npm - @solidxai/core - Versions diffs - 0.1.8-beta.9 → 0.1.8 - Mend

@solidxai/core 0.1.8-beta.9 → 0.1.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (131) hide show

package/README.md +197 -0
package/dist/controllers/authentication.controller.d.ts +32 -2
package/dist/controllers/authentication.controller.d.ts.map +1 -1
package/dist/controllers/authentication.controller.js +80 -3
package/dist/controllers/authentication.controller.js.map +1 -1
package/dist/dtos/create-api-key.dto.d.ts +5 -0
package/dist/dtos/create-api-key.dto.d.ts.map +1 -0
package/dist/dtos/create-api-key.dto.js +34 -0
package/dist/dtos/create-api-key.dto.js.map +1 -0
package/dist/dtos/register-private.dto.d.ts +3 -5
package/dist/dtos/register-private.dto.d.ts.map +1 -1
package/dist/dtos/register-private.dto.js +6 -18
package/dist/dtos/register-private.dto.js.map +1 -1
package/dist/dtos/sso-exchange.dto.d.ts +4 -0
package/dist/dtos/sso-exchange.dto.d.ts.map +1 -0
package/dist/dtos/sso-exchange.dto.js +26 -0
package/dist/dtos/sso-exchange.dto.js.map +1 -0
package/dist/dtos/update-api-key.dto.d.ts +4 -0
package/dist/dtos/update-api-key.dto.d.ts.map +1 -0
package/dist/dtos/update-api-key.dto.js +28 -0
package/dist/dtos/update-api-key.dto.js.map +1 -0
package/dist/entities/setting.entity.d.ts +1 -0
package/dist/entities/setting.entity.d.ts.map +1 -1
package/dist/entities/setting.entity.js +5 -1
package/dist/entities/setting.entity.js.map +1 -1
package/dist/entities/user-api-key.entity.d.ts +12 -0
package/dist/entities/user-api-key.entity.d.ts.map +1 -0
package/dist/entities/user-api-key.entity.js +62 -0
package/dist/entities/user-api-key.entity.js.map +1 -0
package/dist/entities/user.entity.d.ts +3 -0
package/dist/entities/user.entity.d.ts.map +1 -1
package/dist/entities/user.entity.js +12 -1
package/dist/entities/user.entity.js.map +1 -1
package/dist/enums/auth-type.enum.d.ts +2 -1
package/dist/enums/auth-type.enum.d.ts.map +1 -1
package/dist/enums/auth-type.enum.js +2 -1
package/dist/enums/auth-type.enum.js.map +1 -1
package/dist/guards/api-key.guard.d.ts +11 -0
package/dist/guards/api-key.guard.d.ts.map +1 -0
package/dist/guards/api-key.guard.js +43 -0
package/dist/guards/api-key.guard.js.map +1 -0
package/dist/guards/authentication.guard.d.ts +4 -2
package/dist/guards/authentication.guard.d.ts.map +1 -1
package/dist/guards/authentication.guard.js +7 -3
package/dist/guards/authentication.guard.js.map +1 -1
package/dist/index.d.ts +2 -0
package/dist/index.d.ts.map +1 -1
package/dist/index.js +2 -0
package/dist/index.js.map +1 -1
package/dist/interfaces.d.ts +12 -0
package/dist/interfaces.d.ts.map +1 -1
package/dist/interfaces.js.map +1 -1
package/dist/jobs/database/chatter-queue-publisher-database.service.d.ts +1 -1
package/dist/jobs/database/chatter-queue-publisher-database.service.d.ts.map +1 -1
package/dist/jobs/database/chatter-queue-publisher-database.service.js.map +1 -1
package/dist/jobs/database/chatter-queue-subscriber-database.service.d.ts +1 -1
package/dist/jobs/database/chatter-queue-subscriber-database.service.d.ts.map +1 -1
package/dist/jobs/database/chatter-queue-subscriber-database.service.js.map +1 -1
package/dist/jobs/rabbitmq/chatter-queue-publisher.service.d.ts +1 -12
package/dist/jobs/rabbitmq/chatter-queue-publisher.service.d.ts.map +1 -1
package/dist/jobs/rabbitmq/chatter-queue-publisher.service.js.map +1 -1
package/dist/jobs/rabbitmq/chatter-queue-subscriber.service.d.ts +1 -1
package/dist/jobs/rabbitmq/chatter-queue-subscriber.service.d.ts.map +1 -1
package/dist/jobs/rabbitmq/chatter-queue-subscriber.service.js.map +1 -1
package/dist/jobs/redis/chatter-queue-subscriber-redis.service.d.ts +1 -1
package/dist/jobs/redis/chatter-queue-subscriber-redis.service.d.ts.map +1 -1
package/dist/jobs/redis/chatter-queue-subscriber-redis.service.js.map +1 -1
package/dist/repository/user-api-key.repository.d.ts +12 -0
package/dist/repository/user-api-key.repository.d.ts.map +1 -0
package/dist/repository/user-api-key.repository.js +34 -0
package/dist/repository/user-api-key.repository.js.map +1 -0
package/dist/seeders/seed-data/solid-core-metadata.json +128 -0
package/dist/services/api-key.service.d.ts +20 -0
package/dist/services/api-key.service.d.ts.map +1 -0
package/dist/services/api-key.service.js +98 -0
package/dist/services/api-key.service.js.map +1 -0
package/dist/services/authentication.service.d.ts +19 -1
package/dist/services/authentication.service.d.ts.map +1 -1
package/dist/services/authentication.service.js +31 -5
package/dist/services/authentication.service.js.map +1 -1
package/dist/services/encryption.service.d.ts +8 -0
package/dist/services/encryption.service.d.ts.map +1 -0
package/dist/services/encryption.service.js +75 -0
package/dist/services/encryption.service.js.map +1 -0
package/dist/services/setting.service.d.ts +1 -0
package/dist/services/setting.service.d.ts.map +1 -1
package/dist/services/setting.service.js +35 -7
package/dist/services/setting.service.js.map +1 -1
package/dist/services/settings/default-settings-provider.service.d.ts +12 -0
package/dist/services/settings/default-settings-provider.service.d.ts.map +1 -1
package/dist/services/settings/default-settings-provider.service.js +4 -3
package/dist/services/settings/default-settings-provider.service.js.map +1 -1
package/dist/services/sso-code-storage.service.d.ts +15 -0
package/dist/services/sso-code-storage.service.d.ts.map +1 -0
package/dist/services/sso-code-storage.service.js +47 -0
package/dist/services/sso-code-storage.service.js.map +1 -0
package/dist/solid-core.module.d.ts.map +1 -1
package/dist/solid-core.module.js +10 -0
package/dist/solid-core.module.js.map +1 -1
package/dist/subscribers/audit.subscriber.d.ts +1 -1
package/dist/subscribers/audit.subscriber.d.ts.map +1 -1
package/dist/subscribers/audit.subscriber.js.map +1 -1
package/package.json +1 -1
package/src/controllers/authentication.controller.ts +59 -3
package/src/dtos/create-api-key.dto.ts +14 -0
package/src/dtos/register-private.dto.ts +5 -14
package/src/dtos/sso-exchange.dto.ts +7 -0
package/src/dtos/update-api-key.dto.ts +9 -0
package/src/entities/setting.entity.ts +3 -0
package/src/entities/user-api-key.entity.ts +37 -0
package/src/entities/user.entity.ts +8 -0
package/src/enums/auth-type.enum.ts +1 -0
package/src/guards/api-key.guard.ts +32 -0
package/src/guards/authentication.guard.ts +6 -3
package/src/index.ts +2 -0
package/src/interfaces.ts +16 -0
package/src/jobs/database/chatter-queue-publisher-database.service.ts +1 -1
package/src/jobs/database/chatter-queue-subscriber-database.service.ts +1 -1
package/src/jobs/rabbitmq/chatter-queue-publisher.service.ts +1 -15
package/src/jobs/rabbitmq/chatter-queue-subscriber.service.ts +1 -1
package/src/jobs/redis/chatter-queue-subscriber-redis.service.ts +1 -1
package/src/repository/user-api-key.repository.ts +17 -0
package/src/seeders/seed-data/solid-core-metadata.json +128 -0
package/src/services/api-key.service.ts +111 -0
package/src/services/authentication.service.ts +35 -3
package/src/services/encryption.service.ts +43 -0
package/src/services/setting.service.ts +38 -9
package/src/services/settings/default-settings-provider.service.ts +4 -3
package/src/services/sso-code-storage.service.ts +36 -0
package/src/solid-core.module.ts +10 -0
package/src/subscribers/audit.subscriber.ts +1 -1

package/src/entities/user-api-key.entity.ts ADDED Viewed

@@ -0,0 +1,37 @@
+import { Exclude, Expose } from "class-transformer";
+import { CommonEntity } from "src/entities/common.entity";
+import { Column, Entity, Index, ManyToOne } from "typeorm";
+import { User } from "./user.entity";
+@Entity("ss_user_api_key")
+@Exclude()
+export class UserApiKey extends CommonEntity {
+    @Expose()
+    @Column()
+    name: string;
+    // SHA-256 hash of the raw key — never exposed, same treatment as User.password
+    @Index({ unique: true })
+    @Column()
+    hashedKey: string;
+    @Expose()
+    @Column()
+    maskedKey: string;
+    @Expose()
+    @Column({ default: true })
+    isActive: boolean;
+    @Expose()
+    @Column({ nullable: true })
+    expiresAt: Date;
+    @Expose()
+    @Column({ nullable: true })
+    lastUsedAt: Date;
+    @ManyToOne(() => User, user => user.apiKeys)
+    user: User;
+}

package/src/entities/user.entity.ts CHANGED Viewed

@@ -2,6 +2,7 @@ import { CommonEntity } from "src/entities/common.entity"
 import { Entity, Column, Index, JoinTable, ManyToMany, OneToMany, TableInheritance } from "typeorm";
 import { RoleMetadata } from 'src/entities/role-metadata.entity';
 import { UserViewMetadata } from 'src/entities/user-view-metadata.entity'
+import { UserApiKey } from 'src/entities/user-api-key.entity'
 import { Exclude, Expose } from "class-transformer";
 @Entity("ss_user")
@@ -151,4 +152,11 @@ export class User extends CommonEntity {
     @Expose()
     _media: any;
+    @Column({ default: false })
+    @Expose()
+    isAllowedToGenerateApiKeys: boolean = false;
+    @OneToMany(() => UserApiKey, key => key.user)
+    apiKeys: UserApiKey[];
 }

package/src/enums/auth-type.enum.ts CHANGED Viewed

@@ -1,4 +1,5 @@
 export enum AuthType {
     Bearer,
+    ApiKey,
     None,
 }

package/src/guards/api-key.guard.ts ADDED Viewed

@@ -0,0 +1,32 @@
+import { CanActivate, ExecutionContext, Injectable, UnauthorizedException } from '@nestjs/common';
+import { Request } from 'express';
+import { REQUEST_USER_KEY } from 'src/constants';
+import { ApiKeyService } from 'src/services/api-key.service';
+import { ClsService } from 'nestjs-cls';
+@Injectable()
+export class ApiKeyGuard implements CanActivate {
+    constructor(
+        private readonly apiKeyService: ApiKeyService,
+        private readonly cls: ClsService,
+    ) {}
+    async canActivate(context: ExecutionContext): Promise<boolean> {
+        const request = context.switchToHttp().getRequest<Request>();
+        const rawKey = this.extractKeyFromHeader(request);
+        if (!rawKey) {
+            throw new UnauthorizedException();
+        }
+        const activeUser = await this.apiKeyService.validate(rawKey);
+        request[REQUEST_USER_KEY] = activeUser;
+        this.cls.set(REQUEST_USER_KEY, activeUser);
+        return true;
+    }
+    private extractKeyFromHeader(request: Request): string | undefined {
+        return request.headers['solidx-api-key'] as string | undefined;
+    }
+}

package/src/guards/authentication.guard.ts CHANGED Viewed

@@ -8,23 +8,26 @@ import { Reflector } from '@nestjs/core';
 import { AUTH_TYPE_KEY } from '../decorators/auth.decorator';
 import { AuthType } from '../enums/auth-type.enum';
 import { AccessTokenGuard } from './access-token.guard';
+import { ApiKeyGuard } from './api-key.guard';
 import { IS_PUBLIC_KEY } from '../decorators/public.decorator';
 import { PermissionMetadataService } from '../services/permission-metadata.service';
 import { ClsService } from 'nestjs-cls';
 @Injectable()
 export class AuthenticationGuard implements CanActivate {
-  private static readonly defaultAuthType = AuthType.Bearer;
+  private static readonly defaultAuthTypes = [AuthType.Bearer, AuthType.ApiKey];
   private readonly authTypeGuardMap: Record<
     AuthType,
     CanActivate | CanActivate[]> = {
       [AuthType.Bearer]: this.accessTokenGuard,
+      [AuthType.ApiKey]: this.apiKeyGuard,
       [AuthType.None]: { canActivate: () => true },
     };
   constructor(
     private readonly reflector: Reflector,
     private readonly accessTokenGuard: AccessTokenGuard,
+    private readonly apiKeyGuard: ApiKeyGuard,
     private readonly permissionService: PermissionMetadataService,
     private readonly cls: ClsService,
   ) { }
@@ -49,7 +52,7 @@ export class AuthenticationGuard implements CanActivate {
       return true;
     }
-    // TODO: Check if this permission viz. contextPermission is listed in the Public role.
+    // TODO: Check if this permission viz. contextPermission is listed in the Public role.
     const contextPermission = `${context.getClass().name}.${context.getHandler().name}`;
     const permissionExistsInRole = await this.permissionService.permissionExistsInRole('Public', contextPermission)
@@ -61,7 +64,7 @@ export class AuthenticationGuard implements CanActivate {
     const authTypes = this.reflector.getAllAndOverride<AuthType[]>(
       AUTH_TYPE_KEY,
       [context.getHandler(), context.getClass()],
-    ) ?? [AuthenticationGuard.defaultAuthType];
+    ) ?? AuthenticationGuard.defaultAuthTypes;
     const guards = authTypes.map((type) => this.authTypeGuardMap[type]).flat();
     let error = new UnauthorizedException();

package/src/index.ts CHANGED Viewed

@@ -126,6 +126,7 @@ export * from './entities/permission-metadata.entity'
 export * from './entities/role-metadata.entity'
 export * from './entities/sms-template.entity'
 export * from './entities/user.entity'
+export * from './entities/user-api-key.entity'
 export * from './entities/view-metadata.entity'
 export * from './entities/setting.entity'
 export * from './entities/saved-filters.entity'
@@ -314,6 +315,7 @@ export * from './services/user.service'
 export * from './services/view-metadata.service'
 export * from './services/whatsapp/Msg91WhatsappService' //rename
 export * from './services/setting.service'
+export * from './services/encryption.service'
 export * from './services/info.service'
 export * from './controllers/info.controller'
 export * from './services/settings/default-settings-provider.service'

package/src/interfaces.ts CHANGED Viewed

@@ -70,6 +70,7 @@ export interface SettingDefinition<T = any> {
   key: string;
   value: T;
   level: SettingLevel;
+  encrypted?: boolean;
 }
 // solid-core/settings/settings-provider.interface.ts
@@ -395,3 +396,18 @@ export interface AwsS3Config {
 // Prevents inference so callers must provide explicit type arguments; reusable for other APIs.
 export type NoInfer<T> = [T][T extends any ? 0 : never];
+export type AuditEventType = 'insert' | 'update' | 'delete';
+export interface AuditQueuePayload {
+    eventType: AuditEventType;
+    modelName: string;
+    entityId: string | number | null;
+    occurredAt: string;
+    after?: any;
+    before?: any;
+    updatedColumnNames?: string[];
+    userId?: number | null;
+}

package/src/jobs/database/chatter-queue-publisher-database.service.ts CHANGED Viewed

@@ -4,7 +4,7 @@ import { DatabasePublisher } from 'src/services/queues/database-publisher.servic
 import { MqMessageQueueService } from '../../services/mq-message-queue.service';
 import { MqMessageService } from '../../services/mq-message.service';
 import { QueuesModuleOptions } from "../../interfaces";
-import { AuditQueuePayload } from '../rabbitmq/chatter-queue-publisher.service';
+import { AuditQueuePayload } from '../../interfaces';
 import chatterQueueOptionsDatabase from './chatter-queue-options-database';
 @Injectable()

package/src/jobs/database/chatter-queue-subscriber-database.service.ts CHANGED Viewed

@@ -6,7 +6,7 @@ import { MqMessageService } from '../../services/mq-message.service';
 import { MqMessageQueueService } from '../../services/mq-message-queue.service';
 import { QueuesModuleOptions } from "../../interfaces";
 import { PollerService } from 'src/services/poller.service';
-import { AuditQueuePayload } from '../rabbitmq/chatter-queue-publisher.service';
+import { AuditQueuePayload } from '../../interfaces';
 import { ChatterMessageService } from 'src/services/chatter-message.service';
 import chatterQueueOptionsDatabase from './chatter-queue-options-database';

package/src/jobs/rabbitmq/chatter-queue-publisher.service.ts CHANGED Viewed

@@ -4,21 +4,7 @@ import { RabbitMqPublisher } from 'src/services/queues/rabbitmq-publisher.servic
 import chatterQueueOptions from './chatter-queue-options';
 import { MqMessageQueueService } from '../../services/mq-message-queue.service';
 import { MqMessageService } from '../../services/mq-message.service';
-import { QueuesModuleOptions } from "../../interfaces";
-export type AuditEventType = 'insert' | 'update' | 'delete';
-export interface AuditQueuePayload {
-    eventType: AuditEventType;
-    modelName: string;              // TypeORM entity class name (e.g. 'Order')
-    entityId: string | number | null;
-    occurredAt: string;             // ISO timestamp, captured at event time
-    after?: any;                    // entity state after operation (insert/update)
-    before?: any;                   // entity state before operation (update/delete)
-    updatedColumnNames?: string[];  // propertyNames of changed columns (update only)
-    userId?: number | null;         // active user captured at event time
-}
+import { AuditQueuePayload, QueuesModuleOptions } from "../../interfaces";
 @Injectable()
 export class ChatterQueuePublisherRabbitmq extends RabbitMqPublisher<AuditQueuePayload> {

package/src/jobs/rabbitmq/chatter-queue-subscriber.service.ts CHANGED Viewed

@@ -6,7 +6,7 @@ import { MqMessageService } from '../../services/mq-message.service';
 import { MqMessageQueueService } from '../../services/mq-message-queue.service';
 import { QueuesModuleOptions } from "../../interfaces";
 import chatterQueueOptions from './chatter-queue-options';
-import { AuditQueuePayload } from './chatter-queue-publisher.service';
+import { AuditQueuePayload } from '../../interfaces';
 import { ChatterMessageService } from 'src/services/chatter-message.service';
 @Injectable()

package/src/jobs/redis/chatter-queue-subscriber-redis.service.ts CHANGED Viewed

@@ -6,7 +6,7 @@ import chatterQueueConfig from './chatter-queue-options-redis';
 import { MqMessageService } from '../../services/mq-message.service';
 import { MqMessageQueueService } from '../../services/mq-message-queue.service';
 import { QueuesModuleOptions } from "../../interfaces";
-import { AuditQueuePayload } from '../rabbitmq/chatter-queue-publisher.service';
+import { AuditQueuePayload } from '../../interfaces';
 import { ChatterMessageService } from '../../services/chatter-message.service';
 @Injectable()

package/src/repository/user-api-key.repository.ts ADDED Viewed

@@ -0,0 +1,17 @@
+import { Injectable } from '@nestjs/common';
+import { UserApiKey } from 'src/entities/user-api-key.entity';
+import { RequestContextService } from 'src/services/request-context.service';
+import { DataSource } from 'typeorm';
+import { SecurityRuleRepository } from './security-rule.repository';
+import { SolidBaseRepository } from './solid-base.repository';
+@Injectable()
+export class UserApiKeyRepository extends SolidBaseRepository<UserApiKey> {
+    constructor(
+        readonly dataSource: DataSource,
+        readonly requestContextService: RequestContextService,
+        readonly securityRuleRepository: SecurityRuleRepository,
+    ) {
+        super(UserApiKey, dataSource, requestContextService, securityRuleRepository);
+    }
+}

package/src/seeders/seed-data/solid-core-metadata.json CHANGED Viewed

@@ -2085,6 +2085,35 @@
             "relationModelModuleName": "solid-core",
             "isSystem": true
           },
+          {
+            "name": "isAllowedToGenerateApiKeys",
+            "displayName": "Is Allowed To Generate API Keys",
+            "type": "boolean",
+            "required": true,
+            "unique": false,
+            "index": false,
+            "private": false,
+            "encrypt": false,
+            "defaultValue": "false",
+            "isSystem": true,
+            "enableAuditTracking": true
+          },
+          {
+            "name": "apiKeys",
+            "displayName": "API Keys",
+            "type": "relation",
+            "required": false,
+            "unique": false,
+            "index": false,
+            "private": false,
+            "encrypt": false,
+            "relationType": "one-to-many",
+            "relationCoModelSingularName": "userApiKey",
+            "relationCoModelFieldName": "user",
+            "relationCreateInverse": true,
+            "relationModelModuleName": "solid-core",
+            "isSystem": true
+          },
           {
             "name": "passwordScheme",
             "displayName": "Password Scheme",
@@ -2129,6 +2158,105 @@
           }
         ]
       },
+      {
+        "singularName": "userApiKey",
+        "tableName": "ss_user_api_key",
+        "pluralName": "userApiKeys",
+        "displayName": "User API Key",
+        "description": "API keys for programmatic server-to-server access",
+        "dataSource": "default",
+        "dataSourceType": "postgres",
+        "userKeyFieldUserKey": "name",
+        "isSystem": true,
+        "fields": [
+          {
+            "name": "name",
+            "displayName": "Name",
+            "type": "shortText",
+            "length": 512,
+            "required": true,
+            "unique": false,
+            "index": false,
+            "private": false,
+            "encrypt": false,
+            "isSystem": true
+          },
+          {
+            "name": "hashedKey",
+            "displayName": "Hashed Key",
+            "type": "shortText",
+            "length": 512,
+            "required": true,
+            "unique": true,
+            "index": true,
+            "private": true,
+            "encrypt": false,
+            "isSystem": true
+          },
+          {
+            "name": "maskedKey",
+            "displayName": "Masked Key",
+            "type": "shortText",
+            "length": 512,
+            "required": true,
+            "unique": false,
+            "index": false,
+            "private": false,
+            "encrypt": false,
+            "isSystem": true
+          },
+          {
+            "name": "isActive",
+            "displayName": "Is Active",
+            "type": "boolean",
+            "required": true,
+            "unique": false,
+            "index": false,
+            "private": false,
+            "encrypt": false,
+            "defaultValue": "true",
+            "isSystem": true
+          },
+          {
+            "name": "expiresAt",
+            "displayName": "Expires At",
+            "type": "datetime",
+            "required": false,
+            "unique": false,
+            "index": false,
+            "private": false,
+            "encrypt": false,
+            "isSystem": true
+          },
+          {
+            "name": "lastUsedAt",
+            "displayName": "Last Used At",
+            "type": "datetime",
+            "required": false,
+            "unique": false,
+            "index": false,
+            "private": false,
+            "encrypt": false,
+            "isSystem": true
+          },
+          {
+            "name": "user",
+            "displayName": "User",
+            "type": "relation",
+            "required": true,
+            "unique": false,
+            "index": false,
+            "private": false,
+            "encrypt": false,
+            "relationType": "many-to-one",
+            "relationCoModelSingularName": "user",
+            "relationCoModelFieldName": "apiKeys",
+            "relationCreateInverse": true,
+            "relationModelModuleName": "solid-core",
+            "isSystem": true
+          }
+        ]
+      },
       {
         "singularName": "userActivityHistory",
         "tableName": "ss_user_activity_history",

package/src/services/api-key.service.ts ADDED Viewed

@@ -0,0 +1,111 @@
+import {
+    ForbiddenException,
+    Injectable,
+    Logger,
+    NotFoundException,
+    UnauthorizedException,
+} from '@nestjs/common';
+import { createHash, randomBytes } from 'crypto';
+import { CreateApiKeyDto } from 'src/dtos/create-api-key.dto';
+import { UpdateApiKeyDto } from 'src/dtos/update-api-key.dto';
+import { UserApiKey } from 'src/entities/user-api-key.entity';
+import { User } from 'src/entities/user.entity';
+import { ActiveUserData } from 'src/interfaces/active-user-data.interface';
+import { UserApiKeyRepository } from 'src/repository/user-api-key.repository';
+import { PermissionMetadataService } from 'src/services/permission-metadata.service';
+@Injectable()
+export class ApiKeyService {
+    private readonly logger = new Logger(ApiKeyService.name);
+    constructor(
+        private readonly apiKeyRepository: UserApiKeyRepository,
+        private readonly permissionMetadataService: PermissionMetadataService,
+    ) {}
+    async generate(userId: number, dto: CreateApiKeyDto): Promise<{ apiKey: string; record: UserApiKey }> {
+        const user = await this.apiKeyRepository.manager.findOne(User, {
+            where: { id: userId },
+            select: ['id', 'isAllowedToGenerateApiKeys'],
+        });
+        if (!user?.isAllowedToGenerateApiKeys) {
+            throw new ForbiddenException('You are not allowed to generate API keys');
+        }
+        const rawKey = 'sldx_' + randomBytes(32).toString('hex');
+        const hashedKey = this.hash(rawKey);
+        const maskedKey = 'sldx_****' + rawKey.slice(-4);
+        const record = this.apiKeyRepository.create({
+            name: dto.name,
+            hashedKey,
+            maskedKey,
+            isActive: true,
+            expiresAt: dto.expiresAt ? new Date(dto.expiresAt) : null,
+            user,
+        });
+        await this.apiKeyRepository.save(record);
+        // Strip hashedKey from the returned record — maskedKey is all the UI needs
+        delete (record as any).hashedKey;
+        return { apiKey: rawKey, record };
+    }
+    async validate(rawKey: string): Promise<ActiveUserData> {
+        const hashedKey = this.hash(rawKey);
+        // Bypass security rules for auth validation — must find the key regardless of caller context
+        const keyRecord = await this.apiKeyRepository.findOne({
+            where: { hashedKey, isActive: true },
+            relations: ['user', 'user.roles'],
+        });
+        if (!keyRecord) {
+            throw new UnauthorizedException();
+        }
+        if (keyRecord.expiresAt && keyRecord.expiresAt < new Date()) {
+            throw new UnauthorizedException('API key expired');
+        }
+        // Fire-and-forget — does not need security rule context
+        this.apiKeyRepository.update(keyRecord.id, { lastUsedAt: new Date() }).catch((err) => {
+            this.logger.warn(`Failed to update lastUsedAt for key ${keyRecord.id}: ${err.message}`);
+        });
+        const roles = (keyRecord.user.roles ?? []).map((r) => r.name);
+        const permissions = await this.permissionMetadataService.findAllUsingRoles(roles);
+        return {
+            sub: keyRecord.user.id,
+            username: keyRecord.user.username,
+            email: keyRecord.user.email,
+            roles,
+            permissions: permissions.map((p) => p.name),
+        };
+    }
+    async updateKey(id: number, userId: number, dto: UpdateApiKeyDto): Promise<void> {
+        const keyRecord = await this.apiKeyRepository.findOne({
+            where: { id, user: { id: userId } },
+        });
+        if (!keyRecord) {
+            throw new NotFoundException('API key not found');
+        }
+        await this.apiKeyRepository.manager
+            .createQueryBuilder()
+            .update(UserApiKey)
+            .set({ isActive: dto.isActive })
+            .where('id = :id', { id })
+            .execute();
+    }
+    private hash(rawKey: string): string {
+        return createHash('sha256').update(rawKey).digest('hex');
+    }
+}

package/src/services/authentication.service.ts CHANGED Viewed

@@ -41,6 +41,7 @@ import { EventDetails, EventType } from "../interfaces";
 import { ActiveUserData } from '../interfaces/active-user-data.interface';
 import { HashingService } from './hashing.service';
 import { InvalidatedRefreshTokenError, RefreshTokenIdsStorageService } from './refresh-token-ids-storage.service';
+import { SsoCodeStorageService } from './sso-code-storage.service';
 import { RoleMetadataService } from './role-metadata.service';
 import { SettingService } from './setting.service';
 import { UserActivityHistoryService } from './user-activity-history.service';
@@ -78,6 +79,7 @@ export class AuthenticationService {
         private readonly settingService: SettingService,
         private readonly roleMetadataService: RoleMetadataService,
         private readonly userActivityHistoryService: UserActivityHistoryService,
+        private readonly ssoCodeStorage: SsoCodeStorageService,
         @InjectDataSource()
         private readonly dataSource: DataSource,
@@ -152,6 +154,10 @@ export class AuthenticationService {
             const defaultRole = this.settingService.getConfigValue<SolidCoreSetting>('defaultRole');
             var { user, pwd, autoGeneratedPwd } = await this.populateForSignup(new User(), signUpDto, activateUserOnRegistration, onForcePasswordChange);
+            const privateDto = signUpDto as { isAllowedToGenerateApiKeys?: boolean };
+            if (privateDto.isAllowedToGenerateApiKeys !== undefined) {
+                user.isAllowedToGenerateApiKeys = privateDto.isAllowedToGenerateApiKeys;
+            }
             const savedUser = await this.userRepository.save(user);
             // Also assign a default role to the newly created user.
             const userRoles = signUpDto.roles ?? [];
@@ -879,11 +885,15 @@ export class AuthenticationService {
         }
     }
-    private async buildLoginTokenResponse(user: User) {
-        const { accessToken, refreshToken } = await this.generateTokens(user);
+    private buildUserPayload(user: User) {
         const { id, username, email, mobile, lastLoginProvider } = user;
         const roles = user.roles.map((role) => role.name);
-        return { accessToken, refreshToken, user: { id, username, email, mobile, lastLoginProvider, roles } };
+        return { id, username, email, mobile, lastLoginProvider, roles };
+    }
+    private async buildLoginTokenResponse(user: User) {
+        const { accessToken, refreshToken } = await this.generateTokens(user);
+        return { accessToken, refreshToken, user: this.buildUserPayload(user) };
     }
     async changePassword(changePasswordDto: ChangePasswordDto, activeUser: ActiveUserData) {
@@ -1414,6 +1424,28 @@ export class AuthenticationService {
         return response;
     }
+    async generateSsoCode(activeUser: ActiveUserData, rawAccessToken: string): Promise<{ ssoCode: string }> {
+        const refreshTokenState = await this.refreshTokenIdsStorage.getCurrentRefreshTokenState(activeUser.sub);
+        if (!refreshTokenState?.currentRefreshToken) {
+            throw new UnauthorizedException('No active session found');
+        }
+        const ssoCode = await this.ssoCodeStorage.generateCode(
+            activeUser.sub,
+            rawAccessToken,
+            refreshTokenState.currentRefreshToken,
+        );
+        return { ssoCode };
+    }
+    async exchangeSsoCode(code: string) {
+        const { userId, accessToken, refreshToken } = await this.ssoCodeStorage.consumeCode(code);
+        const user = await this.userRepository.findOne({ where: { id: userId }, relations: { roles: true } });
+        if (!user) {
+            throw new UnauthorizedException('User not found');
+        }
+        return { accessToken, refreshToken, user: this.buildUserPayload(user) };
+    }
 }
 function parseUniqueConstraintError(detail: string): string {

package/src/services/encryption.service.ts ADDED Viewed

@@ -0,0 +1,43 @@
+import * as crypto from 'crypto';
+const ALGORITHM = 'aes-256-gcm';
+const IV_LENGTH = 12;
+const AUTH_TAG_LENGTH = 16;
+const KEY_LENGTH = 32;
+const SCRYPT_SALT = 'solid-encryption-salt';
+const ENC_PREFIX = 'enc:';
+export class EncryptionService {
+  private readonly key: Buffer;
+  constructor(secret: string) {
+    if (!secret) throw new Error('EncryptionService: secret must not be empty');
+    this.key = crypto.scryptSync(secret, SCRYPT_SALT, KEY_LENGTH) as Buffer;
+  }
+  encrypt(plaintext: string): string {
+    const iv = crypto.randomBytes(IV_LENGTH);
+    const cipher = crypto.createCipheriv(ALGORITHM, this.key, iv, { authTagLength: AUTH_TAG_LENGTH });
+    const encrypted = Buffer.concat([cipher.update(plaintext, 'utf8'), cipher.final()]);
+    const authTag = cipher.getAuthTag();
+    return `${ENC_PREFIX}${iv.toString('hex')}:${authTag.toString('hex')}:${encrypted.toString('hex')}`;
+  }
+  decrypt(ciphertext: string): string {
+    if (!ciphertext.startsWith(ENC_PREFIX)) {
+      throw new Error('EncryptionService: value does not appear to be encrypted');
+    }
+    const payload = ciphertext.slice(ENC_PREFIX.length);
+    const [ivHex, authTagHex, encryptedHex] = payload.split(':');
+    const iv = Buffer.from(ivHex, 'hex');
+    const authTag = Buffer.from(authTagHex, 'hex');
+    const encryptedBuf = Buffer.from(encryptedHex, 'hex');
+    const decipher = crypto.createDecipheriv(ALGORITHM, this.key, iv, { authTagLength: AUTH_TAG_LENGTH });
+    decipher.setAuthTag(authTag);
+    return decipher.update(encryptedBuf).toString('utf8') + decipher.final('utf8');
+  }
+  isEncrypted(value: string): boolean {
+    return typeof value === 'string' && value.startsWith(ENC_PREFIX);
+  }
+}