/modules/tenant/core-tenant.service.d.ts +17 -0
- package/dist/core/modules/tenant/core-tenant.service.js +160 -0
- package/dist/core/modules/tenant/core-tenant.service.js.map +1 -0
- package/dist/core.module.js +11 -0
- package/dist/core.module.js.map +1 -1
- package/dist/index.d.ts +7 -0
- package/dist/index.js +7 -0
- package/dist/index.js.map +1 -1
- package/dist/tsconfig.build.tsbuildinfo +1 -1
- package/package.json +12 -10
- package/src/core/common/decorators/restricted.decorator.ts +12 -2
- package/src/core/common/helpers/db.helper.ts +13 -6
- package/src/core/common/helpers/input.helper.ts +6 -2
- package/src/core/common/interceptors/check-security.interceptor.ts +17 -2
- package/src/core/common/interfaces/server-options.interface.ts +63 -30
- package/src/core/common/middleware/request-context.middleware.ts +12 -5
- package/src/core/common/plugins/mongoose-tenant.plugin.ts +78 -45
- package/src/core/common/services/request-context.service.ts +7 -1
- package/src/core/modules/auth/guards/roles.guard.ts +10 -10
- package/src/core/modules/better-auth/better-auth-roles.guard.ts +9 -6
- package/src/core/modules/tenant/INTEGRATION-CHECKLIST.md +165 -0
- package/src/core/modules/tenant/README.md +232 -0
- package/src/core/modules/tenant/core-tenant-member.model.ts +121 -0
- package/src/core/modules/tenant/core-tenant.decorators.ts +46 -0
- package/src/core/modules/tenant/core-tenant.enums.ts +77 -0
- package/src/core/modules/tenant/core-tenant.guard.ts +240 -0
- package/src/core/modules/tenant/core-tenant.helpers.ts +103 -0
- package/src/core/modules/tenant/core-tenant.module.ts +102 -0
- package/src/core/modules/tenant/core-tenant.service.ts +235 -0
- package/src/core.module.ts +15 -0
- package/src/index.ts +12 -0
|
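--- a/package/dist/core/modules/auth/guards/roles.guard.js
+++ b/package/dist/core/modules/auth/guards/roles.guard.js
@@ -22,6 +22,7 @@ const role_enum_1 = require("../../../common/enums/role.enum");
 const better_auth_token_service_1 = require("../../better-auth/better-auth-token.service");
 const core_better_auth_service_1 = require("../../better-auth/core-better-auth.service");
 const error_code_1 = require("../../error-code");
+const core_tenant_helpers_1 = require("../../tenant/core-tenant.helpers");
 const auth_guard_strategy_enum_1 = require("../auth-guard-strategy.enum");
 const expired_token_exception_1 = require("../exceptions/expired-token.exception");
 const invalid_token_exception_1 = require("../exceptions/invalid-token.exception");
@@ -78,11 +79,7 @@ let RolesGuard = RolesGuard_1 = class RolesGuard extends (0, auth_guard_1.AuthGu
 context.getHandler(),
 context.getClass(),
 ]);
-const roles = reflectorRoles
-? reflectorRoles[1]
-? [...reflectorRoles[0], ...reflectorRoles[1]]
-: reflectorRoles[0]
-: reflectorRoles[1];
+const roles = (0, core_tenant_helpers_1.mergeRolesMetadata)(reflectorRoles);
 if (roles && roles.includes(role_enum_1.RoleEnum.S_NO_ONE)) {
 throw new common_1.UnauthorizedException(error_code_1.ErrorCode.UNAUTHORIZED);
 }
@@ -174,11 +171,7 @@ let RolesGuard = RolesGuard_1 = class RolesGuard extends (0, auth_guard_1.AuthGu
 context.getHandler(),
 context.getClass(),
 ]);
-const roles = reflectorRoles
-? reflectorRoles[1]
-? [...reflectorRoles[0], ...reflectorRoles[1]]
-: reflectorRoles[0]
-: reflectorRoles[1];
+const roles = (0, core_tenant_helpers_1.mergeRolesMetadata)(reflectorRoles);
 if (roles && roles.includes(role_enum_1.RoleEnum.S_NO_ONE)) {
 throw new common_1.UnauthorizedException(error_code_1.ErrorCode.UNAUTHORIZED);
 }
@@ -189,6 +182,9 @@ let RolesGuard = RolesGuard_1 = class RolesGuard extends (0, auth_guard_1.AuthGu
 if ((user && roles.includes(role_enum_1.RoleEnum.S_USER)) || roles.includes(role_enum_1.RoleEnum.S_EVERYONE)) {
 return user;
 }
+if (user && (0, core_tenant_helpers_1.isMultiTenancyActive)() && roles.some((r) => !(0, core_tenant_helpers_1.isSystemRole)(r))) {
+return user;
+}
 if (!user) {
 if (err) {
 throw new invalid_token_exception_1.InvalidTokenException();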
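Review bot: The early return added at new lines 185–187 lets any authenticated user through this guard whenever multi-tenancy is active and the required roles contain at least one non-system role, so enforcement of those roles rests entirely on a later tenant guard (core-tenant.guard.js in the file list) that this section does not show. If that guard is not registered for the route, or the route carries the `skipTenantCheck` metadata defined in core-tenant.decorators.js, nothing visible on this path compares the user's roles with the requirement; whether `isSystemRole` classifies a global role such as an admin role as non-system cannot be confirmed from here and should be. I would make the pass-through conditional on the tenant check actually applying to the route, and state the dependency where the return happens, e.g. `// Non-system roles are NOT verified here; the tenant guard must run after this guard and enforce them.` The same unconditional pass-through is added to BetterAuthRolesGuard.canActivate (new lines 67–69 of better-auth-roles.guard.js). The enclosing method starts and ends outside the hunk.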
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"roles.guard.js","sourceRoot":"","sources":["../../../../../src/core/modules/auth/guards/roles.guard.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,2CAQwB;AACxB,uCAAoD;AACpD,6CAAsD;AACtD,+BAAoD;AAEpD,+DAA2D;AAC3D,2FAAqF;AAErF,yFAAmF;AACnF,iDAA6C;AAC7C,0EAAgE;AAChE,mFAA8E;AAC9E,mFAA8E;AAC9E,6CAAyC;AAuBlC,IAAM,UAAU,kBAAhB,MAAM,UAAW,SAAQ,IAAA,sBAAS,EAAC,4CAAiB,CAAC,GAAG,CAAC;IAmBtB;IACU;IAnBjC,MAAM,GAAG,IAAI,eAAM,CAAC,YAAU,CAAC,IAAI,CAAC,CAAC;IAC9C,iBAAiB,GAAiC,IAAI,CAAC;IACvD,YAAY,GAAkC,IAAI,CAAC;IACnD,gBAAgB,GAAG,KAAK,CAAC;IACzB,iBAAiB,GAAqB,IAAI,CAAC;IAanD,YACwC,SAAoB,EACV,SAAqB;QAErE,KAAK,EAAE,CAAC;QAH8B,cAAS,GAAT,SAAS,CAAW;QACV,cAAS,GAAT,SAAS,CAAY;IAGvE,CAAC;IAOO,eAAe;QACrB,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACnB,OAAO,IAAI,CAAC,SAAS,CAAC;QACxB,CAAC;QAED,IAAI,IAAI,CAAC,iBAAiB,EAAE,CAAC;YAC3B,OAAO,IAAI,CAAC,iBAAiB,CAAC;QAChC,CAAC;QAED,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACnB,IAAI,CAAC;gBACH,IAAI,CAAC,iBAAiB,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,gBAAS,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;gBAC1E,OAAO,IAAI,CAAC,iBAAiB,CAAC;YAChC,CAAC;YAAC,MAAM,CAAC;gBACP,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,4CAA4C,CAAC,CAAC;YAClE,CAAC;QACH,CAAC;QAED,MAAM,IAAI,KAAK,CAAC,iEAAiE,CAAC,CAAC;IACrF,CAAC;IAKO,eAAe;QACrB,IAAI,IAAI,CAAC,gBAAgB,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;YAC7C,OAAO;QACT,CAAC;QAED,IAAI,CAAC;YACH,IAAI,CAAC,iBAAiB,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,gDAAqB,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;QACxF,CAAC;QAAC,MAAM,CAAC;QAET,CAAC;QAED,IAAI,CAAC;YACH,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,kDAAsB,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;QACpF,CAAC;QAAC,MAAM,CAAC;QAET,CAAC;QAED,IAAI,CAAC,gBAAgB,GAAG,IAAI,CAAC;IAC/B,CAAC;IAcQ,KAAK,CAAC,WAAW,CAAC,OAAyB;QAElD,MAAM,cAAc,GAAG,IAAI,CAAC,eAAe,EAAE,CAAC,MAAM,CAAa,OAAO,EAAE;YACxE,OAAO,CAAC,UAAU,EAAE;YACpB,OAAO,CAAC,QAAQ,EAAE;SACnB,CAAC,CAAC;QACH,MAAM,KAAK,
|
|
1
|
+
{"version":3,"file":"roles.guard.js","sourceRoot":"","sources":["../../../../../src/core/modules/auth/guards/roles.guard.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,2CAQwB;AACxB,uCAAoD;AACpD,6CAAsD;AACtD,+BAAoD;AAEpD,+DAA2D;AAC3D,2FAAqF;AAErF,yFAAmF;AACnF,iDAA6C;AAC7C,0EAA0G;AAC1G,0EAAgE;AAChE,mFAA8E;AAC9E,mFAA8E;AAC9E,6CAAyC;AAuBlC,IAAM,UAAU,kBAAhB,MAAM,UAAW,SAAQ,IAAA,sBAAS,EAAC,4CAAiB,CAAC,GAAG,CAAC;IAmBtB;IACU;IAnBjC,MAAM,GAAG,IAAI,eAAM,CAAC,YAAU,CAAC,IAAI,CAAC,CAAC;IAC9C,iBAAiB,GAAiC,IAAI,CAAC;IACvD,YAAY,GAAkC,IAAI,CAAC;IACnD,gBAAgB,GAAG,KAAK,CAAC;IACzB,iBAAiB,GAAqB,IAAI,CAAC;IAanD,YACwC,SAAoB,EACV,SAAqB;QAErE,KAAK,EAAE,CAAC;QAH8B,cAAS,GAAT,SAAS,CAAW;QACV,cAAS,GAAT,SAAS,CAAY;IAGvE,CAAC;IAOO,eAAe;QACrB,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACnB,OAAO,IAAI,CAAC,SAAS,CAAC;QACxB,CAAC;QAED,IAAI,IAAI,CAAC,iBAAiB,EAAE,CAAC;YAC3B,OAAO,IAAI,CAAC,iBAAiB,CAAC;QAChC,CAAC;QAED,IAAI,IAAI,CAAC,SAAS,EAAE,CAAC;YACnB,IAAI,CAAC;gBACH,IAAI,CAAC,iBAAiB,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,gBAAS,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;gBAC1E,OAAO,IAAI,CAAC,iBAAiB,CAAC;YAChC,CAAC;YAAC,MAAM,CAAC;gBACP,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,4CAA4C,CAAC,CAAC;YAClE,CAAC;QACH,CAAC;QAED,MAAM,IAAI,KAAK,CAAC,iEAAiE,CAAC,CAAC;IACrF,CAAC;IAKO,eAAe;QACrB,IAAI,IAAI,CAAC,gBAAgB,IAAI,CAAC,IAAI,CAAC,SAAS,EAAE,CAAC;YAC7C,OAAO;QACT,CAAC;QAED,IAAI,CAAC;YACH,IAAI,CAAC,iBAAiB,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,gDAAqB,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;QACxF,CAAC;QAAC,MAAM,CAAC;QAET,CAAC;QAED,IAAI,CAAC;YACH,IAAI,CAAC,YAAY,GAAG,IAAI,CAAC,SAAS,CAAC,GAAG,CAAC,kDAAsB,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE,CAAC,CAAC;QACpF,CAAC;QAAC,MAAM,CAAC;QAET,CAAC;QAED,IAAI,CAAC,gBAAgB,GAAG,IAAI,CAAC;IAC/B,CAAC;IAcQ,KAAK,CAAC,WAAW,CAAC,OAAyB;QAElD,MAAM,cAAc,GAAG,IAAI,CAAC,eAAe,EAAE,CAAC,MAAM,CAAa,OAAO,EAAE;YACxE,OAAO,CAAC,UAAU,EAAE;YACpB,OAAO,CAAC,QAAQ,EAAE;SACnB,CAAC,CAAC;QACH,MAAM,KAAK,GAAG,IAAA,wCAAkB,EAAC,cAAc,CAAC,CAAC;QAGjD,IAAI,KAAK,IAAI,KAAK,CAAC,QAAQ,CAAC,oBAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC/C,MAAM,IAAI,8BAAqB,CAAC,sBAAS,CAAC,YAAY,CA
AC,CAAC;QAC1D,CAAC;QAID,IAAI,CAAC,KAAK,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,oBAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;YACrF,OAAO,IAAI,CAAC;QACd,CAAC;QAGD,IAAI,CAAC,eAAe,EAAE,CAAC;QAGvB,MAAM,OAAO,GAAG,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;QACzC,MAAM,YAAY,GAAG,OAAO,EAAE,IAAI,CAAC;QAGnC,IAAI,YAAY,IAAI,YAAY,CAAC,2BAA2B,KAAK,IAAI,EAAE,CAAC;YACtE,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,YAAY,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;YACtD,OAAO,IAAI,CAAC;QACd,CAAC;QAID,IAAI,IAAI,CAAC,iBAAiB,EAAE,SAAS,EAAE,EAAE,CAAC;YACxC,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,gCAAgC,CAAC,OAAO,CAAC,CAAC;YAClE,IAAI,IAAI,EAAE,CAAC;gBAET,IAAI,OAAO,EAAE,CAAC;oBACZ,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC;gBACtB,CAAC;gBAED,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;gBAC9C,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QAGD,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,KAAK,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;YAC1C,OAAO,IAAA,mBAAY,EAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,IAAA,qBAAc,EAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,MAAM,CAAC;QAC5E,CAAC;QAAC,OAAO,aAAa,EAAE,CAAC;YAGvB,MAAM,YAAY,GAAG,aAAa,YAAY,KAAK,CAAC,CAAC,CAAC,aAAa,CAAC,OAAO,CAAC,CAAC,CAAC,MAAM,CAAC,aAAa,CAAC,CAAC;YACpG,MAAM,eAAe,GAAG,YAAY,CAAC,QAAQ,CAAC,iCAAiC,CAAC,CAAC;YAGjF,IAAI,IAAI,CAAC,iBAAiB,EAAE,SAAS,EAAE,EAAE,CAAC;gBAGxC,IAAI,eAAe,EAAE,CAAC;oBACpB,MAAM,IAAI,+CAAqB,EAAE,CAAC;gBACpC,CAAC;gBAGD,MAAM,IAAI,GAAG,MAAM,IAAI,CAAC,gCAAgC,CAAC,OAAO,CAAC,CAAC;gBAClE,IAAI,IAAI,EAAE,CAAC;oBACT,IAAI,OAAO,EAAE,CAAC;wBACZ,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC;oBACtB,CAAC;oBACD,IAAI,CAAC,aAAa,CAAC,IAAI,EAAE,IAAI,EAAE,IAAI,EAAE,OAAO,CAAC,CAAC;oBAC9C,OAAO,IAAI,CAAC;gBACd,CAAC;YACH,CAAC;YAGD,MAAM,aAAa,CAAC;QACtB,CAAC;IACH,CAAC;IAWO,KAAK,CAAC,gCAAgC,CAAC,OAAyB;QACtE,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;YACvB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,CAAC;YAEH,MAAM,OAAO,GAAG,IAAI,CAAC,yBAAyB,CAAC,OAAO,CAAC,CAAC;YACxD,IAAI,CAAC,OAAO,EAAE,CAAC;gBACb,OAAO,IAAI,CAAC;YACd,CAAC;YAGD,MAAM,EAAE,KAAK,EAAE,GAAG,IAAI,CAAC,YAAY,CAAC,uBAAuB,CAAC,OAAO,CAAC,CAAC;YACrE,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,OAA
O,IAAI,CAAC;YACd,CAAC;YAGD,OAAO,MAAM,IAAI,CAAC,YAAY,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAC;QAC1D,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,KAAK,CACf,yCAAyC,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE,CACpG,CAAC;YACF,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IASO,yBAAyB,CAAC,OAAyB;QAKzD,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,6BAAmB,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YACvD,MAAM,GAAG,GAAG,UAAU,CAAC,UAAU,EAAE,CAAC;YACpC,IAAI,GAAG,EAAE,GAAG,EAAE,CAAC;gBACb,OAAO,GAAG,CAAC,GAAG,CAAC;YACjB,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;QAET,CAAC;QAGD,IAAI,CAAC;YACH,MAAM,WAAW,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC,UAAU,EAAE,CAAC;YACxD,IAAI,WAAW,EAAE,CAAC;gBAChB,OAAO,WAAW,CAAC;YACrB,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;QAET,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IAKQ,aAAa,CAAC,GAAiB,EAAE,IAAS,EAAE,IAAS,EAAE,OAAyB;QAEvF,MAAM,cAAc,GAAG,IAAI,CAAC,eAAe,EAAE,CAAC,MAAM,CAAa,OAAO,EAAE;YACxE,OAAO,CAAC,UAAU,EAAE;YACpB,OAAO,CAAC,QAAQ,EAAE;SACnB,CAAC,CAAC;QACH,MAAM,KAAK,GAAG,IAAA,wCAAkB,EAAC,cAAc,CAAC,CAAC;QAGjD,IAAI,KAAK,IAAI,KAAK,CAAC,QAAQ,CAAC,oBAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC/C,MAAM,IAAI,8BAAqB,CAAC,sBAAS,CAAC,YAAY,CAAC,CAAC;QAC1D,CAAC;QAGD,IAAI,CAAC,KAAK,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,EAAE,CAAC;YAC9C,OAAO,IAAI,CAAC;QACd,CAAC;QAGD,IAAI,CAAC,IAAI,EAAE,OAAO,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC;YAE5B,IAAI,CAAC,IAAI,IAAI,KAAK,CAAC,QAAQ,CAAC,oBAAQ,CAAC,MAAM,CAAC,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,oBAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;gBACrF,OAAO,IAAI,CAAC;YACd,CAAC;YAKD,IAAI,IAAI,IAAI,IAAA,0CAAoB,GAAE,IAAI,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAA,kCAAY,EAAC,CAAC,CAAC,CAAC,EAAE,CAAC;gBAC1E,OAAO,IAAI,CAAC;YACd,CAAC;YAGD,IAAI,CAAC,IAAI,EAAE,CAAC;gBACV,IAAI,GAAG,EAAE,CAAC;oBACR,MAAM,IAAI,+CAAqB,EAAE,CAAC;gBACpC,CAAC;gBACD,IAAI,IAAI,EAAE,IAAI,KAAK,mBAAmB,EAAE,CAAC;oBACvC,MAAM,IAAI,+CAAqB,EAAE,CAAC;gBACpC,CAAC;gBACD,MAAM,IAAI,8BAAqB,CAAC,sBAAS,CAAC,YAAY,CAAC,CAAC;YAC1D,CAAC;YAGD,MAAM,IAAI,2BAAkB,CAAC,sBAAS,CAAC,aAAa,CAAC,CAAC;QACxD,CAAC;QAGD,OAAO,IAAI,CAAC;IACd,CAAC;IAKD,UAAU,CAA
C,OAAyB;QAClC,MAAM,GAAG,GAAG,6BAAmB,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;QAIhD,OAAO,GAAG,CAAC,UAAU,EAAE,EAAE,GAAG,IAAI,OAAO,CAAC,YAAY,EAAE,CAAC,UAAU,EAAE,CAAC;IACtE,CAAC;CACF,CAAA;AA/SY,gCAAU;qBAAV,UAAU;IADtB,IAAA,mBAAU,GAAE;IAoBR,WAAA,IAAA,eAAM,EAAC,gBAAS,CAAC,CAAA;IACjB,WAAA,IAAA,iBAAQ,GAAE,CAAA;IAAE,WAAA,IAAA,eAAM,EAAC,gBAAS,CAAC,CAAA;qCADmB,gBAAS;QACE,gBAAS;GApB5D,UAAU,CA+StB"}
|
|
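--- a/package/dist/core/modules/better-auth/better-auth-roles.guard.js
+++ b/package/dist/core/modules/better-auth/better-auth-roles.guard.js
@@ -12,6 +12,7 @@ const common_1 = require("@nestjs/common");
 const graphql_1 = require("@nestjs/graphql");
 const role_enum_1 = require("../../common/enums/role.enum");
 const error_code_1 = require("../error-code");
+const core_tenant_helpers_1 = require("../tenant/core-tenant.helpers");
 const core_better_auth_module_1 = require("./core-better-auth.module");
 let BetterAuthRolesGuard = BetterAuthRolesGuard_1 = class BetterAuthRolesGuard {
 logger = new common_1.Logger(BetterAuthRolesGuard_1.name);
@@ -42,12 +43,7 @@ let BetterAuthRolesGuard = BetterAuthRolesGuard_1 = class BetterAuthRolesGuard {
 async canActivate(context) {
 const handlerRoles = Reflect.getMetadata('roles', context.getHandler());
 const classRoles = Reflect.getMetadata('roles', context.getClass());
-const
-const roles = reflectorRoles[0]
-? reflectorRoles[1]
-? [...reflectorRoles[0], ...reflectorRoles[1]]
-: reflectorRoles[0]
-: reflectorRoles[1];
+const roles = (0, core_tenant_helpers_1.mergeRolesMetadata)([handlerRoles, classRoles]);
 if (roles && roles.includes(role_enum_1.RoleEnum.S_NO_ONE)) {
 throw new common_1.UnauthorizedException(error_code_1.ErrorCode.UNAUTHORIZED);
 }
@@ -68,6 +64,9 @@ let BetterAuthRolesGuard = BetterAuthRolesGuard_1 = class BetterAuthRolesGuard {
 if (roles.includes(role_enum_1.RoleEnum.S_USER)) {
 return true;
 }
+if ((0, core_tenant_helpers_1.isMultiTenancyActive)() && roles.some((r) => !(0, core_tenant_helpers_1.isSystemRole)(r))) {
+return true;
+}
 if (roles.includes(role_enum_1.RoleEnum.S_SELF)) {
 const targetId = this.getTargetId(context);
 if (targetId && user.id === targetId) {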
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"better-auth-roles.guard.js","sourceRoot":"","sources":["../../../../src/core/modules/better-auth/better-auth-roles.guard.ts"],"names":[],"mappings":";;;;;;;;;;AAAA,2CAOwB;AACxB,6CAAsD;AAEtD,4DAAwD;AACxD,8CAA0C;
|
|
1
|
+
{"version":3,"file":"better-auth-roles.guard.js","sourceRoot":"","sources":["../../../../src/core/modules/better-auth/better-auth-roles.guard.ts"],"names":[],"mappings":";;;;;;;;;;AAAA,2CAOwB;AACxB,6CAAsD;AAEtD,4DAAwD;AACxD,8CAA0C;AAC1C,uEAAuG;AAGvG,uEAAiE;AAuB1D,IAAM,oBAAoB,4BAA1B,MAAM,oBAAoB;IACd,MAAM,GAAG,IAAI,eAAM,CAAC,sBAAoB,CAAC,IAAI,CAAC,CAAC;IACxD,YAAY,GAAkC,IAAI,CAAC;IAMnD,eAAe;QACrB,IAAI,CAAC,IAAI,CAAC,YAAY,EAAE,CAAC;YACvB,IAAI,CAAC,YAAY,GAAG,8CAAoB,CAAC,uBAAuB,EAAE,CAAC;QACrE,CAAC;QACD,OAAO,IAAI,CAAC,YAAY,CAAC;IAC3B,CAAC;IAMO,KAAK,CAAC,WAAW,CAAC,OAAY;QACpC,MAAM,YAAY,GAAG,IAAI,CAAC,eAAe,EAAE,CAAC;QAC5C,IAAI,CAAC,YAAY,EAAE,CAAC;YAClB,OAAO,IAAI,CAAC;QACd,CAAC;QAED,IAAI,CAAC;YACH,MAAM,EAAE,KAAK,EAAE,GAAG,YAAY,CAAC,uBAAuB,CAAC,OAAO,CAAC,CAAC;YAChE,IAAI,CAAC,KAAK,EAAE,CAAC;gBACX,OAAO,IAAI,CAAC;YACd,CAAC;YACD,OAAO,MAAM,YAAY,CAAC,iBAAiB,CAAC,KAAK,CAAC,CAAC;QACrD,CAAC;QAAC,OAAO,KAAK,EAAE,CAAC;YACf,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,8BAA8B,KAAK,YAAY,KAAK,CAAC,CAAC,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC,CAAC,eAAe,EAAE,CAAC,CAAC;YAC5G,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;IAED,KAAK,CAAC,WAAW,CAAC,OAAyB;QAGzC,MAAM,YAAY,GAAG,OAAO,CAAC,WAAW,CAAC,OAAO,EAAE,OAAO,CAAC,UAAU,EAAE,CAAyB,CAAC;QAChG,MAAM,UAAU,GAAG,OAAO,CAAC,WAAW,CAAC,OAAO,EAAE,OAAO,CAAC,QAAQ,EAAE,CAAyB,CAAC;QAG5F,MAAM,KAAK,GAAG,IAAA,wCAAkB,EAAC,CAAC,YAAY,EAAE,UAAU,CAAC,CAAC,CAAC;QAG7D,IAAI,KAAK,IAAI,KAAK,CAAC,QAAQ,CAAC,oBAAQ,CAAC,QAAQ,CAAC,EAAE,CAAC;YAC/C,MAAM,IAAI,8BAAqB,CAAC,sBAAS,CAAC,YAAY,CAAC,CAAC;QAC1D,CAAC;QAGD,IAAI,CAAC,KAAK,IAAI,CAAC,KAAK,CAAC,IAAI,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,oBAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;YACrF,OAAO,IAAI,CAAC;QACd,CAAC;QAGD,MAAM,OAAO,GAAG,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;QACzC,IAAI,IAAI,GAAG,OAAO,EAAE,IAAI,CAAC;QAIzB,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,IAAI,GAAG,MAAM,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;YACvC,IAAI,IAAI,IAAI,OAAO,EAAE,CAAC;gBAEpB,OAAO,CAAC,IAAI,GAAG,IAAI,CAAC;YACtB,CAAC;QACH,CAAC;QAGD,IAAI,CAAC,IAAI,EAAE,CAAC;YACV,MAAM,IAAI,8BAAqB,CAAC,sBAAS,CAA
C,YAAY,CAAC,CAAC;QAC1D,CAAC;QAGD,IAAI,KAAK,CAAC,QAAQ,CAAC,oBAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YACpC,OAAO,IAAI,CAAC;QACd,CAAC;QAKD,IAAI,IAAA,0CAAoB,GAAE,IAAI,KAAK,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAA,kCAAY,EAAC,CAAC,CAAC,CAAC,EAAE,CAAC;YAClE,OAAO,IAAI,CAAC;QACd,CAAC;QAGD,IAAI,KAAK,CAAC,QAAQ,CAAC,oBAAQ,CAAC,MAAM,CAAC,EAAE,CAAC;YAEpC,MAAM,QAAQ,GAAG,IAAI,CAAC,WAAW,CAAC,OAAO,CAAC,CAAC;YAC3C,IAAI,QAAQ,IAAI,IAAI,CAAC,EAAE,KAAK,QAAQ,EAAE,CAAC;gBACrC,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QAGD,IAAI,KAAK,CAAC,QAAQ,CAAC,oBAAQ,CAAC,SAAS,CAAC,EAAE,CAAC;YAIvC,IAAI,CAAC,MAAM,CAAC,KAAK,CAAC,2CAA2C,CAAC,CAAC;QACjE,CAAC;QAGD,IAAI,KAAK,CAAC,QAAQ,CAAC,oBAAQ,CAAC,UAAU,CAAC,EAAE,CAAC;YACxC,IAAI,CAAC,IAAI,CAAC,QAAQ,IAAI,CAAC,IAAI,CAAC,UAAU,IAAI,CAAC,IAAI,CAAC,aAAa,EAAE,CAAC;gBAC9D,MAAM,IAAI,2BAAkB,CAAC,sBAAS,CAAC,aAAa,CAAC,CAAC;YACxD,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC;QAGD,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC,KAAK,CAAC,EAAE,CAAC;YAC1B,OAAO,IAAI,CAAC;QACd,CAAC;QAGD,IAAI,IAAI,CAAC,KAAK,IAAI,KAAK,CAAC,OAAO,CAAC,IAAI,CAAC,KAAK,CAAC,EAAE,CAAC;YAC5C,MAAM,eAAe,GAAG,KAAK,CAAC,IAAI,CAAC,CAAC,IAAI,EAAE,EAAE,CAAC,IAAI,CAAC,KAAK,CAAC,QAAQ,CAAC,IAAI,CAAC,CAAC,CAAC;YACxE,IAAI,eAAe,EAAE,CAAC;gBACpB,OAAO,IAAI,CAAC;YACd,CAAC;QACH,CAAC;QAGD,MAAM,IAAI,2BAAkB,CAAC,sBAAS,CAAC,aAAa,CAAC,CAAC;IACxD,CAAC;IAMO,UAAU,CAAC,OAAyB;QAE1C,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,6BAAmB,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YACvD,MAAM,GAAG,GAAG,UAAU,CAAC,UAAU,EAAE,CAAC;YACpC,IAAI,GAAG,EAAE,GAAG,EAAE,CAAC;gBACb,OAAO,GAAG,CAAC,GAAG,CAAC;YACjB,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;QAET,CAAC;QAGD,OAAO,OAAO,CAAC,YAAY,EAAE,CAAC,UAAU,EAAE,CAAC;IAC7C,CAAC;IAKO,WAAW,CAAC,OAAyB;QAE3C,IAAI,CAAC;YACH,MAAM,UAAU,GAAG,6BAAmB,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YACvD,MAAM,IAAI,GAAG,UAAU,CAAC,OAAO,EAAE,CAAC;YAClC,IAAI,IAAI,EAAE,EAAE,EAAE,CAAC;gBACb,OAAO,IAAI,CAAC,EAAE,CAAC;YACjB,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;QAET,CAAC;QAGD,IAAI,CAAC;YACH,MAAM,OAAO,GAAG,OAAO,CAAC,YAAY,EAAE,CAAC,UAAU,EAAE,CAAC;YACpD,IAAI,OAAO,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;gBACxB,OAAO,OAAO,CAAC,MAAM,CAAC,EAAE
,CAAC;YAC3B,CAAC;QACH,CAAC;QAAC,MAAM,CAAC;QAET,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;CACF,CAAA;AAhLY,oDAAoB;+BAApB,oBAAoB;IADhC,IAAA,mBAAU,GAAE;GACA,oBAAoB,CAgLhC"}
|
|
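--- a/package/dist/core/modules/tenant/core-tenant-member.model.d.ts
+++ b/package/dist/core/modules/tenant/core-tenant-member.model.d.ts
@@ -0,0 +1,11 @@
+import { CorePersistenceModel } from '../../common/models/core-persistence.model';
+import { TenantMemberStatus } from './core-tenant.enums';
+export declare class CoreTenantMemberModel extends CorePersistenceModel {
+invitedBy: string;
+joinedAt: Date;
+role: string;
+status: TenantMemberStatus;
+tenant: string;
+user: string;
+securityCheck(user: any, force?: boolean): this;
+}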
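--- a/package/dist/core/modules/tenant/core-tenant-member.model.js
+++ b/package/dist/core/modules/tenant/core-tenant-member.model.js
@@ -0,0 +1,106 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CoreTenantMemberModel = void 0;
+const common_1 = require("@nestjs/common");
+const graphql_1 = require("@nestjs/graphql");
+const mongoose_1 = require("@nestjs/mongoose");
+const restricted_decorator_1 = require("../../common/decorators/restricted.decorator");
+const unified_field_decorator_1 = require("../../common/decorators/unified-field.decorator");
+const role_enum_1 = require("../../common/enums/role.enum");
+const core_persistence_model_1 = require("../../common/models/core-persistence.model");
+const request_context_service_1 = require("../../common/services/request-context.service");
+const core_tenant_enums_1 = require("./core-tenant.enums");
+const core_tenant_helpers_1 = require("./core-tenant.helpers");
+let CoreTenantMemberModel = class CoreTenantMemberModel extends core_persistence_model_1.CorePersistenceModel {
+invitedBy = undefined;
+joinedAt = undefined;
+role = undefined;
+status = undefined;
+tenant = undefined;
+user = undefined;
+securityCheck(user, force) {
+if (force)
+return this;
+if (!user)
+throw new common_1.UnauthorizedException('Access to tenant membership denied');
+if (user.id === this.user || user.hasRole?.(role_enum_1.RoleEnum.ADMIN))
+return this;
+const context = request_context_service_1.RequestContext.get();
+const tenantRole = context?.tenantRole;
+if (tenantRole &&
+(0, core_tenant_helpers_1.checkRoleAccess)([core_tenant_enums_1.DefaultHR.MANAGER], undefined, tenantRole) &&
+context?.tenantId === this.tenant) {
+return this;
+}
+throw new common_1.UnauthorizedException('Access to tenant membership denied');
+}
+};
+exports.CoreTenantMemberModel = CoreTenantMemberModel;
+__decorate([
+(0, unified_field_decorator_1.UnifiedField)({
+description: 'ID of the inviting user',
+isOptional: true,
+mongoose: { type: String },
+roles: role_enum_1.RoleEnum.S_USER,
+}),
+__metadata("design:type", String)
+], CoreTenantMemberModel.prototype, "invitedBy", void 0);
+__decorate([
+(0, unified_field_decorator_1.UnifiedField)({
+description: 'Date when the user joined',
+isOptional: true,
+mongoose: { type: Date },
+roles: role_enum_1.RoleEnum.S_USER,
+type: Date,
+}),
+__metadata("design:type", Date)
+], CoreTenantMemberModel.prototype, "joinedAt", void 0);
+__decorate([
+(0, unified_field_decorator_1.UnifiedField)({
+description: 'Tenant role',
+mongoose: { default: 'member', type: String },
+roles: role_enum_1.RoleEnum.S_USER,
+type: () => String,
+}),
+__metadata("design:type", String)
+], CoreTenantMemberModel.prototype, "role", void 0);
+__decorate([
+(0, unified_field_decorator_1.UnifiedField)({
+description: 'Membership status',
+mongoose: { default: core_tenant_enums_1.TenantMemberStatus.ACTIVE, enum: Object.values(core_tenant_enums_1.TenantMemberStatus), type: String },
+roles: role_enum_1.RoleEnum.S_USER,
+type: () => String,
+}),
+__metadata("design:type", String)
+], CoreTenantMemberModel.prototype, "status", void 0);
+__decorate([
+(0, unified_field_decorator_1.UnifiedField)({
+description: 'Tenant ID',
+mongoose: { index: true, type: String },
+roles: role_enum_1.RoleEnum.S_USER,
+}),
+__metadata("design:type", String)
+], CoreTenantMemberModel.prototype, "tenant", void 0);
+__decorate([
+(0, unified_field_decorator_1.UnifiedField)({
+description: 'User ID',
+mongoose: { index: true, type: String },
+roles: role_enum_1.RoleEnum.S_USER,
+}),
+__metadata("design:type", String)
+], CoreTenantMemberModel.prototype, "user", void 0);
+exports.CoreTenantMemberModel = CoreTenantMemberModel = __decorate([
+(0, graphql_1.ObjectType)({ description: 'Tenant membership', isAbstract: true }),
+(0, restricted_decorator_1.Restricted)(role_enum_1.RoleEnum.S_USER),
+(0, mongoose_1.Schema)({ timestamps: true })
+], CoreTenantMemberModel);
+//# sourceMappingURL=core-tenant-member.model.js.map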
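Review bot: Both identity comparisons in `securityCheck` succeed when the two sides are `undefined`: `user.id === this.user` at new line 35 and `context?.tenantId === this.tenant` at new line 41, and every field of the class is initialised to `undefined` (lines 24–29). A membership loaded with a projection that omits `user` or `tenant`, checked against a user object that has no `id`, would therefore be returned rather than rejected; how likely that is depends on callers not shown here. Requiring the stored value makes the check fail closed: `if ((this.user && user.id === this.user) || user.hasRole?.(role_enum_1.RoleEnum.ADMIN))` and `this.tenant && context?.tenantId === this.tenant`. Separately, line 44 answers an authenticated but unauthorised caller with `UnauthorizedException`, where `ForbiddenException` would keep 401 reserved for missing credentials.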
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"core-tenant-member.model.js","sourceRoot":"","sources":["../../../../src/core/modules/tenant/core-tenant-member.model.ts"],"names":[],"mappings":";;;;;;;;;;;;AAAA,2CAAuD;AACvD,6CAA6C;AAC7C,+CAA0C;AAE1C,uFAA0E;AAC1E,6FAA+E;AAC/E,4DAAwD;AACxD,uFAAkF;AAClF,2FAA+E;AAC/E,2DAAoE;AACpE,+DAAwD;AAajD,IAAM,qBAAqB,GAA3B,MAAM,qBAAsB,SAAQ,6CAAoB;IAU7D,SAAS,GAAW,SAAS,CAAC;IAY9B,QAAQ,GAAS,SAAS,CAAC;IAW3B,IAAI,GAAW,SAAS,CAAC;IAWzB,MAAM,GAAuB,SAAS,CAAC;IAUvC,MAAM,GAAW,SAAS,CAAC;IAU3B,IAAI,GAAW,SAAS,CAAC;IAWhB,aAAa,CAAC,IAAS,EAAE,KAAe;QAC/C,IAAI,KAAK;YAAE,OAAO,IAAI,CAAC;QACvB,IAAI,CAAC,IAAI;YAAE,MAAM,IAAI,8BAAqB,CAAC,oCAAoC,CAAC,CAAC;QAGjF,IAAI,IAAI,CAAC,EAAE,KAAK,IAAI,CAAC,IAAI,IAAI,IAAI,CAAC,OAAO,EAAE,CAAC,oBAAQ,CAAC,KAAK,CAAC;YAAE,OAAO,IAAI,CAAC;QAKzE,MAAM,OAAO,GAAG,wCAAc,CAAC,GAAG,EAAE,CAAC;QACrC,MAAM,UAAU,GAAG,OAAO,EAAE,UAAU,CAAC;QACvC,IACE,UAAU;YACV,IAAA,qCAAe,EAAC,CAAC,6BAAS,CAAC,OAAO,CAAC,EAAE,SAAS,EAAE,UAAU,CAAC;YAC3D,OAAO,EAAE,QAAQ,KAAK,IAAI,CAAC,MAAM,EACjC,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,IAAI,8BAAqB,CAAC,oCAAoC,CAAC,CAAC;IACxE,CAAC;CACF,CAAA;AAjGY,sDAAqB;AAUhC;IANC,IAAA,sCAAY,EAAC;QACZ,WAAW,EAAE,yBAAyB;QACtC,UAAU,EAAE,IAAI;QAChB,QAAQ,EAAE,EAAE,IAAI,EAAE,MAAM,EAAE;QAC1B,KAAK,EAAE,oBAAQ,CAAC,MAAM;KACvB,CAAC;;wDAC4B;AAY9B;IAPC,IAAA,sCAAY,EAAC;QACZ,WAAW,EAAE,2BAA2B;QACxC,UAAU,EAAE,IAAI;QAChB,QAAQ,EAAE,EAAE,IAAI,EAAE,IAAI,EAAE;QACxB,KAAK,EAAE,oBAAQ,CAAC,MAAM;QACtB,IAAI,EAAE,IAAI;KACX,CAAC;8BACQ,IAAI;uDAAa;AAW3B;IANC,IAAA,sCAAY,EAAC;QACZ,WAAW,EAAE,aAAa;QAC1B,QAAQ,EAAE,EAAE,OAAO,EAAE,QAAQ,EAAE,IAAI,EAAE,MAAM,EAAE;QAC7C,KAAK,EAAE,oBAAQ,CAAC,MAAM;QACtB,IAAI,EAAE,GAAG,EAAE,CAAC,MAAM;KACnB,CAAC;;mDACuB;AAWzB;IANC,IAAA,sCAAY,EAAC;QACZ,WAAW,EAAE,mBAAmB;QAChC,QAAQ,EAAE,EAAE,OAAO,EAAE,sCAAkB,CAAC,MAAM,EAAE,IAAI,EAAE,MAAM,CAAC,MAAM,CAAC,sCAAkB,CAAC,EAAE,IAAI,EAAE,MAAM,EAAE;QACvG,KAAK,EAAE,oBAAQ,CAAC,MAAM;QACtB,IAAI,EAAE,GAAG,EAAE,CAAC,MAAM;KACnB,CAAC;;qDACqC;AAUvC;IALC,IAAA,sCAAY,EAAC;QACZ,WAAW,EAAE,WAAW;QACxB,QAAQ,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,
MAAM,EAAE;QACvC,KAAK,EAAE,oBAAQ,CAAC,MAAM;KACvB,CAAC;;qDACyB;AAU3B;IALC,IAAA,sCAAY,EAAC;QACZ,WAAW,EAAE,SAAS;QACtB,QAAQ,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,IAAI,EAAE,MAAM,EAAE;QACvC,KAAK,EAAE,oBAAQ,CAAC,MAAM;KACvB,CAAC;;mDACuB;gCAhEd,qBAAqB;IAHjC,IAAA,oBAAU,EAAC,EAAE,WAAW,EAAE,mBAAmB,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC;IAClE,IAAA,iCAAU,EAAC,oBAAQ,CAAC,MAAM,CAAC;IAC3B,IAAA,iBAAM,EAAC,EAAE,UAAU,EAAE,IAAI,EAAE,CAAC;GAChB,qBAAqB,CAiGjC"}
|
|
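--- a/package/dist/core/modules/tenant/core-tenant.decorators.js
+++ b/package/dist/core/modules/tenant/core-tenant.decorators.js
@@ -0,0 +1,12 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CurrentTenant = exports.SkipTenantCheck = exports.SKIP_TENANT_CHECK_KEY = void 0;
+const common_1 = require("@nestjs/common");
+const request_context_service_1 = require("../../common/services/request-context.service");
+exports.SKIP_TENANT_CHECK_KEY = 'skipTenantCheck';
+const SkipTenantCheck = () => (0, common_1.SetMetadata)(exports.SKIP_TENANT_CHECK_KEY, true);
+exports.SkipTenantCheck = SkipTenantCheck;
+exports.CurrentTenant = (0, common_1.createParamDecorator)(() => {
+return request_context_service_1.RequestContext.get()?.tenantId;
+});
+//# sourceMappingURL=core-tenant.decorators.js.map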
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"core-tenant.decorators.js","sourceRoot":"","sources":["../../../../src/core/modules/tenant/core-tenant.decorators.ts"],"names":[],"mappings":";;;AAAA,2CAAmE;AAEnE,2FAA+E;AAKlE,QAAA,qBAAqB,GAAG,iBAAiB,CAAC;AAiBhD,MAAM,eAAe,GAAG,GAAG,EAAE,CAAC,IAAA,oBAAW,EAAC,6BAAqB,EAAE,IAAI,CAAC,CAAC;AAAjE,QAAA,eAAe,mBAAkD;AAmBjE,QAAA,aAAa,GAAG,IAAA,6BAAoB,EAAC,GAAuB,EAAE;IACzE,OAAO,wCAAc,CAAC,GAAG,EAAE,EAAE,QAAQ,CAAC;AACxC,CAAC,CAAC,CAAC"}
|
|
@@ -0,0 +1,13 @@
|
|
|
1
|
+
export declare const TENANT_MEMBER_MODEL_TOKEN = "TenantMember";
|
|
2
|
+
export declare enum TenantMemberStatus {
|
|
3
|
+
ACTIVE = "ACTIVE",
|
|
4
|
+
INVITED = "INVITED",
|
|
5
|
+
SUSPENDED = "SUSPENDED"
|
|
6
|
+
}
|
|
7
|
+
export declare const DEFAULT_ROLE_HIERARCHY: Record<string, number>;
|
|
8
|
+
export declare function createHierarchyRoles<T extends Record<string, number>>(hierarchy: T): {
|
|
9
|
+
[K in keyof T as Uppercase<string & K>]: string & K;
|
|
10
|
+
};
|
|
11
|
+
export declare const DefaultHR: {
|
|
12
|
+
[x: Uppercase<string>]: string;
|
|
13
|
+
};
|
|
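--- a/package/dist/core/modules/tenant/core-tenant.enums.js
+++ b/package/dist/core/modules/tenant/core-tenant.enums.js
@@ -0,0 +1,25 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DefaultHR = exports.DEFAULT_ROLE_HIERARCHY = exports.TenantMemberStatus = exports.TENANT_MEMBER_MODEL_TOKEN = void 0;
+exports.createHierarchyRoles = createHierarchyRoles;
+exports.TENANT_MEMBER_MODEL_TOKEN = 'TenantMember';
+var TenantMemberStatus;
+(function (TenantMemberStatus) {
+TenantMemberStatus["ACTIVE"] = "ACTIVE";
+TenantMemberStatus["INVITED"] = "INVITED";
+TenantMemberStatus["SUSPENDED"] = "SUSPENDED";
+})(TenantMemberStatus || (exports.TenantMemberStatus = TenantMemberStatus = {}));
+exports.DEFAULT_ROLE_HIERARCHY = {
+member: 1,
+manager: 2,
+owner: 3,
+};
+function createHierarchyRoles(hierarchy) {
+const result = {};
+for (const key of Object.keys(hierarchy)) {
+result[key.toUpperCase()] = key;
+}
+return result;
+}
+exports.DefaultHR = createHierarchyRoles(exports.DEFAULT_ROLE_HIERARCHY);
+//# sourceMappingURL=core-tenant.enums.js.map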
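Review bot: `DEFAULT_ROLE_HIERARCHY` is exported as a plain mutable object, and `getRoleHierarchy()` in core-tenant.helpers.js returns that same object when no `roleHierarchy` is configured, so any module that writes to it changes the level ordering used by the role checks for the whole process. Freezing it rules that out: `exports.DEFAULT_ROLE_HIERARCHY = Object.freeze({ member: 1, manager: 2, owner: 3 });`. `createHierarchyRoles` also maps keys that differ only in case onto the same upper-case entry, with the last one winning, which deserves a one-line comment.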
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"core-tenant.enums.js","sourceRoot":"","sources":["../../../../src/core/modules/tenant/core-tenant.enums.ts"],"names":[],"mappings":";;;AAuDA,oDAQC;AA3DY,QAAA,yBAAyB,GAAG,cAAc,CAAC;AAKxD,IAAY,kBAKX;AALD,WAAY,kBAAkB;IAC5B,uCAAiB,CAAA;IAEjB,yCAAmB,CAAA;IACnB,6CAAuB,CAAA;AACzB,CAAC,EALW,kBAAkB,kCAAlB,kBAAkB,QAK7B;AAmBY,QAAA,sBAAsB,GAA2B;IAC5D,MAAM,EAAE,CAAC;IACT,OAAO,EAAE,CAAC;IACV,KAAK,EAAE,CAAC;CACT,CAAC;AAkBF,SAAgB,oBAAoB,CAClC,SAAY;IAEZ,MAAM,MAAM,GAAG,EAAS,CAAC;IACzB,KAAK,MAAM,GAAG,IAAI,MAAM,CAAC,IAAI,CAAC,SAAS,CAAC,EAAE,CAAC;QACzC,MAAM,CAAC,GAAG,CAAC,WAAW,EAAE,CAAC,GAAG,GAAG,CAAC;IAClC,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC;AAaY,QAAA,SAAS,GAAG,oBAAoB,CAAC,8BAAsB,CAAC,CAAC"}
|
|
@@ -0,0 +1,13 @@
|
|
|
1
|
+
import { CanActivate, ExecutionContext } from '@nestjs/common';
|
|
2
|
+
import { Reflector } from '@nestjs/core';
|
|
3
|
+
import { Model } from 'mongoose';
|
|
4
|
+
import { CoreTenantMemberModel } from './core-tenant-member.model';
|
|
5
|
+
export declare class CoreTenantGuard implements CanActivate {
|
|
6
|
+
private readonly reflector;
|
|
7
|
+
private readonly memberModel;
|
|
8
|
+
private readonly logger;
|
|
9
|
+
constructor(reflector: Reflector, memberModel: Model<CoreTenantMemberModel>);
|
|
10
|
+
canActivate(context: ExecutionContext): Promise<boolean>;
|
|
11
|
+
private resolveUserTenantIds;
|
|
12
|
+
private getRequest;
|
|
13
|
+
}
|
|
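--- a/package/dist/core/modules/tenant/core-tenant.guard.js
+++ b/package/dist/core/modules/tenant/core-tenant.guard.js
@@ -0,0 +1,162 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+return function (target, key) { decorator(target, key, paramIndex); }
+};
+var CoreTenantGuard_1;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.CoreTenantGuard = void 0;
+const common_1 = require("@nestjs/common");
+const core_1 = require("@nestjs/core");
+const graphql_1 = require("@nestjs/graphql");
+const mongoose_1 = require("@nestjs/mongoose");
+const mongoose_2 = require("mongoose");
+const role_enum_1 = require("../../common/enums/role.enum");
+const config_service_1 = require("../../common/services/config.service");
+const core_tenant_decorators_1 = require("./core-tenant.decorators");
+const core_tenant_enums_1 = require("./core-tenant.enums");
+const core_tenant_helpers_1 = require("./core-tenant.helpers");
+let CoreTenantGuard = CoreTenantGuard_1 = class CoreTenantGuard {
+reflector;
+memberModel;
+logger = new common_1.Logger(CoreTenantGuard_1.name);
+constructor(reflector, memberModel) {
+this.reflector = reflector;
+this.memberModel = memberModel;
+}
+async canActivate(context) {
+const config = config_service_1.ConfigService.configFastButReadOnly?.multiTenancy;
+if (!config || config.enabled === false) {
+return true;
+}
+const request = this.getRequest(context);
+if (!request) {
+return true;
+}
+const headerName = (config.headerName ?? 'x-tenant-id').toLowerCase();
+const rawHeader = request.headers?.[headerName];
+const headerTenantId = rawHeader && typeof rawHeader === 'string' && rawHeader.length <= 128 ? rawHeader.trim() : undefined;
+const rolesMetadata = this.reflector.getAll('roles', [context.getHandler(), context.getClass()]);
+const roles = (0, core_tenant_helpers_1.mergeRolesMetadata)(rolesMetadata);
+const checkableRoles = roles.filter((r) => !(0, core_tenant_helpers_1.isSystemRole)(r));
+const minRequiredLevel = (0, core_tenant_helpers_1.getMinRequiredLevel)(checkableRoles);
+const user = request.user;
+const adminBypass = config.adminBypass !== false;
+const isAdmin = adminBypass && user?.roles?.includes(role_enum_1.RoleEnum.ADMIN);
+const skipTenantCheck = this.reflector.getAllAndOverride(core_tenant_decorators_1.SKIP_TENANT_CHECK_KEY, [
+context.getHandler(),
+context.getClass(),
+]);
+if (skipTenantCheck) {
+if (checkableRoles.length > 0 && user) {
+if (!isAdmin && !(0, core_tenant_helpers_1.checkRoleAccess)(checkableRoles, user.roles, undefined)) {
+throw new common_1.ForbiddenException('Insufficient role');
+}
+}
+return true;
+}
+if (headerTenantId) {
+if (isAdmin) {
+request.tenantId = headerTenantId;
+request.isAdminBypass = true;
+const requiredRole = checkableRoles.length > 0 ? checkableRoles.join(',') : 'none';
+this.logger.log(`Admin bypass: user ${user.id} accessing tenant ${headerTenantId} (required: ${requiredRole})`);
+return true;
+}
+if (!user) {
+throw new common_1.ForbiddenException('Authentication required for tenant access');
+}
+const membership = await this.memberModel
+.findOne({
+status: core_tenant_enums_1.TenantMemberStatus.ACTIVE,
+tenant: headerTenantId,
+user: user.id,
+})
+.lean()
+.exec();
+if (!membership) {
+throw new common_1.ForbiddenException('Not a member of this tenant');
+}
+const memberRole = membership.role;
+if (checkableRoles.length > 0) {
+if (!(0, core_tenant_helpers_1.checkRoleAccess)(checkableRoles, undefined, memberRole)) {
+throw new common_1.ForbiddenException('Insufficient tenant role');
+}
+}
+request.tenantId = headerTenantId;
+request.tenantRole = memberRole;
+return true;
+}
+if (isAdmin) {
+request.isAdminBypass = true;
+return true;
+}
+if (checkableRoles.length > 0) {
+if (!user) {
+throw new common_1.ForbiddenException('Authentication required');
+}
+if (!(0, core_tenant_helpers_1.checkRoleAccess)(checkableRoles, user.roles, undefined)) {
+throw new common_1.ForbiddenException('Insufficient role');
+}
+await this.resolveUserTenantIds(request, minRequiredLevel);
+return true;
+}
+if (user) {
+await this.resolveUserTenantIds(request);
+}
+return true;
+}
+async resolveUserTenantIds(request, minLevel) {
+if (request.tenantIds) {
+return;
+}
+const memberships = await this.memberModel
+.find({
+status: core_tenant_enums_1.TenantMemberStatus.ACTIVE,
+user: request.user.id,
+})
+.select('tenant role')
+.lean()
+.exec();
+if (minLevel !== undefined) {
+const hierarchy = (0, core_tenant_helpers_1.getRoleHierarchy)();
+request.tenantIds = memberships
+.filter((m) => {
+const level = hierarchy[m.role] ?? 0;
+return level >= minLevel;
+})
+.map((m) => m.tenant);
+}
+else {
+request.tenantIds = memberships.map((m) => m.tenant);
+}
+}
+getRequest(context) {
+if (context.getType() === 'graphql') {
+const ctx = graphql_1.GqlExecutionContext.create(context);
+return ctx.getContext()?.req;
+}
+try {
+return context.switchToHttp().getRequest();
+}
+catch {
+return null;
+}
+}
+};
+exports.CoreTenantGuard = CoreTenantGuard;
+exports.CoreTenantGuard = CoreTenantGuard = CoreTenantGuard_1 = __decorate([
+(0, common_1.Injectable)(),
+__param(1, (0, mongoose_1.InjectModel)(core_tenant_enums_1.TENANT_MEMBER_MODEL_TOKEN)),
+__metadata("design:paramtypes", [core_1.Reflector,
+mongoose_2.Model])
+], CoreTenantGuard);
+//# sourceMappingURL=core-tenant.guard.js.map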
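Review bot: `resolveUserTenantIds` returns as soon as `request.tenantIds` is set (`if (request.tenantIds) { return; }`), so the `minLevel` filter further down is skipped on every later call for the same request object. If one request can pass through `canActivate` more than once with different role requirements — which looks possible on the GraphQL path, where `getRequest` returns the shared `ctx.getContext()?.req` — a list resolved without a level stays in place for a handler that requires a higher one. I would drop the early return, or cache the unfiltered membership rows and re-apply the level filter on each call. Separately, in `canActivate` a tenant header that is not a string or is longer than 128 characters becomes `undefined` and is then handled as if no header had been sent; rejecting it explicitly would be clearer than falling through.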
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"core-tenant.guard.js","sourceRoot":"","sources":["../../../../src/core/modules/tenant/core-tenant.guard.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;AAAA,2CAAuG;AACvG,uCAAyC;AACzC,6CAAsE;AACtE,+CAA+C;AAC/C,uCAAiC;AAEjC,4DAAwD;AACxD,yEAAqE;AAErE,qEAAiE;AACjE,2DAAoF;AACpF,+DAM+B;AA2CxB,IAAM,eAAe,uBAArB,MAAM,eAAe;IAIP;IACwC;IAJ1C,MAAM,GAAG,IAAI,eAAM,CAAC,iBAAe,CAAC,IAAI,CAAC,CAAC;IAE3D,YACmB,SAAoB,EACoB,WAAyC;QADjF,cAAS,GAAT,SAAS,CAAW;QACoB,gBAAW,GAAX,WAAW,CAA8B;IACjG,CAAC;IAEJ,KAAK,CAAC,WAAW,CAAC,OAAyB;QACzC,MAAM,MAAM,GAAG,8BAAa,CAAC,qBAAqB,EAAE,YAAY,CAAC;QACjE,IAAI,CAAC,MAAM,IAAI,MAAM,CAAC,OAAO,KAAK,KAAK,EAAE,CAAC;YACxC,OAAO,IAAI,CAAC;QACd,CAAC;QAED,MAAM,OAAO,GAAG,IAAI,CAAC,UAAU,CAAC,OAAO,CAAC,CAAC;QACzC,IAAI,CAAC,OAAO,EAAE,CAAC;YACb,OAAO,IAAI,CAAC;QACd,CAAC;QAGD,MAAM,UAAU,GAAG,CAAC,MAAM,CAAC,UAAU,IAAI,aAAa,CAAC,CAAC,WAAW,EAAE,CAAC;QACtE,MAAM,SAAS,GAAG,OAAO,CAAC,OAAO,EAAE,CAAC,UAAU,CAAuB,CAAC;QACtE,MAAM,cAAc,GAClB,SAAS,IAAI,OAAO,SAAS,KAAK,QAAQ,IAAI,SAAS,CAAC,MAAM,IAAI,GAAG,CAAC,CAAC,CAAC,SAAS,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,SAAS,CAAC;QAGvG,MAAM,aAAa,GAAG,IAAI,CAAC,SAAS,CAAC,MAAM,CAAa,OAAO,EAAE,CAAC,OAAO,CAAC,UAAU,EAAE,EAAE,OAAO,CAAC,QAAQ,EAAE,CAAC,CAAC,CAAC;QAC7G,MAAM,KAAK,GAAG,IAAA,wCAAkB,EAAC,aAAa,CAAC,CAAC;QAChD,MAAM,cAAc,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAA,kCAAY,EAAC,CAAC,CAAC,CAAC,CAAC;QAC7D,MAAM,gBAAgB,GAAG,IAAA,yCAAmB,EAAC,cAAc,CAAC,CAAC;QAE7D,MAAM,IAAI,GAAG,OAAO,CAAC,IAAI,CAAC;QAC1B,MAAM,WAAW,GAAG,MAAM,CAAC,WAAW,KAAK,KAAK,CAAC;QACjD,MAAM,OAAO,GAAG,WAAW,IAAI,IAAI,EAAE,KAAK,EAAE,QAAQ,CAAC,oBAAQ,CAAC,KAAK,CAAC,CAAC;QAGrE,MAAM,eAAe,GAAG,IAAI,CAAC,SAAS,CAAC,iBAAiB,CAAU,8CAAqB,EAAE;YACvF,OAAO,CAAC,UAAU,EAAE;YACpB,OAAO,CAAC,QAAQ,EAAE;SACnB,CAAC,CAAC;QACH,IAAI,eAAe,EAAE,CAAC;YACpB,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,IAAI,IAAI,EAAE,CAAC;gBACtC,IAAI,CAAC,OAAO,IAAI,CAAC,IAAA,qCAAe,EAAC,cAAc,EAAE,IAAI,CAAC,KAAK,EAAE,SAAS,CAAC,EAAE,CAAC;oBACxE,MAAM,IAAI,2BAAkB,CAAC,mBAAmB,CAAC,CAAC;gBACpD,CAAC;YACH,CAAC;YACD,OAAO,IAAI,CAAC;QACd,CAAC;QAG
D,IAAI,cAAc,EAAE,CAAC;YAGnB,IAAI,OAAO,EAAE,CAAC;gBACZ,OAAO,CAAC,QAAQ,GAAG,cAAc,CAAC;gBAClC,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC;gBAC7B,MAAM,YAAY,GAAG,cAAc,CAAC,MAAM,GAAG,CAAC,CAAC,CAAC,CAAC,cAAc,CAAC,IAAI,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC;gBACnF,IAAI,CAAC,MAAM,CAAC,GAAG,CAAC,sBAAsB,IAAI,CAAC,EAAE,qBAAqB,cAAc,eAAe,YAAY,GAAG,CAAC,CAAC;gBAChH,OAAO,IAAI,CAAC;YACd,CAAC;YAGD,IAAI,CAAC,IAAI,EAAE,CAAC;gBACV,MAAM,IAAI,2BAAkB,CAAC,2CAA2C,CAAC,CAAC;YAC5E,CAAC;YAGD,MAAM,UAAU,GAAG,MAAM,IAAI,CAAC,WAAW;iBACtC,OAAO,CAAC;gBACP,MAAM,EAAE,sCAAkB,CAAC,MAAM;gBACjC,MAAM,EAAE,cAAc;gBACtB,IAAI,EAAE,IAAI,CAAC,EAAE;aACd,CAAC;iBACD,IAAI,EAAE;iBACN,IAAI,EAAE,CAAC;YAEV,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,MAAM,IAAI,2BAAkB,CAAC,6BAA6B,CAAC,CAAC;YAC9D,CAAC;YAED,MAAM,UAAU,GAAG,UAAU,CAAC,IAAc,CAAC;YAG7C,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;gBAC9B,IAAI,CAAC,IAAA,qCAAe,EAAC,cAAc,EAAE,SAAS,EAAE,UAAU,CAAC,EAAE,CAAC;oBAC5D,MAAM,IAAI,2BAAkB,CAAC,0BAA0B,CAAC,CAAC;gBAC3D,CAAC;YACH,CAAC;YAID,OAAO,CAAC,QAAQ,GAAG,cAAc,CAAC;YAClC,OAAO,CAAC,UAAU,GAAG,UAAU,CAAC;YAChC,OAAO,IAAI,CAAC;QACd,CAAC;QAKD,IAAI,OAAO,EAAE,CAAC;YACZ,OAAO,CAAC,aAAa,GAAG,IAAI,CAAC;YAC7B,OAAO,IAAI,CAAC;QACd,CAAC;QAGD,IAAI,cAAc,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YAE9B,IAAI,CAAC,IAAI,EAAE,CAAC;gBACV,MAAM,IAAI,2BAAkB,CAAC,yBAAyB,CAAC,CAAC;YAC1D,CAAC;YAGD,IAAI,CAAC,IAAA,qCAAe,EAAC,cAAc,EAAE,IAAI,CAAC,KAAK,EAAE,SAAS,CAAC,EAAE,CAAC;gBAC5D,MAAM,IAAI,2BAAkB,CAAC,mBAAmB,CAAC,CAAC;YACpD,CAAC;YAGD,MAAM,IAAI,CAAC,oBAAoB,CAAC,OAAO,EAAE,gBAAgB,CAAC,CAAC;YAC3D,OAAO,IAAI,CAAC;QACd,CAAC;QAID,IAAI,IAAI,EAAE,CAAC;YACT,MAAM,IAAI,CAAC,oBAAoB,CAAC,OAAO,CAAC,CAAC;QAC3C,CAAC;QAED,OAAO,IAAI,CAAC;IACd,CAAC;IASO,KAAK,CAAC,oBAAoB,CAAC,OAAY,EAAE,QAAiB;QAEhE,IAAI,OAAO,CAAC,SAAS,EAAE,CAAC;YACtB,OAAO;QACT,CAAC;QAED,MAAM,WAAW,GAAG,MAAM,IAAI,CAAC,WAAW;aACvC,IAAI,CAAC;YACJ,MAAM,EAAE,sCAAkB,CAAC,MAAM;YACjC,IAAI,EAAE,OAAO,CAAC,IAAI,CAAC,EAAE;SACtB,CAAC;aACD,MAAM,CAAC,aAAa,CAAC;aACrB,IAAI,EAAE;aACN,IAAI,EAAE,CAAC;QAEV,IAAI,QAAQ,KAAK,SAAS,EAAE,CAAC;YAC3B,MAAM,SAAS,GAAG,IAAA,sCAAgB,GAAE,CAA
C;YACrC,OAAO,CAAC,SAAS,GAAG,WAAW;iBAC5B,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE;gBACZ,MAAM,KAAK,GAAG,SAAS,CAAC,CAAC,CAAC,IAAc,CAAC,IAAI,CAAC,CAAC;gBAC/C,OAAO,KAAK,IAAI,QAAQ,CAAC;YAC3B,CAAC,CAAC;iBACD,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;QAC1B,CAAC;aAAM,CAAC;YACN,OAAO,CAAC,SAAS,GAAG,WAAW,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;QACvD,CAAC;IACH,CAAC;IAKO,UAAU,CAAC,OAAyB;QAC1C,IAAI,OAAO,CAAC,OAAO,EAAkB,KAAK,SAAS,EAAE,CAAC;YACpD,MAAM,GAAG,GAAG,6BAAmB,CAAC,MAAM,CAAC,OAAO,CAAC,CAAC;YAChD,OAAO,GAAG,CAAC,UAAU,EAAE,EAAE,GAAG,CAAC;QAC/B,CAAC;QACD,IAAI,CAAC;YACH,OAAO,OAAO,CAAC,YAAY,EAAE,CAAC,UAAU,EAAE,CAAC;QAC7C,CAAC;QAAC,MAAM,CAAC;YACP,OAAO,IAAI,CAAC;QACd,CAAC;IACH,CAAC;CACF,CAAA;AAnLY,0CAAe;0BAAf,eAAe;IAD3B,IAAA,mBAAU,GAAE;IAMR,WAAA,IAAA,sBAAW,EAAC,6CAAyB,CAAC,CAAA;qCADX,gBAAS;QACiC,gBAAK;GALlE,eAAe,CAmL3B"}
|
|
@@ -0,0 +1,7 @@
|
|
|
1
|
+
export declare function mergeRolesMetadata(meta: (string[] | undefined)[]): string[];
|
|
2
|
+
export declare function getRoleHierarchy(): Record<string, number>;
|
|
3
|
+
export declare function isSystemRole(role: string): boolean;
|
|
4
|
+
export declare function isMultiTenancyActive(): boolean;
|
|
5
|
+
export declare function isHierarchyRole(role: string): boolean;
|
|
6
|
+
export declare function getMinRequiredLevel(roles: string[]): number | undefined;
|
|
7
|
+
export declare function checkRoleAccess(requiredRoles: string[], userRoles?: string[], tenantRole?: string): boolean;
|
|
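--- a/package/dist/core/modules/tenant/core-tenant.helpers.js
+++ b/package/dist/core/modules/tenant/core-tenant.helpers.js
@@ -0,0 +1,60 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.mergeRolesMetadata = mergeRolesMetadata;
+exports.getRoleHierarchy = getRoleHierarchy;
+exports.isSystemRole = isSystemRole;
+exports.isMultiTenancyActive = isMultiTenancyActive;
+exports.isHierarchyRole = isHierarchyRole;
+exports.getMinRequiredLevel = getMinRequiredLevel;
+exports.checkRoleAccess = checkRoleAccess;
+const config_service_1 = require("../../common/services/config.service");
+const core_tenant_enums_1 = require("./core-tenant.enums");
+const SYSTEM_ROLE_PREFIX = 's_';
+function mergeRolesMetadata(meta) {
+return meta[0] ? (meta[1] ? [...meta[0], ...meta[1]] : meta[0]) : meta[1] || [];
+}
+function getRoleHierarchy() {
+return config_service_1.ConfigService.configFastButReadOnly?.multiTenancy?.roleHierarchy ?? core_tenant_enums_1.DEFAULT_ROLE_HIERARCHY;
+}
+function isSystemRole(role) {
+return role.startsWith(SYSTEM_ROLE_PREFIX);
+}
+function isMultiTenancyActive() {
+const config = config_service_1.ConfigService.configFastButReadOnly?.multiTenancy;
+return !!config && config.enabled !== false;
+}
+function isHierarchyRole(role) {
+if (!isMultiTenancyActive())
+return false;
+const hierarchy = getRoleHierarchy();
+return role in hierarchy;
+}
+function getMinRequiredLevel(roles) {
+const hierarchy = getRoleHierarchy();
+const levels = roles.filter((r) => r in hierarchy).map((r) => hierarchy[r]);
+if (levels.length === 0)
+return undefined;
+return Math.min(...levels);
+}
+function checkRoleAccess(requiredRoles, userRoles, tenantRole) {
+const availableRoles = tenantRole ? [tenantRole] : (userRoles ?? []);
+if (availableRoles.length === 0)
+return false;
+const multiTenancyActive = isMultiTenancyActive();
+const hierarchy = multiTenancyActive ? getRoleHierarchy() : {};
+const hierarchyRequired = requiredRoles.filter((r) => r in hierarchy);
+const nonHierarchyRequired = requiredRoles.filter((r) => !(r in hierarchy));
+if (hierarchyRequired.length === 0 && nonHierarchyRequired.length === 0)
+return true;
+if (hierarchyRequired.length > 0) {
+const minRequired = Math.min(...hierarchyRequired.map((r) => hierarchy[r]));
+if (availableRoles.some((r) => r in hierarchy && hierarchy[r] >= minRequired))
+return true;
+}
+if (nonHierarchyRequired.length > 0) {
+if (nonHierarchyRequired.some((r) => availableRoles.includes(r)))
+return true;
+}
+return false;
+}
+//# sourceMappingURL=core-tenant.helpers.js.map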
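Review bot: The role lookups use the `in` operator on a plain object (`role in hierarchy` in `isHierarchyRole`, `r in hierarchy` in `getMinRequiredLevel` and `checkRoleAccess`), which also matches inherited keys such as `constructor` or `toString`. For those names `isHierarchyRole` returns true and `hierarchy[r]` is a function rather than a level, so `Math.min` yields `NaN`; the level comparisons then come out false, but that is a side effect of number coercion and not a stated rule. An own-property test expresses the intent directly, e.g. `return Object.hasOwn(hierarchy, role);` and `roles.filter((r) => Object.hasOwn(hierarchy, r))`. It would also help to check that every value of a configured `roleHierarchy` is a finite number before levels are compared.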
|
|
@@ -0,0 +1 @@
|
|
|
1
|
+
{"version":3,"file":"core-tenant.helpers.js","sourceRoot":"","sources":["../../../../src/core/modules/tenant/core-tenant.helpers.ts"],"names":[],"mappings":";;AAWA,gDAEC;AAKD,4CAEC;AAMD,oCAEC;AAKD,oDAGC;AAMD,0CAIC;AAOD,kDAKC;AAkBD,0CA0BC;AAtGD,yEAAqE;AACrE,2DAA6D;AAE7D,MAAM,kBAAkB,GAAG,IAAI,CAAC;AAQhC,SAAgB,kBAAkB,CAAC,IAA8B;IAC/D,OAAO,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,GAAG,IAAI,CAAC,CAAC,CAAC,EAAE,GAAG,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,IAAI,CAAC,CAAC,CAAC,IAAI,EAAE,CAAC;AAClF,CAAC;AAKD,SAAgB,gBAAgB;IAC9B,OAAO,8BAAa,CAAC,qBAAqB,EAAE,YAAY,EAAE,aAAa,IAAI,0CAAsB,CAAC;AACpG,CAAC;AAMD,SAAgB,YAAY,CAAC,IAAY;IACvC,OAAO,IAAI,CAAC,UAAU,CAAC,kBAAkB,CAAC,CAAC;AAC7C,CAAC;AAKD,SAAgB,oBAAoB;IAClC,MAAM,MAAM,GAAG,8BAAa,CAAC,qBAAqB,EAAE,YAAY,CAAC;IACjE,OAAO,CAAC,CAAC,MAAM,IAAI,MAAM,CAAC,OAAO,KAAK,KAAK,CAAC;AAC9C,CAAC;AAMD,SAAgB,eAAe,CAAC,IAAY;IAC1C,IAAI,CAAC,oBAAoB,EAAE;QAAE,OAAO,KAAK,CAAC;IAC1C,MAAM,SAAS,GAAG,gBAAgB,EAAE,CAAC;IACrC,OAAO,IAAI,IAAI,SAAS,CAAC;AAC3B,CAAC;AAOD,SAAgB,mBAAmB,CAAC,KAAe;IACjD,MAAM,SAAS,GAAG,gBAAgB,EAAE,CAAC;IACrC,MAAM,MAAM,GAAG,KAAK,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,SAAS,CAAC,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC;IAC5E,IAAI,MAAM,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,SAAS,CAAC;IAC1C,OAAO,IAAI,CAAC,GAAG,CAAC,GAAG,MAAM,CAAC,CAAC;AAC7B,CAAC;AAkBD,SAAgB,eAAe,CAAC,aAAuB,EAAE,SAAoB,EAAE,UAAmB;IAChG,MAAM,cAAc,GAAG,UAAU,CAAC,CAAC,CAAC,CAAC,UAAU,CAAC,CAAC,CAAC,CAAC,CAAC,SAAS,IAAI,EAAE,CAAC,CAAC;IACrE,IAAI,cAAc,CAAC,MAAM,KAAK,CAAC;QAAE,OAAO,KAAK,CAAC;IAG9C,MAAM,kBAAkB,GAAG,oBAAoB,EAAE,CAAC;IAClD,MAAM,SAAS,GAAG,kBAAkB,CAAC,CAAC,CAAC,gBAAgB,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IAC/D,MAAM,iBAAiB,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,SAAS,CAAC,CAAC;IACtE,MAAM,oBAAoB,GAAG,aAAa,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,SAAS,CAAC,CAAC,CAAC;IAE5E,IAAI,iBAAiB,CAAC,MAAM,KAAK,CAAC,IAAI,oBAAoB,CAAC,MAAM,KAAK,CAAC;QAAE,
OAAO,IAAI,CAAC;IAKrF,IAAI,iBAAiB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACjC,MAAM,WAAW,GAAG,IAAI,CAAC,GAAG,CAAC,GAAG,iBAAiB,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,SAAS,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC;QAC5E,IAAI,cAAc,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,CAAC,IAAI,SAAS,IAAI,SAAS,CAAC,CAAC,CAAC,IAAI,WAAW,CAAC;YAAE,OAAO,IAAI,CAAC;IAC7F,CAAC;IAGD,IAAI,oBAAoB,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;QACpC,IAAI,oBAAoB,CAAC,IAAI,CAAC,CAAC,CAAC,EAAE,EAAE,CAAC,cAAc,CAAC,QAAQ,CAAC,CAAC,CAAC,CAAC;YAAE,OAAO,IAAI,CAAC;IAChF,CAAC;IAED,OAAO,KAAK,CAAC;AACf,CAAC"}
|
|
@@ -0,0 +1,12 @@
|
|
|
1
|
+
import { CanActivate, DynamicModule, Type } from '@nestjs/common';
|
|
2
|
+
import { CoreTenantMemberModel } from './core-tenant-member.model';
|
|
3
|
+
import { CoreTenantService } from './core-tenant.service';
|
|
4
|
+
export interface CoreTenantModuleOptions {
|
|
5
|
+
memberModel?: Type<CoreTenantMemberModel>;
|
|
6
|
+
guard?: Type<CanActivate>;
|
|
7
|
+
service?: Type<CoreTenantService>;
|
|
8
|
+
modelName?: string;
|
|
9
|
+
}
|
|
10
|
+
export declare class CoreTenantModule {
|
|
11
|
+
static forRoot(options?: CoreTenantModuleOptions): DynamicModule;
|
|
12
|
+
}
|