npm - @things-factory/auth-base - Versions diffs - 10.0.0-beta.53 → 10.0.0-beta.57 - Mend

@things-factory/auth-base 10.0.0-beta.53 → 10.0.0-beta.57

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (26) hide show

package/dist-server/middlewares/domain-authenticate-middleware.js CHANGED Viewed

@@ -3,10 +3,44 @@ Object.defineProperty(exports, "__esModule", { value: true });
 exports.domainAuthenticateMiddleware = domainAuthenticateMiddleware;
 const shell_1 = require("@things-factory/shell");
 const auth_error_js_1 = require("../errors/auth-error.js");
+const domain_owner_js_1 = require("../service/domain-owner/domain-owner.js");
 const user_js_1 = require("../service/user/user.js");
 const get_user_domains_js_1 = require("../utils/get-user-domains.js");
+/**
+ * 도메인 소유권 확인.
+ *
+ * 소유권은 두 가지 경로 중 하나로 인식된다:
+ *   1) 하위 호환: `Domain.owner` 컬럼에 user.id 일치 (마이그레이션 이전 데이터
+ *      또는 "대표 owner 표시용 캐시")
+ *   2) `DomainOwner` 테이블에 (domainId, userId) 엔트리 존재 (정식 멀티 owner)
+ *
+ * 둘 중 하나라도 만족하면 owner로 인정 — 마이그레이션 기간/기존 API 호환을
+ * 끊어뜨리지 않기 위함.
+ */
 process.domainOwnerGranted = async (domain, user) => {
-    return user && domain && domain.owner === user.id;
+    if (!user || !domain)
+        return false;
+    // (1) 하위 호환: Domain.owner 캐시 필드
+    if (domain.owner === user.id)
+        return true;
+    // Request-level 메모이제이션 — 한 요청 안에서 @privilege directive 가
+    // 걸린 field 마다 이 함수가 호출될 수 있는데 (list 쿼리의 경우 N 번),
+    // 같은 (domain, user) 조합은 DB 조회를 1 번만 수행.
+    // user 객체는 request-scoped 이므로 request 종료 시 자연스럽게 소멸.
+    const cacheKey = `__domainOwnerGranted:${domain.id}`;
+    const cached = user[cacheKey];
+    if (cached !== undefined)
+        return cached;
+    // (2) DomainOwner join table
+    const exists = await (0, shell_1.getRepository)(domain_owner_js_1.DomainOwner)
+        .createQueryBuilder('ow')
+        .where('ow.domain_id = :domainId AND ow.user_id = :userId', {
+        domainId: domain.id,
+        userId: user.id
+    })
+        .getExists();
+    user[cacheKey] = exists;
+    return exists;
 };
 process.superUserGranted = async (domain, user) => {
     if (!user) {

package/dist-server/middlewares/domain-authenticate-middleware.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"file":"domain-authenticate-middleware.js","sourceRoot":"","sources":["../../server/middlewares/domain-authenticate-middleware.ts"],"names":[],"mappings":";;~~AAiDA~~,oEAuBC;~~AAxED~~,iDAA6D;AAE7D,2DAAmD;AACnD,qDAA8C;AAC9C,sEAA6D;AAW7D,OAAO,CAAC,kBAAkB,GAAG,KAAK,EAAE,MAAc,EAAE,IAAU,EAAoB,EAAE;IAClF,~~OAAO~~,IAAI,IAAI,MAAM,IAAI,MAAM,CAAC,KAAK,KAAK,IAAI,CAAC,EAAE,CAAA;~~AACnD~~,CAAC,CAAA;AAED,OAAO,CAAC,gBAAgB,GAAG,KAAK,EAAE,MAAc,EAAE,IAAU,EAAoB,EAAE;IAChF,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,KAAK,CAAA;IACd,CAAC;IAED,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC;QACzB,IAAI,GAAG,MAAM,IAAA,qBAAa,EAAC,cAAI,CAAC,CAAC,OAAO,CAAC;YACvC,KAAK,EAAE,EAAE,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE;YACtB,SAAS,EAAE,CAAC,SAAS,CAAC;SACvB,CAAC,CAAA;IACJ,CAAC;IAED,MAAM,YAAY,GAAW,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,MAAc,EAAE,EAAE,CAAC,MAAM,CAAC,SAAS,KAAK,QAAQ,CAAC,CAAA;IACjG,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,OAAO,KAAK,CAAA;IACd,CAAC;IAED,OAAO,YAAY,CAAC,KAAK,KAAK,IAAI,CAAC,EAAE,CAAA;AACvC,CAAC,CAAA;AAED;;;;;;;;GAQG;AAEI,KAAK,UAAU,4BAA4B,CAAC,OAAY,EAAE,IAAS;IACxE,MAAM,EAAE,CAAC,EAAE,GAAG,OAAO,CAAA;IACrB,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC,KAAK,CAAA;IAEtC,MAAM,SAAS,GAAW,MAAM,EAAE,SAAS,CAAA;IAE3C,gCAAgC;IAChC,mBAAmB;IACnB,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,yBAAS,CAAC;YAClB,SAAS,EAAE,yBAAS,CAAC,WAAW,CAAC,kBAAkB;SACpD,CAAC,CAAA;IACJ,CAAC;IAED,4BAA4B;IAC5B,MAAM,WAAW,GAAsB,MAAM,IAAA,oCAAc,EAAC,IAAI,CAAC,CAAA;IACjE,IAAI,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,CAAC,SAAS,IAAI,SAAS,CAAC,IAAI,CAAC,MAAM,OAAO,CAAC,gBAAgB,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC,EAAE,CAAC;QAChH,OAAO,MAAM,IAAI,EAAE,CAAA;IACrB,CAAC;IAED,MAAM,IAAI,yBAAS,CAAC;QAClB,SAAS,EAAE,yBAAS,CAAC,WAAW,CAAC,kBAAkB;KACpD,CAAC,CAAA;AACJ,CAAC","sourcesContent":["import { Domain, getRepository } from '@things-factory/shell'\n\nimport { AuthError } from '../errors/auth-error.js'\nimport { User } from '../service/user/user.js'\nimport { getUserDomains } from '../utils/get-user-domains.js'\n\ndeclare global {\n namespace NodeJS {\n interface Process {\n domainOwnerGranted: (domain: Domain, user: User) => Promise<boolean>\n superUserGranted: (domain: Domain, user: User) => Promise<boolean>\n }\n }\n}\n\nprocess.domainOwnerGranted = async (domain: Domain, user: User): Promise<boolean> => {\n ~~return~~ user && domain && domain.owner === user.id\n}\n\nprocess.superUserGranted = async (domain: Domain, user: User): Promise<boolean> => {\n if (!user) {\n return false\n }\n\n if (!user.domains.length) {\n user = await getRepository(User).findOne({\n where: { id: user.id },\n relations: ['domains']\n })\n }\n\n const systemDomain: Domain = user.domains.find((domain: Domain) => domain.subdomain === 'system')\n if (!systemDomain) {\n return false\n }\n\n return systemDomain.owner === user.id\n}\n\n/\n 현재 subdomain 과 user의 domain list와의 비교를 통해서,\n * 인증 성공 또는 인증 에러를 발생시킬 것인지를 결정한다.\n * 1. 현재 subdomain 이 결정되지 않은 경우.\n * - checkin로 이동한다.\n * 2. superUser 판단\n * 3. 현재 subdomain 이 결정된 경우.\n * - user의 domains 리스트에 해당 subdomain이 없다면, 인증 오류를 발생한다.\n */\n\nexport async function domainAuthenticateMiddleware(context: any, next: any) {\n const { t } = context\n const { domain, user } = context.state\n\n const subdomain: string = domain?.subdomain\n\n // 1. 현재 subdomain 이 결정되지 않은 경우.\n // - checkin로 이동한다.\n if (!subdomain) {\n throw new AuthError({\n errorCode: AuthError.ERROR_CODES.SUBDOMAIN_NOTFOUND\n })\n }\n\n // 2. 현재 subdomain 이 결정된 경우.\n const userDomains: Partial<Domain>[] = await getUserDomains(user)\n if (userDomains.find(domain => domain.subdomain == subdomain) \|\| (await process.superUserGranted(domain, user))) {\n return await next()\n }\n\n throw new AuthError({\n errorCode: AuthError.ERROR_CODES.SUBDOMAIN_NOTFOUND\n })\n}\n"]}
1	+ {"version":3,"file":"domain-authenticate-middleware.js","sourceRoot":"","sources":["../../server/middlewares/domain-authenticate-middleware.ts"],"names":[],"mappings":";;AAmFA,oEAuBC;AA1GD,iDAA6D;AAE7D,2DAAmD;AACnD,6EAAqE;AACrE,qDAA8C;AAC9C,sEAA6D;AAW7D;;;;;;;;;;GAUG;AACH,OAAO,CAAC,kBAAkB,GAAG,KAAK,EAAE,MAAc,EAAE,IAAU,EAAoB,EAAE;IAClF,IAAI,CAAC,IAAI,IAAI,CAAC,MAAM;QAAE,OAAO,KAAK,CAAA;IAElC,gCAAgC;IAChC,IAAI,MAAM,CAAC,KAAK,KAAK,IAAI,CAAC,EAAE;QAAE,OAAO,IAAI,CAAA;IAEzC,yDAAyD;IACzD,iDAAiD;IACjD,wCAAwC;IACxC,qDAAqD;IACrD,MAAM,QAAQ,GAAG,wBAAwB,MAAM,CAAC,EAAE,EAAE,CAAA;IACpD,MAAM,MAAM,GAAI,IAAY,CAAC,QAAQ,CAAC,CAAA;IACtC,IAAI,MAAM,KAAK,SAAS;QAAE,OAAO,MAAM,CAAA;IAEvC,6BAA6B;IAC7B,MAAM,MAAM,GAAG,MAAM,IAAA,qBAAa,EAAC,6BAAW,CAAC;SAC5C,kBAAkB,CAAC,IAAI,CAAC;SACxB,KAAK,CAAC,mDAAmD,EAAE;QAC1D,QAAQ,EAAE,MAAM,CAAC,EAAE;QACnB,MAAM,EAAE,IAAI,CAAC,EAAE;KAChB,CAAC;SACD,SAAS,EAAE,CACb;IAAC,IAAY,CAAC,QAAQ,CAAC,GAAG,MAAM,CAAA;IACjC,OAAO,MAAM,CAAA;AACf,CAAC,CAAA;AAED,OAAO,CAAC,gBAAgB,GAAG,KAAK,EAAE,MAAc,EAAE,IAAU,EAAoB,EAAE;IAChF,IAAI,CAAC,IAAI,EAAE,CAAC;QACV,OAAO,KAAK,CAAA;IACd,CAAC;IAED,IAAI,CAAC,IAAI,CAAC,OAAO,CAAC,MAAM,EAAE,CAAC;QACzB,IAAI,GAAG,MAAM,IAAA,qBAAa,EAAC,cAAI,CAAC,CAAC,OAAO,CAAC;YACvC,KAAK,EAAE,EAAE,EAAE,EAAE,IAAI,CAAC,EAAE,EAAE;YACtB,SAAS,EAAE,CAAC,SAAS,CAAC;SACvB,CAAC,CAAA;IACJ,CAAC;IAED,MAAM,YAAY,GAAW,IAAI,CAAC,OAAO,CAAC,IAAI,CAAC,CAAC,MAAc,EAAE,EAAE,CAAC,MAAM,CAAC,SAAS,KAAK,QAAQ,CAAC,CAAA;IACjG,IAAI,CAAC,YAAY,EAAE,CAAC;QAClB,OAAO,KAAK,CAAA;IACd,CAAC;IAED,OAAO,YAAY,CAAC,KAAK,KAAK,IAAI,CAAC,EAAE,CAAA;AACvC,CAAC,CAAA;AAED;;;;;;;;GAQG;AAEI,KAAK,UAAU,4BAA4B,CAAC,OAAY,EAAE,IAAS;IACxE,MAAM,EAAE,CAAC,EAAE,GAAG,OAAO,CAAA;IACrB,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,GAAG,OAAO,CAAC,KAAK,CAAA;IAEtC,MAAM,SAAS,GAAW,MAAM,EAAE,SAAS,CAAA;IAE3C,gCAAgC;IAChC,mBAAmB;IACnB,IAAI,CAAC,SAAS,EAAE,CAAC;QACf,MAAM,IAAI,yBAAS,CAAC;YAClB,SAAS,EAAE,yBAAS,CAAC,WAAW,CAAC,kBAAkB;SACpD,CAAC,CAAA;IACJ,CAAC;IAED,4BAA4B;IAC5B,MAAM,WAAW,GAAsB,MAAM,IAAA,oCAAc,EAAC,IAAI,CAAC,CAAA;IACjE,IAAI,WAAW,CAAC,IAAI,CAAC,MAAM,CAAC,EAAE,CAAC,MAAM,CAAC,SAAS,IAAI,SAAS,CAAC,IAAI,CAAC,MAAM,OAAO,CAAC,gBAAgB,CAAC,MAAM,EAAE,IAAI,CAAC,CAAC,EAAE,CAAC;QAChH,OAAO,MAAM,IAAI,EAAE,CAAA;IACrB,CAAC;IAED,MAAM,IAAI,yBAAS,CAAC;QAClB,SAAS,EAAE,yBAAS,CAAC,WAAW,CAAC,kBAAkB;KACpD,CAAC,CAAA;AACJ,CAAC","sourcesContent":["import { Domain, getRepository } from '@things-factory/shell'\n\nimport { AuthError } from '../errors/auth-error.js'\nimport { DomainOwner } from '../service/domain-owner/domain-owner.js'\nimport { User } from '../service/user/user.js'\nimport { getUserDomains } from '../utils/get-user-domains.js'\n\ndeclare global {\n namespace NodeJS {\n interface Process {\n domainOwnerGranted: (domain: Domain, user: User) => Promise<boolean>\n superUserGranted: (domain: Domain, user: User) => Promise<boolean>\n }\n }\n}\n\n/*\n 도메인 소유권 확인.\n \n 소유권은 두 가지 경로 중 하나로 인식된다:\n * 1) 하위 호환: `Domain.owner` 컬럼에 user.id 일치 (마이그레이션 이전 데이터\n * 또는 \"대표 owner 표시용 캐시\")\n * 2) `DomainOwner` 테이블에 (domainId, userId) 엔트리 존재 (정식 멀티 owner)\n \n 둘 중 하나라도 만족하면 owner로 인정 — 마이그레이션 기간/기존 API 호환을\n * 끊어뜨리지 않기 위함.\n /\nprocess.domainOwnerGranted = async (domain: Domain, user: User): Promise<boolean> => {\n if (!user \|\| !domain) return false\n\n // (1) 하위 호환: Domain.owner 캐시 필드\n if (domain.owner === user.id) return true\n\n // Request-level 메모이제이션 — 한 요청 안에서 @privilege directive 가\n // 걸린 field 마다 이 함수가 호출될 수 있는데 (list 쿼리의 경우 N 번),\n // 같은 (domain, user) 조합은 DB 조회를 1 번만 수행.\n // user 객체는 request-scoped 이므로 request 종료 시 자연스럽게 소멸.\n const cacheKey = `__domainOwnerGranted:${domain.id}`\n const cached = (user as any)[cacheKey]\n if (cached !== undefined) return cached\n\n // (2) DomainOwner join table\n const exists = await getRepository(DomainOwner)\n .createQueryBuilder('ow')\n .where('ow.domain_id = :domainId AND ow.user_id = :userId', {\n domainId: domain.id,\n userId: user.id\n })\n .getExists()\n ;(user as any)[cacheKey] = exists\n return exists\n}\n\nprocess.superUserGranted = async (domain: Domain, user: User): Promise<boolean> => {\n if (!user) {\n return false\n }\n\n if (!user.domains.length) {\n user = await getRepository(User).findOne({\n where: { id: user.id },\n relations: ['domains']\n })\n }\n\n const systemDomain: Domain = user.domains.find((domain: Domain) => domain.subdomain === 'system')\n if (!systemDomain) {\n return false\n }\n\n return systemDomain.owner === user.id\n}\n\n/\n * 현재 subdomain 과 user의 domain list와의 비교를 통해서,\n * 인증 성공 또는 인증 에러를 발생시킬 것인지를 결정한다.\n * 1. 현재 subdomain 이 결정되지 않은 경우.\n * - checkin로 이동한다.\n * 2. superUser 판단\n * 3. 현재 subdomain 이 결정된 경우.\n * - user의 domains 리스트에 해당 subdomain이 없다면, 인증 오류를 발생한다.\n */\n\nexport async function domainAuthenticateMiddleware(context: any, next: any) {\n const { t } = context\n const { domain, user } = context.state\n\n const subdomain: string = domain?.subdomain\n\n // 1. 현재 subdomain 이 결정되지 않은 경우.\n // - checkin로 이동한다.\n if (!subdomain) {\n throw new AuthError({\n errorCode: AuthError.ERROR_CODES.SUBDOMAIN_NOTFOUND\n })\n }\n\n // 2. 현재 subdomain 이 결정된 경우.\n const userDomains: Partial<Domain>[] = await getUserDomains(user)\n if (userDomains.find(domain => domain.subdomain == subdomain) \|\| (await process.superUserGranted(domain, user))) {\n return await next()\n }\n\n throw new AuthError({\n errorCode: AuthError.ERROR_CODES.SUBDOMAIN_NOTFOUND\n })\n}\n"]}

package/dist-server/migrations/1745000000000-MigrateDomainOwnersToTable.d.ts ADDED Viewed

@@ -0,0 +1,14 @@
+import { MigrationInterface, QueryRunner } from 'typeorm';
+/**
+ * 기존 `Domain.owner` 단일 소유자 데이터를 신규 `DomainOwner` 테이블로 이관한다.
+ *
+ * `Domain.owner` 컬럼은 제거하지 않는다 — "대표 owner 표시용 캐시"로 유지되며
+ * 하위 호환 API에서 계속 사용된다. 권위 있는 소유권 체크는 `DomainOwner` 테이블
+ * 또는 `Domain.owner` 캐시 중 하나라도 일치하면 통과 (domain-authenticate-middleware).
+ *
+ * 이 마이그레이션은 idempotent — 이미 존재하는 (domain, user) 쌍은 skip.
+ */
+export declare class MigrateDomainOwnersToTable1745000000000 implements MigrationInterface {
+    up(_queryRunner: QueryRunner): Promise<void>;
+    down(_queryRunner: QueryRunner): Promise<void>;
+}

package/dist-server/migrations/1745000000000-MigrateDomainOwnersToTable.js ADDED Viewed

@@ -0,0 +1,60 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.MigrateDomainOwnersToTable1745000000000 = void 0;
+const shell_1 = require("@things-factory/shell");
+const domain_owner_js_1 = require("../service/domain-owner/domain-owner.js");
+/**
+ * 기존 `Domain.owner` 단일 소유자 데이터를 신규 `DomainOwner` 테이블로 이관한다.
+ *
+ * `Domain.owner` 컬럼은 제거하지 않는다 — "대표 owner 표시용 캐시"로 유지되며
+ * 하위 호환 API에서 계속 사용된다. 권위 있는 소유권 체크는 `DomainOwner` 테이블
+ * 또는 `Domain.owner` 캐시 중 하나라도 일치하면 통과 (domain-authenticate-middleware).
+ *
+ * 이 마이그레이션은 idempotent — 이미 존재하는 (domain, user) 쌍은 skip.
+ */
+class MigrateDomainOwnersToTable1745000000000 {
+    async up(_queryRunner) {
+        const domainRepository = (0, shell_1.getRepository)(shell_1.Domain);
+        const ownerRepository = (0, shell_1.getRepository)(domain_owner_js_1.DomainOwner);
+        const domains = await domainRepository
+            .createQueryBuilder('d')
+            .where('d.owner IS NOT NULL')
+            .getMany();
+        let migrated = 0;
+        let skipped = 0;
+        for (const domain of domains) {
+            if (!domain.owner)
+                continue;
+            const existing = await ownerRepository
+                .createQueryBuilder('ow')
+                .where('ow.domain_id = :d AND ow.user_id = :u', { d: domain.id, u: domain.owner })
+                .getOne();
+            if (existing) {
+                skipped++;
+                continue;
+            }
+            const entry = ownerRepository.create({
+                domain: { id: domain.id },
+                user: { id: domain.owner },
+                reason: 'migrated from legacy single-owner field'
+            });
+            await ownerRepository.save(entry);
+            migrated++;
+        }
+        // eslint-disable-next-line no-console
+        console.log(`[MigrateDomainOwnersToTable] migrated ${migrated} ownership entries, skipped ${skipped} (already exist)`);
+    }
+    async down(_queryRunner) {
+        // rollback: domain_owners 중 'migrated from legacy...' reason만 제거
+        // Domain.owner 필드는 그대로이므로 데이터 유실 없음
+        const ownerRepository = (0, shell_1.getRepository)(domain_owner_js_1.DomainOwner);
+        await ownerRepository
+            .createQueryBuilder()
+            .delete()
+            .from(domain_owner_js_1.DomainOwner)
+            .where('reason = :reason', { reason: 'migrated from legacy single-owner field' })
+            .execute();
+    }
+}
+exports.MigrateDomainOwnersToTable1745000000000 = MigrateDomainOwnersToTable1745000000000;
+//# sourceMappingURL=1745000000000-MigrateDomainOwnersToTable.js.map

package/dist-server/migrations/1745000000000-MigrateDomainOwnersToTable.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"1745000000000-MigrateDomainOwnersToTable.js","sourceRoot":"","sources":["../../server/migrations/1745000000000-MigrateDomainOwnersToTable.ts"],"names":[],"mappings":";;;AAEA,iDAA6D;AAE7D,6EAAqE;AAErE;;;;;;;;GAQG;AACH,MAAa,uCAAuC;IAC3C,KAAK,CAAC,EAAE,CAAC,YAAyB;QACvC,MAAM,gBAAgB,GAAG,IAAA,qBAAa,EAAC,cAAM,CAAC,CAAA;QAC9C,MAAM,eAAe,GAAG,IAAA,qBAAa,EAAC,6BAAW,CAAC,CAAA;QAElD,MAAM,OAAO,GAAG,MAAM,gBAAgB;aACnC,kBAAkB,CAAC,GAAG,CAAC;aACvB,KAAK,CAAC,qBAAqB,CAAC;aAC5B,OAAO,EAAE,CAAA;QAEZ,IAAI,QAAQ,GAAG,CAAC,CAAA;QAChB,IAAI,OAAO,GAAG,CAAC,CAAA;QAEf,KAAK,MAAM,MAAM,IAAI,OAAO,EAAE,CAAC;YAC7B,IAAI,CAAC,MAAM,CAAC,KAAK;gBAAE,SAAQ;YAE3B,MAAM,QAAQ,GAAG,MAAM,eAAe;iBACnC,kBAAkB,CAAC,IAAI,CAAC;iBACxB,KAAK,CAAC,uCAAuC,EAAE,EAAE,CAAC,EAAE,MAAM,CAAC,EAAE,EAAE,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC;iBACjF,MAAM,EAAE,CAAA;YAEX,IAAI,QAAQ,EAAE,CAAC;gBACb,OAAO,EAAE,CAAA;gBACT,SAAQ;YACV,CAAC;YAED,MAAM,KAAK,GAAG,eAAe,CAAC,MAAM,CAAC;gBACnC,MAAM,EAAE,EAAE,EAAE,EAAE,MAAM,CAAC,EAAE,EAAY;gBACnC,IAAI,EAAE,EAAE,EAAE,EAAE,MAAM,CAAC,KAAK,EAAS;gBACjC,MAAM,EAAE,yCAAyC;aAClD,CAAC,CAAA;YACF,MAAM,eAAe,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;YACjC,QAAQ,EAAE,CAAA;QACZ,CAAC;QAED,sCAAsC;QACtC,OAAO,CAAC,GAAG,CACT,yCAAyC,QAAQ,+BAA+B,OAAO,kBAAkB,CAC1G,CAAA;IACH,CAAC;IAEM,KAAK,CAAC,IAAI,CAAC,YAAyB;QACzC,iEAAiE;QACjE,oCAAoC;QACpC,MAAM,eAAe,GAAG,IAAA,qBAAa,EAAC,6BAAW,CAAC,CAAA;QAClD,MAAM,eAAe;aAClB,kBAAkB,EAAE;aACpB,MAAM,EAAE;aACR,IAAI,CAAC,6BAAW,CAAC;aACjB,KAAK,CAAC,kBAAkB,EAAE,EAAE,MAAM,EAAE,yCAAyC,EAAE,CAAC;aAChF,OAAO,EAAE,CAAA;IACd,CAAC;CACF;AApDD,0FAoDC","sourcesContent":["import { MigrationInterface, QueryRunner } from 'typeorm'\n\nimport { Domain, getRepository } from '@things-factory/shell'\n\nimport { DomainOwner } from '../service/domain-owner/domain-owner.js'\n\n/**\n * 기존 `Domain.owner` 단일 소유자 데이터를 신규 `DomainOwner` 테이블로 이관한다.\n *\n * `Domain.owner` 컬럼은 제거하지 않는다 — \"대표 owner 표시용 캐시\"로 유지되며\n * 하위 호환 API에서 계속 사용된다. 권위 있는 소유권 체크는 `DomainOwner` 테이블\n * 또는 `Domain.owner` 캐시 중 하나라도 일치하면 통과 (domain-authenticate-middleware).\n *\n * 이 마이그레이션은 idempotent — 이미 존재하는 (domain, user) 쌍은 skip.\n */\nexport class MigrateDomainOwnersToTable1745000000000 implements MigrationInterface {\n public async up(_queryRunner: QueryRunner): Promise<void> {\n const domainRepository = getRepository(Domain)\n const ownerRepository = getRepository(DomainOwner)\n\n const domains = await domainRepository\n .createQueryBuilder('d')\n .where('d.owner IS NOT NULL')\n .getMany()\n\n let migrated = 0\n let skipped = 0\n\n for (const domain of domains) {\n if (!domain.owner) continue\n\n const existing = await ownerRepository\n .createQueryBuilder('ow')\n .where('ow.domain_id = :d AND ow.user_id = :u', { d: domain.id, u: domain.owner })\n .getOne()\n\n if (existing) {\n skipped++\n continue\n }\n\n const entry = ownerRepository.create({\n domain: { id: domain.id } as Domain,\n user: { id: domain.owner } as any,\n reason: 'migrated from legacy single-owner field'\n })\n await ownerRepository.save(entry)\n migrated++\n }\n\n // eslint-disable-next-line no-console\n console.log(\n `[MigrateDomainOwnersToTable] migrated ${migrated} ownership entries, skipped ${skipped} (already exist)`\n )\n }\n\n public async down(_queryRunner: QueryRunner): Promise<void> {\n // rollback: domain_owners 중 'migrated from legacy...' reason만 제거\n // Domain.owner 필드는 그대로이므로 데이터 유실 없음\n const ownerRepository = getRepository(DomainOwner)\n await ownerRepository\n .createQueryBuilder()\n .delete()\n .from(DomainOwner)\n .where('reason = :reason', { reason: 'migrated from legacy single-owner field' })\n .execute()\n }\n}\n"]}

package/dist-server/service/domain-owner/domain-owner-mutation.d.ts ADDED Viewed

@@ -0,0 +1,16 @@
+import { DomainOwner } from './domain-owner.js';
+export declare class DomainOwnerMutation {
+    /**
+     * 현재 도메인에 새 owner를 추가한다. 기존 도메인 오너 또는 수퍼유저만 호출 가능.
+     *
+     * 하위 호환: `Domain.owner` 캐시 필드가 비어 있으면 추가된 user를 세팅한다.
+     */
+    addDomainOwner(username: string, context: any, reason?: string): Promise<DomainOwner>;
+    /**
+     * 현재 도메인의 owner를 제거한다.
+     * - 기존 도메인 오너 또는 수퍼유저만 호출 가능
+     * - 마지막 남은 owner는 제거 불가 (최소 1명 유지)
+     * - `Domain.owner` 캐시가 제거되는 user였다면, 남은 owner 중 하나로 재설정
+     */
+    removeDomainOwner(username: string, context: any, _reason?: string): Promise<boolean>;
+}

package/dist-server/service/domain-owner/domain-owner-mutation.js ADDED Viewed

@@ -0,0 +1,151 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DomainOwnerMutation = void 0;
+const tslib_1 = require("tslib");
+const type_graphql_1 = require("type-graphql");
+const shell_1 = require("@things-factory/shell");
+const domain_owner_js_1 = require("./domain-owner.js");
+const user_js_1 = require("../user/user.js");
+let DomainOwnerMutation = class DomainOwnerMutation {
+    /**
+     * 현재 도메인에 새 owner를 추가한다. 기존 도메인 오너 또는 수퍼유저만 호출 가능.
+     *
+     * 하위 호환: `Domain.owner` 캐시 필드가 비어 있으면 추가된 user를 세팅한다.
+     */
+    async addDomainOwner(username, context, reason) {
+        const { domain, user: actor } = context.state;
+        return (0, shell_1.getRepository)(shell_1.Domain).manager.transaction(async (tx) => {
+            const userRepo = tx.getRepository(user_js_1.User);
+            const ownerRepo = tx.getRepository(domain_owner_js_1.DomainOwner);
+            const domainRepo = tx.getRepository(shell_1.Domain);
+            // username 컬럼이 nullable — 사용자는 username 을 가지지 않고
+            // email 만 갖는 경우가 많음. User.get username() 도 `username || email`
+            // 을 리턴하므로 UI 가 email 을 보낼 수 있음. 둘 다 매칭한다.
+            const targetUser = await userRepo
+                .createQueryBuilder('u')
+                .innerJoin('u.domains', 'd')
+                .where('(u.username = :key OR u.email = :key) AND d.id = :domainId', {
+                key: username,
+                domainId: domain.id
+            })
+                .getOne();
+            if (!targetUser) {
+                throw new Error(`User '${username}' is not a member of this domain.`);
+            }
+            const existing = await ownerRepo.findOne({
+                where: { domain: { id: domain.id }, user: { id: targetUser.id } }
+            });
+            if (existing) {
+                throw new Error(`User '${username}' is already an owner of this domain.`);
+            }
+            const entry = ownerRepo.create({
+                domain: { id: domain.id },
+                user: { id: targetUser.id },
+                grantedBy: actor,
+                reason
+            });
+            const saved = await ownerRepo.save(entry);
+            // 하위 호환 캐시: domain.owner가 비어 있으면 세팅
+            if (!domain.owner) {
+                await domainRepo.update(domain.id, { owner: targetUser.id });
+            }
+            // GraphQL 응답을 위해 relations 포함해 재조회.
+            // (save() 반환값은 { user: {id}, grantedBy: actor } 인데 user/grantedBy 의
+            //  non-nullable 필드 email 등이 채워져 있지 않아 직렬화 에러 발생)
+            return ownerRepo.findOneOrFail({
+                where: { id: saved.id },
+                relations: ['user', 'grantedBy', 'domain']
+            });
+        });
+    }
+    /**
+     * 현재 도메인의 owner를 제거한다.
+     * - 기존 도메인 오너 또는 수퍼유저만 호출 가능
+     * - 마지막 남은 owner는 제거 불가 (최소 1명 유지)
+     * - `Domain.owner` 캐시가 제거되는 user였다면, 남은 owner 중 하나로 재설정
+     */
+    async removeDomainOwner(username, context, _reason) {
+        const { domain } = context.state;
+        return (0, shell_1.getRepository)(shell_1.Domain).manager.transaction(async (tx) => {
+            const userRepo = tx.getRepository(user_js_1.User);
+            const ownerRepo = tx.getRepository(domain_owner_js_1.DomainOwner);
+            const domainRepo = tx.getRepository(shell_1.Domain);
+            // username 또는 email 둘 다 허용 — addDomainOwner 와 대칭.
+            const targetUser = await userRepo.findOne({
+                where: [{ username }, { email: username }]
+            });
+            if (!targetUser) {
+                throw new Error(`User '${username}' not found.`);
+            }
+            const entry = await ownerRepo.findOne({
+                where: { domain: { id: domain.id }, user: { id: targetUser.id } }
+            });
+            const hasLegacyOwner = domain.owner === targetUser.id;
+            if (!entry && !hasLegacyOwner) {
+                throw new Error(`User '${username}' is not an owner of this domain.`);
+            }
+            // 마지막 1인 보호: DomainOwner 테이블 기준 count + legacy owner 포함 여부
+            const ownerCount = await ownerRepo
+                .createQueryBuilder('ow')
+                .where('ow.domain_id = :d', { d: domain.id })
+                .getCount();
+            // 남을 owner 수 계산:
+            //   - DomainOwner 테이블에서 제거 대상이 있으면 ownerCount - 1
+            //   - legacy owner가 별도로 있고 DomainOwner에 없다면 +1
+            let remaining = ownerCount;
+            if (entry)
+                remaining -= 1;
+            // legacy owner가 지금 제거 대상과 다른 user라면, 그 user도 하나의 owner로 카운트
+            if (domain.owner && domain.owner !== targetUser.id) {
+                // legacy owner가 DomainOwner 테이블에도 이미 있는지
+                const legacyInTable = await ownerRepo
+                    .createQueryBuilder('ow')
+                    .where('ow.domain_id = :d AND ow.user_id = :u', { d: domain.id, u: domain.owner })
+                    .getExists();
+                if (!legacyInTable)
+                    remaining += 1;
+            }
+            if (remaining < 1) {
+                throw new Error('Cannot remove the last owner of a domain. Add another owner first.');
+            }
+            if (entry) {
+                await ownerRepo.delete(entry.id);
+            }
+            if (hasLegacyOwner) {
+                // 캐시 재설정: 남은 DomainOwner 중 가장 먼저 추가된 사람
+                const next = await ownerRepo
+                    .createQueryBuilder('ow')
+                    .where('ow.domain_id = :d', { d: domain.id })
+                    .orderBy('ow.grantedAt', 'ASC')
+                    .getOne();
+                await domainRepo.update(domain.id, { owner: next?.userId ?? null });
+            }
+            return true;
+        });
+    }
+};
+exports.DomainOwnerMutation = DomainOwnerMutation;
+tslib_1.__decorate([
+    (0, type_graphql_1.Directive)('@privilege(domainOwnerGranted: true, superUserGranted: true)'),
+    (0, type_graphql_1.Mutation)(returns => domain_owner_js_1.DomainOwner, { description: 'Add a user as owner of the current domain.' }),
+    tslib_1.__param(0, (0, type_graphql_1.Arg)('username')),
+    tslib_1.__param(1, (0, type_graphql_1.Ctx)()),
+    tslib_1.__param(2, (0, type_graphql_1.Arg)('reason', { nullable: true })),
+    tslib_1.__metadata("design:type", Function),
+    tslib_1.__metadata("design:paramtypes", [String, Object, String]),
+    tslib_1.__metadata("design:returntype", Promise)
+], DomainOwnerMutation.prototype, "addDomainOwner", null);
+tslib_1.__decorate([
+    (0, type_graphql_1.Directive)('@privilege(domainOwnerGranted: true, superUserGranted: true)'),
+    (0, type_graphql_1.Mutation)(returns => Boolean, { description: 'Remove a user from the owners of the current domain.' }),
+    tslib_1.__param(0, (0, type_graphql_1.Arg)('username')),
+    tslib_1.__param(1, (0, type_graphql_1.Ctx)()),
+    tslib_1.__param(2, (0, type_graphql_1.Arg)('reason', { nullable: true })),
+    tslib_1.__metadata("design:type", Function),
+    tslib_1.__metadata("design:paramtypes", [String, Object, String]),
+    tslib_1.__metadata("design:returntype", Promise)
+], DomainOwnerMutation.prototype, "removeDomainOwner", null);
+exports.DomainOwnerMutation = DomainOwnerMutation = tslib_1.__decorate([
+    (0, type_graphql_1.Resolver)(of => domain_owner_js_1.DomainOwner)
+], DomainOwnerMutation);
+//# sourceMappingURL=domain-owner-mutation.js.map

package/dist-server/service/domain-owner/domain-owner-mutation.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"domain-owner-mutation.js","sourceRoot":"","sources":["../../../server/service/domain-owner/domain-owner-mutation.ts"],"names":[],"mappings":";;;;AAAA,+CAAsE;AACtE,iDAA6D;AAE7D,uDAA+C;AAC/C,6CAAsC;AAG/B,IAAM,mBAAmB,GAAzB,MAAM,mBAAmB;IAC9B;;;;OAIG;IAGG,AAAN,KAAK,CAAC,cAAc,CACD,QAAgB,EAC1B,OAAY,EACgB,MAAe;QAElD,MAAM,EAAE,MAAM,EAAE,IAAI,EAAE,KAAK,EAAE,GAAG,OAAO,CAAC,KAAK,CAAA;QAE7C,OAAQ,IAAA,qBAAa,EAAC,cAAM,CAAS,CAAC,OAAO,CAAC,WAAW,CAAC,KAAK,EAAE,EAAO,EAAE,EAAE;YAC1E,MAAM,QAAQ,GAAG,EAAE,CAAC,aAAa,CAAC,cAAI,CAAC,CAAA;YACvC,MAAM,SAAS,GAAG,EAAE,CAAC,aAAa,CAAC,6BAAW,CAAC,CAAA;YAC/C,MAAM,UAAU,GAAG,EAAE,CAAC,aAAa,CAAC,cAAM,CAAC,CAAA;YAE3C,iDAAiD;YACjD,+DAA+D;YAC/D,0CAA0C;YAC1C,MAAM,UAAU,GAAG,MAAM,QAAQ;iBAC9B,kBAAkB,CAAC,GAAG,CAAC;iBACvB,SAAS,CAAC,WAAW,EAAE,GAAG,CAAC;iBAC3B,KAAK,CAAC,4DAA4D,EAAE;gBACnE,GAAG,EAAE,QAAQ;gBACb,QAAQ,EAAE,MAAM,CAAC,EAAE;aACpB,CAAC;iBACD,MAAM,EAAE,CAAA;YACX,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,MAAM,IAAI,KAAK,CAAC,SAAS,QAAQ,mCAAmC,CAAC,CAAA;YACvE,CAAC;YAED,MAAM,QAAQ,GAAG,MAAM,SAAS,CAAC,OAAO,CAAC;gBACvC,KAAK,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,EAAE,MAAM,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,EAAE,UAAU,CAAC,EAAE,EAAE,EAAE;aAClE,CAAC,CAAA;YACF,IAAI,QAAQ,EAAE,CAAC;gBACb,MAAM,IAAI,KAAK,CAAC,SAAS,QAAQ,uCAAuC,CAAC,CAAA;YAC3E,CAAC;YAED,MAAM,KAAK,GAAG,SAAS,CAAC,MAAM,CAAC;gBAC7B,MAAM,EAAE,EAAE,EAAE,EAAE,MAAM,CAAC,EAAE,EAAY;gBACnC,IAAI,EAAE,EAAE,EAAE,EAAE,UAAU,CAAC,EAAE,EAAU;gBACnC,SAAS,EAAE,KAAK;gBAChB,MAAM;aACP,CAAC,CAAA;YACF,MAAM,KAAK,GAAG,MAAM,SAAS,CAAC,IAAI,CAAC,KAAK,CAAC,CAAA;YAEzC,oCAAoC;YACpC,IAAI,CAAC,MAAM,CAAC,KAAK,EAAE,CAAC;gBAClB,MAAM,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,UAAU,CAAC,EAAE,EAAE,CAAC,CAAA;YAC9D,CAAC;YAED,oCAAoC;YACpC,oEAAoE;YACpE,iDAAiD;YACjD,OAAO,SAAS,CAAC,aAAa,CAAC;gBAC7B,KAAK,EAAE,EAAE,EAAE,EAAE,KAAK,CAAC,EAAE,EAAE;gBACvB,SAAS,EAAE,CAAC,MAAM,EAAE,WAAW,EAAE,QAAQ,CAAC;aAC3C,CAAC,CAAA;QACJ,CAAC,CAAC,CAAA;IACJ,CAAC;IAED;;;;;OAKG;IAGG,AAAN,KAAK,CAAC,iBAAiB,CACJ,QAAgB,EAC1B,OAAY,EACgB,OAAgB;QAEnD,MAAM,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,KAAK,CAAA;QAEhC,OAAQ,IAAA,qBAAa,EAAC,cAAM,CAAS,CAAC,OAAO,CAAC,WAAW,CAAC,KAAK,EAAE,EAAO,EAAE,EAAE;YAC1E,MAAM,QAAQ,GAAG,EAAE,CAAC,aAAa,CAAC,cAAI,CAAC,CAAA;YACvC,MAAM,SAAS,GAAG,EAAE,CAAC,aAAa,CAAC,6BAAW,CAAC,CAAA;YAC/C,MAAM,UAAU,GAAG,EAAE,CAAC,aAAa,CAAC,cAAM,CAAC,CAAA;YAE3C,kDAAkD;YAClD,MAAM,UAAU,GAAG,MAAM,QAAQ,CAAC,OAAO,CAAC;gBACxC,KAAK,EAAE,CAAC,EAAE,QAAQ,EAAE,EAAE,EAAE,KAAK,EAAE,QAAQ,EAAE,CAAC;aAC3C,CAAC,CAAA;YACF,IAAI,CAAC,UAAU,EAAE,CAAC;gBAChB,MAAM,IAAI,KAAK,CAAC,SAAS,QAAQ,cAAc,CAAC,CAAA;YAClD,CAAC;YAED,MAAM,KAAK,GAAG,MAAM,SAAS,CAAC,OAAO,CAAC;gBACpC,KAAK,EAAE,EAAE,MAAM,EAAE,EAAE,EAAE,EAAE,MAAM,CAAC,EAAE,EAAE,EAAE,IAAI,EAAE,EAAE,EAAE,EAAE,UAAU,CAAC,EAAE,EAAE,EAAE;aAClE,CAAC,CAAA;YACF,MAAM,cAAc,GAAG,MAAM,CAAC,KAAK,KAAK,UAAU,CAAC,EAAE,CAAA;YAErD,IAAI,CAAC,KAAK,IAAI,CAAC,cAAc,EAAE,CAAC;gBAC9B,MAAM,IAAI,KAAK,CAAC,SAAS,QAAQ,mCAAmC,CAAC,CAAA;YACvE,CAAC;YAED,2DAA2D;YAC3D,MAAM,UAAU,GAAG,MAAM,SAAS;iBAC/B,kBAAkB,CAAC,IAAI,CAAC;iBACxB,KAAK,CAAC,mBAAmB,EAAE,EAAE,CAAC,EAAE,MAAM,CAAC,EAAE,EAAE,CAAC;iBAC5C,QAAQ,EAAE,CAAA;YAEb,iBAAiB;YACjB,kDAAkD;YAClD,+CAA+C;YAC/C,IAAI,SAAS,GAAG,UAAU,CAAA;YAC1B,IAAI,KAAK;gBAAE,SAAS,IAAI,CAAC,CAAA;YACzB,4DAA4D;YAC5D,IAAI,MAAM,CAAC,KAAK,IAAI,MAAM,CAAC,KAAK,KAAK,UAAU,CAAC,EAAE,EAAE,CAAC;gBACnD,yCAAyC;gBACzC,MAAM,aAAa,GAAG,MAAM,SAAS;qBAClC,kBAAkB,CAAC,IAAI,CAAC;qBACxB,KAAK,CAAC,uCAAuC,EAAE,EAAE,CAAC,EAAE,MAAM,CAAC,EAAE,EAAE,CAAC,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC;qBACjF,SAAS,EAAE,CAAA;gBACd,IAAI,CAAC,aAAa;oBAAE,SAAS,IAAI,CAAC,CAAA;YACpC,CAAC;YAED,IAAI,SAAS,GAAG,CAAC,EAAE,CAAC;gBAClB,MAAM,IAAI,KAAK,CACb,oEAAoE,CACrE,CAAA;YACH,CAAC;YAED,IAAI,KAAK,EAAE,CAAC;gBACV,MAAM,SAAS,CAAC,MAAM,CAAC,KAAK,CAAC,EAAE,CAAC,CAAA;YAClC,CAAC;YAED,IAAI,cAAc,EAAE,CAAC;gBACnB,wCAAwC;gBACxC,MAAM,IAAI,GAAG,MAAM,SAAS;qBACzB,kBAAkB,CAAC,IAAI,CAAC;qBACxB,KAAK,CAAC,mBAAmB,EAAE,EAAE,CAAC,EAAE,MAAM,CAAC,EAAE,EAAE,CAAC;qBAC5C,OAAO,CAAC,cAAc,EAAE,KAAK,CAAC;qBAC9B,MAAM,EAAE,CAAA;gBACX,MAAM,UAAU,CAAC,MAAM,CAAC,MAAM,CAAC,EAAE,EAAE,EAAE,KAAK,EAAE,IAAI,EAAE,MAAM,IAAI,IAAI,EAAE,CAAC,CAAA;YACrE,CAAC;YAED,OAAO,IAAI,CAAA;QACb,CAAC,CAAC,CAAA;IACJ,CAAC;CACF,CAAA;AAlJY,kDAAmB;AAQxB;IAFL,IAAA,wBAAS,EAAC,8DAA8D,CAAC;IACzE,IAAA,uBAAQ,EAAC,OAAO,CAAC,EAAE,CAAC,6BAAW,EAAE,EAAE,WAAW,EAAE,4CAA4C,EAAE,CAAC;IAE7F,mBAAA,IAAA,kBAAG,EAAC,UAAU,CAAC,CAAA;IACf,mBAAA,IAAA,kBAAG,GAAE,CAAA;IACL,mBAAA,IAAA,kBAAG,EAAC,QAAQ,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAA;;;;yDAoDnC;AAUK;IAFL,IAAA,wBAAS,EAAC,8DAA8D,CAAC;IACzE,IAAA,uBAAQ,EAAC,OAAO,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,WAAW,EAAE,sDAAsD,EAAE,CAAC;IAEnG,mBAAA,IAAA,kBAAG,EAAC,UAAU,CAAC,CAAA;IACf,mBAAA,IAAA,kBAAG,GAAE,CAAA;IACL,mBAAA,IAAA,kBAAG,EAAC,QAAQ,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC,CAAA;;;;4DAqEnC;8BAjJU,mBAAmB;IAD/B,IAAA,uBAAQ,EAAC,EAAE,CAAC,EAAE,CAAC,6BAAW,CAAC;GACf,mBAAmB,CAkJ/B","sourcesContent":["import { Resolver, Mutation, Arg, Ctx, Directive } from 'type-graphql'\nimport { Domain, getRepository } from '@things-factory/shell'\n\nimport { DomainOwner } from './domain-owner.js'\nimport { User } from '../user/user.js'\n\n@Resolver(of => DomainOwner)\nexport class DomainOwnerMutation {\n /**\n * 현재 도메인에 새 owner를 추가한다. 기존 도메인 오너 또는 수퍼유저만 호출 가능.\n *\n * 하위 호환: `Domain.owner` 캐시 필드가 비어 있으면 추가된 user를 세팅한다.\n */\n @Directive('@privilege(domainOwnerGranted: true, superUserGranted: true)')\n @Mutation(returns => DomainOwner, { description: 'Add a user as owner of the current domain.' })\n async addDomainOwner(\n @Arg('username') username: string,\n @Ctx() context: any,\n @Arg('reason', { nullable: true }) reason?: string\n ): Promise<DomainOwner> {\n const { domain, user: actor } = context.state\n\n return (getRepository(Domain) as any).manager.transaction(async (tx: any) => {\n const userRepo = tx.getRepository(User)\n const ownerRepo = tx.getRepository(DomainOwner)\n const domainRepo = tx.getRepository(Domain)\n\n // username 컬럼이 nullable — 사용자는 username 을 가지지 않고\n // email 만 갖는 경우가 많음. User.get username() 도 `username || email`\n // 을 리턴하므로 UI 가 email 을 보낼 수 있음. 둘 다 매칭한다.\n const targetUser = await userRepo\n .createQueryBuilder('u')\n .innerJoin('u.domains', 'd')\n .where('(u.username = :key OR u.email = :key) AND d.id = :domainId', {\n key: username,\n domainId: domain.id\n })\n .getOne()\n if (!targetUser) {\n throw new Error(`User '${username}' is not a member of this domain.`)\n }\n\n const existing = await ownerRepo.findOne({\n where: { domain: { id: domain.id }, user: { id: targetUser.id } }\n })\n if (existing) {\n throw new Error(`User '${username}' is already an owner of this domain.`)\n }\n\n const entry = ownerRepo.create({\n domain: { id: domain.id } as Domain,\n user: { id: targetUser.id } as User,\n grantedBy: actor,\n reason\n })\n const saved = await ownerRepo.save(entry)\n\n // 하위 호환 캐시: domain.owner가 비어 있으면 세팅\n if (!domain.owner) {\n await domainRepo.update(domain.id, { owner: targetUser.id })\n }\n\n // GraphQL 응답을 위해 relations 포함해 재조회.\n // (save() 반환값은 { user: {id}, grantedBy: actor } 인데 user/grantedBy 의\n // non-nullable 필드 email 등이 채워져 있지 않아 직렬화 에러 발생)\n return ownerRepo.findOneOrFail({\n where: { id: saved.id },\n relations: ['user', 'grantedBy', 'domain']\n })\n })\n }\n\n /**\n * 현재 도메인의 owner를 제거한다.\n * - 기존 도메인 오너 또는 수퍼유저만 호출 가능\n * - 마지막 남은 owner는 제거 불가 (최소 1명 유지)\n * - `Domain.owner` 캐시가 제거되는 user였다면, 남은 owner 중 하나로 재설정\n */\n @Directive('@privilege(domainOwnerGranted: true, superUserGranted: true)')\n @Mutation(returns => Boolean, { description: 'Remove a user from the owners of the current domain.' })\n async removeDomainOwner(\n @Arg('username') username: string,\n @Ctx() context: any,\n @Arg('reason', { nullable: true }) _reason?: string\n ): Promise<boolean> {\n const { domain } = context.state\n\n return (getRepository(Domain) as any).manager.transaction(async (tx: any) => {\n const userRepo = tx.getRepository(User)\n const ownerRepo = tx.getRepository(DomainOwner)\n const domainRepo = tx.getRepository(Domain)\n\n // username 또는 email 둘 다 허용 — addDomainOwner 와 대칭.\n const targetUser = await userRepo.findOne({\n where: [{ username }, { email: username }]\n })\n if (!targetUser) {\n throw new Error(`User '${username}' not found.`)\n }\n\n const entry = await ownerRepo.findOne({\n where: { domain: { id: domain.id }, user: { id: targetUser.id } }\n })\n const hasLegacyOwner = domain.owner === targetUser.id\n\n if (!entry && !hasLegacyOwner) {\n throw new Error(`User '${username}' is not an owner of this domain.`)\n }\n\n // 마지막 1인 보호: DomainOwner 테이블 기준 count + legacy owner 포함 여부\n const ownerCount = await ownerRepo\n .createQueryBuilder('ow')\n .where('ow.domain_id = :d', { d: domain.id })\n .getCount()\n\n // 남을 owner 수 계산:\n // - DomainOwner 테이블에서 제거 대상이 있으면 ownerCount - 1\n // - legacy owner가 별도로 있고 DomainOwner에 없다면 +1\n let remaining = ownerCount\n if (entry) remaining -= 1\n // legacy owner가 지금 제거 대상과 다른 user라면, 그 user도 하나의 owner로 카운트\n if (domain.owner && domain.owner !== targetUser.id) {\n // legacy owner가 DomainOwner 테이블에도 이미 있는지\n const legacyInTable = await ownerRepo\n .createQueryBuilder('ow')\n .where('ow.domain_id = :d AND ow.user_id = :u', { d: domain.id, u: domain.owner })\n .getExists()\n if (!legacyInTable) remaining += 1\n }\n\n if (remaining < 1) {\n throw new Error(\n 'Cannot remove the last owner of a domain. Add another owner first.'\n )\n }\n\n if (entry) {\n await ownerRepo.delete(entry.id)\n }\n\n if (hasLegacyOwner) {\n // 캐시 재설정: 남은 DomainOwner 중 가장 먼저 추가된 사람\n const next = await ownerRepo\n .createQueryBuilder('ow')\n .where('ow.domain_id = :d', { d: domain.id })\n .orderBy('ow.grantedAt', 'ASC')\n .getOne()\n await domainRepo.update(domain.id, { owner: next?.userId ?? null })\n }\n\n return true\n })\n }\n}\n"]}

package/dist-server/service/domain-owner/domain-owner-query.d.ts ADDED Viewed

@@ -0,0 +1,12 @@
+import { DomainOwner } from './domain-owner.js';
+export declare class DomainOwnerQuery {
+    /**
+     * 현재 도메인의 owner 목록 조회 — **도메인 오너 또는 수퍼유저만** 가능.
+     * 오너 구성은 관리 정보라 비공개가 기본.
+     */
+    domainOwners(context: any): Promise<DomainOwner[]>;
+    /**
+     * 특정 user가 현재 도메인의 owner인지 확인 — 도메인 오너 또는 수퍼유저만.
+     */
+    isDomainOwner(username: string, context: any): Promise<boolean>;
+}

package/dist-server/service/domain-owner/domain-owner-query.js ADDED Viewed

@@ -0,0 +1,70 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DomainOwnerQuery = void 0;
+const tslib_1 = require("tslib");
+const type_graphql_1 = require("type-graphql");
+const shell_1 = require("@things-factory/shell");
+const domain_owner_js_1 = require("./domain-owner.js");
+const user_js_1 = require("../user/user.js");
+let DomainOwnerQuery = class DomainOwnerQuery {
+    /**
+     * 현재 도메인의 owner 목록 조회 — **도메인 오너 또는 수퍼유저만** 가능.
+     * 오너 구성은 관리 정보라 비공개가 기본.
+     */
+    async domainOwners(context) {
+        const { domain } = context.state;
+        return (0, shell_1.getRepository)(domain_owner_js_1.DomainOwner)
+            .createQueryBuilder('ow')
+            .leftJoinAndSelect('ow.user', 'user')
+            .leftJoinAndSelect('ow.grantedBy', 'grantedBy')
+            .where('ow.domain_id = :domainId', { domainId: domain.id })
+            .orderBy('ow.grantedAt', 'ASC')
+            .getMany();
+    }
+    /**
+     * 특정 user가 현재 도메인의 owner인지 확인 — 도메인 오너 또는 수퍼유저만.
+     */
+    async isDomainOwner(username, context) {
+        const { domain } = context.state;
+        // username 또는 email 둘 다 허용 (username 컬럼이 nullable 이라 email 만
+        // 세팅된 사용자도 있음).
+        const user = await (0, shell_1.getRepository)(user_js_1.User).findOne({
+            where: [
+                { username, domains: { id: domain.id } },
+                { email: username, domains: { id: domain.id } }
+            ]
+        });
+        if (!user)
+            return false;
+        // Domain.owner 캐시 또는 DomainOwner 테이블 둘 다 확인
+        if (domain.owner === user.id)
+            return true;
+        const exists = await (0, shell_1.getRepository)(domain_owner_js_1.DomainOwner)
+            .createQueryBuilder('ow')
+            .where('ow.domain_id = :d AND ow.user_id = :u', { d: domain.id, u: user.id })
+            .getExists();
+        return exists;
+    }
+};
+exports.DomainOwnerQuery = DomainOwnerQuery;
+tslib_1.__decorate([
+    (0, type_graphql_1.Directive)('@privilege(domainOwnerGranted: true, superUserGranted: true)'),
+    (0, type_graphql_1.Query)(returns => [domain_owner_js_1.DomainOwner], { description: 'List owners of the current domain.' }),
+    tslib_1.__param(0, (0, type_graphql_1.Ctx)()),
+    tslib_1.__metadata("design:type", Function),
+    tslib_1.__metadata("design:paramtypes", [Object]),
+    tslib_1.__metadata("design:returntype", Promise)
+], DomainOwnerQuery.prototype, "domainOwners", null);
+tslib_1.__decorate([
+    (0, type_graphql_1.Directive)('@privilege(domainOwnerGranted: true, superUserGranted: true)'),
+    (0, type_graphql_1.Query)(returns => Boolean, { description: 'Check if a user is an owner of the current domain.' }),
+    tslib_1.__param(0, (0, type_graphql_1.Arg)('username')),
+    tslib_1.__param(1, (0, type_graphql_1.Ctx)()),
+    tslib_1.__metadata("design:type", Function),
+    tslib_1.__metadata("design:paramtypes", [String, Object]),
+    tslib_1.__metadata("design:returntype", Promise)
+], DomainOwnerQuery.prototype, "isDomainOwner", null);
+exports.DomainOwnerQuery = DomainOwnerQuery = tslib_1.__decorate([
+    (0, type_graphql_1.Resolver)(of => domain_owner_js_1.DomainOwner)
+], DomainOwnerQuery);
+//# sourceMappingURL=domain-owner-query.js.map

package/dist-server/service/domain-owner/domain-owner-query.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"domain-owner-query.js","sourceRoot":"","sources":["../../../server/service/domain-owner/domain-owner-query.ts"],"names":[],"mappings":";;;;AAAA,+CAAmE;AACnE,iDAA6D;AAE7D,uDAA+C;AAC/C,6CAAsC;AAG/B,IAAM,gBAAgB,GAAtB,MAAM,gBAAgB;IAC3B;;;OAGG;IAGG,AAAN,KAAK,CAAC,YAAY,CAAQ,OAAY;QACpC,MAAM,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,KAAK,CAAA;QAEhC,OAAO,IAAA,qBAAa,EAAC,6BAAW,CAAC;aAC9B,kBAAkB,CAAC,IAAI,CAAC;aACxB,iBAAiB,CAAC,SAAS,EAAE,MAAM,CAAC;aACpC,iBAAiB,CAAC,cAAc,EAAE,WAAW,CAAC;aAC9C,KAAK,CAAC,0BAA0B,EAAE,EAAE,QAAQ,EAAE,MAAM,CAAC,EAAE,EAAE,CAAC;aAC1D,OAAO,CAAC,cAAc,EAAE,KAAK,CAAC;aAC9B,OAAO,EAAE,CAAA;IACd,CAAC;IAED;;OAEG;IAGG,AAAN,KAAK,CAAC,aAAa,CACA,QAAgB,EAC1B,OAAY;QAEnB,MAAM,EAAE,MAAM,EAAE,GAAG,OAAO,CAAC,KAAK,CAAA;QAEhC,6DAA6D;QAC7D,gBAAgB;QAChB,MAAM,IAAI,GAAG,MAAM,IAAA,qBAAa,EAAC,cAAI,CAAC,CAAC,OAAO,CAAC;YAC7C,KAAK,EAAE;gBACL,EAAE,QAAQ,EAAE,OAAO,EAAE,EAAE,EAAE,EAAE,MAAM,CAAC,EAAE,EAAE,EAAE;gBACxC,EAAE,KAAK,EAAE,QAAQ,EAAE,OAAO,EAAE,EAAE,EAAE,EAAE,MAAM,CAAC,EAAE,EAAE,EAAE;aAChD;SACF,CAAC,CAAA;QACF,IAAI,CAAC,IAAI;YAAE,OAAO,KAAK,CAAA;QAEvB,4CAA4C;QAC5C,IAAI,MAAM,CAAC,KAAK,KAAK,IAAI,CAAC,EAAE;YAAE,OAAO,IAAI,CAAA;QAEzC,MAAM,MAAM,GAAG,MAAM,IAAA,qBAAa,EAAC,6BAAW,CAAC;aAC5C,kBAAkB,CAAC,IAAI,CAAC;aACxB,KAAK,CAAC,uCAAuC,EAAE,EAAE,CAAC,EAAE,MAAM,CAAC,EAAE,EAAE,CAAC,EAAE,IAAI,CAAC,EAAE,EAAE,CAAC;aAC5E,SAAS,EAAE,CAAA;QACd,OAAO,MAAM,CAAA;IACf,CAAC;CACF,CAAA;AAjDY,4CAAgB;AAOrB;IAFL,IAAA,wBAAS,EAAC,8DAA8D,CAAC;IACzE,IAAA,oBAAK,EAAC,OAAO,CAAC,EAAE,CAAC,CAAC,6BAAW,CAAC,EAAE,EAAE,WAAW,EAAE,oCAAoC,EAAE,CAAC;IACnE,mBAAA,IAAA,kBAAG,GAAE,CAAA;;;;oDAUxB;AAOK;IAFL,IAAA,wBAAS,EAAC,8DAA8D,CAAC;IACzE,IAAA,oBAAK,EAAC,OAAO,CAAC,EAAE,CAAC,OAAO,EAAE,EAAE,WAAW,EAAE,oDAAoD,EAAE,CAAC;IAE9F,mBAAA,IAAA,kBAAG,EAAC,UAAU,CAAC,CAAA;IACf,mBAAA,IAAA,kBAAG,GAAE,CAAA;;;;qDAsBP;2BAhDU,gBAAgB;IAD5B,IAAA,uBAAQ,EAAC,EAAE,CAAC,EAAE,CAAC,6BAAW,CAAC;GACf,gBAAgB,CAiD5B","sourcesContent":["import { Resolver, Query, Arg, Ctx, Directive } from 'type-graphql'\nimport { Domain, getRepository } from '@things-factory/shell'\n\nimport { DomainOwner } from './domain-owner.js'\nimport { User } from '../user/user.js'\n\n@Resolver(of => DomainOwner)\nexport class DomainOwnerQuery {\n /**\n * 현재 도메인의 owner 목록 조회 — **도메인 오너 또는 수퍼유저만** 가능.\n * 오너 구성은 관리 정보라 비공개가 기본.\n */\n @Directive('@privilege(domainOwnerGranted: true, superUserGranted: true)')\n @Query(returns => [DomainOwner], { description: 'List owners of the current domain.' })\n async domainOwners(@Ctx() context: any): Promise<DomainOwner[]> {\n const { domain } = context.state\n\n return getRepository(DomainOwner)\n .createQueryBuilder('ow')\n .leftJoinAndSelect('ow.user', 'user')\n .leftJoinAndSelect('ow.grantedBy', 'grantedBy')\n .where('ow.domain_id = :domainId', { domainId: domain.id })\n .orderBy('ow.grantedAt', 'ASC')\n .getMany()\n }\n\n /**\n * 특정 user가 현재 도메인의 owner인지 확인 — 도메인 오너 또는 수퍼유저만.\n */\n @Directive('@privilege(domainOwnerGranted: true, superUserGranted: true)')\n @Query(returns => Boolean, { description: 'Check if a user is an owner of the current domain.' })\n async isDomainOwner(\n @Arg('username') username: string,\n @Ctx() context: any\n ): Promise<boolean> {\n const { domain } = context.state\n\n // username 또는 email 둘 다 허용 (username 컬럼이 nullable 이라 email 만\n // 세팅된 사용자도 있음).\n const user = await getRepository(User).findOne({\n where: [\n { username, domains: { id: domain.id } },\n { email: username, domains: { id: domain.id } }\n ]\n })\n if (!user) return false\n\n // Domain.owner 캐시 또는 DomainOwner 테이블 둘 다 확인\n if (domain.owner === user.id) return true\n\n const exists = await getRepository(DomainOwner)\n .createQueryBuilder('ow')\n .where('ow.domain_id = :d AND ow.user_id = :u', { d: domain.id, u: user.id })\n .getExists()\n return exists\n }\n}\n"]}

package/dist-server/service/domain-owner/domain-owner.d.ts ADDED Viewed

@@ -0,0 +1,29 @@
+import { Domain } from '@things-factory/shell';
+import { User } from '../user/user.js';
+/**
+ * 도메인의 소유자(Owner)를 여러 명 허용하기 위한 join entity.
+ *
+ * 기존 `Domain.owner`(단일 UUID 문자열) 모델의 한계를 해소하고,
+ * 여러 User를 같은 Domain의 owner로 등록 가능하게 한다. 모든 owner는 동등한
+ * 권한을 가진다 (primary 개념 없음).
+ *
+ * `Domain.owner` 컬럼은 하위 호환을 위해 유지되며 "대표 owner 표시용 캐시"로
+ * 활용된다:
+ *   - owner 추가 시, 기존 owner 컬럼이 비어있으면 자동 세팅
+ *   - owner 제거 시, 그 사람이 owner 컬럼이었다면 남은 owners 중 첫 사람으로 재설정
+ * 권위 있는 소유권 정보는 이 테이블이 가지며, `domainOwnerGranted` 권한 체크는
+ * 양쪽을 OR로 확인해 마이그레이션 기간 동안의 안전성을 보장한다.
+ *
+ * User 삭제 시 CASCADE로 소유권 엔트리 자동 해제.
+ */
+export declare class DomainOwner {
+    readonly id: string;
+    domain: Domain;
+    domainId: string;
+    user: User;
+    userId: string;
+    grantedBy: User;
+    grantedById: string;
+    grantedAt: Date;
+    reason: string;
+}

package/dist-server/service/domain-owner/domain-owner.js ADDED Viewed

@@ -0,0 +1,77 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.DomainOwner = void 0;
+const tslib_1 = require("tslib");
+const shell_1 = require("@things-factory/shell");
+const typeorm_1 = require("typeorm");
+const type_graphql_1 = require("type-graphql");
+const user_js_1 = require("../user/user.js");
+/**
+ * 도메인의 소유자(Owner)를 여러 명 허용하기 위한 join entity.
+ *
+ * 기존 `Domain.owner`(단일 UUID 문자열) 모델의 한계를 해소하고,
+ * 여러 User를 같은 Domain의 owner로 등록 가능하게 한다. 모든 owner는 동등한
+ * 권한을 가진다 (primary 개념 없음).
+ *
+ * `Domain.owner` 컬럼은 하위 호환을 위해 유지되며 "대표 owner 표시용 캐시"로
+ * 활용된다:
+ *   - owner 추가 시, 기존 owner 컬럼이 비어있으면 자동 세팅
+ *   - owner 제거 시, 그 사람이 owner 컬럼이었다면 남은 owners 중 첫 사람으로 재설정
+ * 권위 있는 소유권 정보는 이 테이블이 가지며, `domainOwnerGranted` 권한 체크는
+ * 양쪽을 OR로 확인해 마이그레이션 기간 동안의 안전성을 보장한다.
+ *
+ * User 삭제 시 CASCADE로 소유권 엔트리 자동 해제.
+ */
+let DomainOwner = class DomainOwner {
+};
+exports.DomainOwner = DomainOwner;
+tslib_1.__decorate([
+    (0, typeorm_1.PrimaryGeneratedColumn)('uuid'),
+    (0, type_graphql_1.Field)(type => type_graphql_1.ID, { description: 'Unique identifier.' }),
+    tslib_1.__metadata("design:type", String)
+], DomainOwner.prototype, "id", void 0);
+tslib_1.__decorate([
+    (0, typeorm_1.ManyToOne)(type => shell_1.Domain, { onDelete: 'CASCADE' }),
+    (0, typeorm_1.JoinColumn)(),
+    (0, type_graphql_1.Field)(type => shell_1.Domain, { description: 'Domain that the user owns.' }),
+    tslib_1.__metadata("design:type", shell_1.Domain)
+], DomainOwner.prototype, "domain", void 0);
+tslib_1.__decorate([
+    (0, typeorm_1.RelationId)((ow) => ow.domain),
+    tslib_1.__metadata("design:type", String)
+], DomainOwner.prototype, "domainId", void 0);
+tslib_1.__decorate([
+    (0, typeorm_1.ManyToOne)(type => user_js_1.User, { onDelete: 'CASCADE' }),
+    (0, typeorm_1.JoinColumn)(),
+    (0, type_graphql_1.Field)(type => user_js_1.User, { description: 'User who owns the domain.' }),
+    tslib_1.__metadata("design:type", user_js_1.User)
+], DomainOwner.prototype, "user", void 0);
+tslib_1.__decorate([
+    (0, typeorm_1.RelationId)((ow) => ow.user),
+    tslib_1.__metadata("design:type", String)
+], DomainOwner.prototype, "userId", void 0);
+tslib_1.__decorate([
+    (0, typeorm_1.ManyToOne)(type => user_js_1.User, { nullable: true }),
+    (0, type_graphql_1.Field)(type => user_js_1.User, { nullable: true, description: 'User who granted this ownership (audit).' }),
+    tslib_1.__metadata("design:type", user_js_1.User)
+], DomainOwner.prototype, "grantedBy", void 0);
+tslib_1.__decorate([
+    (0, typeorm_1.RelationId)((ow) => ow.grantedBy),
+    tslib_1.__metadata("design:type", String)
+], DomainOwner.prototype, "grantedById", void 0);
+tslib_1.__decorate([
+    (0, typeorm_1.CreateDateColumn)(),
+    (0, type_graphql_1.Field)({ description: 'When the ownership was granted.' }),
+    tslib_1.__metadata("design:type", Date)
+], DomainOwner.prototype, "grantedAt", void 0);
+tslib_1.__decorate([
+    (0, typeorm_1.Column)({ nullable: true }),
+    (0, type_graphql_1.Field)({ nullable: true, description: 'Optional reason/memo for granting ownership.' }),
+    tslib_1.__metadata("design:type", String)
+], DomainOwner.prototype, "reason", void 0);
+exports.DomainOwner = DomainOwner = tslib_1.__decorate([
+    (0, typeorm_1.Entity)(),
+    (0, typeorm_1.Index)('ix_domain_owner_unique', (ow) => [ow.domain, ow.user], { unique: true }),
+    (0, type_graphql_1.ObjectType)({ description: 'An ownership record binding a User to a Domain (multi-owner support).' })
+], DomainOwner);
+//# sourceMappingURL=domain-owner.js.map

package/dist-server/service/domain-owner/domain-owner.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"domain-owner.js","sourceRoot":"","sources":["../../../server/service/domain-owner/domain-owner.ts"],"names":[],"mappings":";;;;AAAA,iDAA8C;AAC9C,qCASgB;AAChB,+CAAoD;AAEpD,6CAAsC;AAEtC;;;;;;;;;;;;;;;GAeG;AAII,IAAM,WAAW,GAAjB,MAAM,WAAW;CAmCvB,CAAA;AAnCY,kCAAW;AAGb;IAFR,IAAA,gCAAsB,EAAC,MAAM,CAAC;IAC9B,IAAA,oBAAK,EAAC,IAAI,CAAC,EAAE,CAAC,iBAAE,EAAE,EAAE,WAAW,EAAE,oBAAoB,EAAE,CAAC;;uCACtC;AAKnB;IAHC,IAAA,mBAAS,EAAC,IAAI,CAAC,EAAE,CAAC,cAAM,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC;IAClD,IAAA,oBAAU,GAAE;IACZ,IAAA,oBAAK,EAAC,IAAI,CAAC,EAAE,CAAC,cAAM,EAAE,EAAE,WAAW,EAAE,4BAA4B,EAAE,CAAC;sCAC7D,cAAM;2CAAA;AAGd;IADC,IAAA,oBAAU,EAAC,CAAC,EAAe,EAAE,EAAE,CAAC,EAAE,CAAC,MAAM,CAAC;;6CAC3B;AAKhB;IAHC,IAAA,mBAAS,EAAC,IAAI,CAAC,EAAE,CAAC,cAAI,EAAE,EAAE,QAAQ,EAAE,SAAS,EAAE,CAAC;IAChD,IAAA,oBAAU,GAAE;IACZ,IAAA,oBAAK,EAAC,IAAI,CAAC,EAAE,CAAC,cAAI,EAAE,EAAE,WAAW,EAAE,2BAA2B,EAAE,CAAC;sCAC5D,cAAI;yCAAA;AAGV;IADC,IAAA,oBAAU,EAAC,CAAC,EAAe,EAAE,EAAE,CAAC,EAAE,CAAC,IAAI,CAAC;;2CAC3B;AAId;IAFC,IAAA,mBAAS,EAAC,IAAI,CAAC,EAAE,CAAC,cAAI,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;IAC3C,IAAA,oBAAK,EAAC,IAAI,CAAC,EAAE,CAAC,cAAI,EAAE,EAAE,QAAQ,EAAE,IAAI,EAAE,WAAW,EAAE,0CAA0C,EAAE,CAAC;sCACtF,cAAI;8CAAA;AAGf;IADC,IAAA,oBAAU,EAAC,CAAC,EAAe,EAAE,EAAE,CAAC,EAAE,CAAC,SAAS,CAAC;;gDAC3B;AAInB;IAFC,IAAA,0BAAgB,GAAE;IAClB,IAAA,oBAAK,EAAC,EAAE,WAAW,EAAE,iCAAiC,EAAE,CAAC;sCAC/C,IAAI;8CAAA;AAIf;IAFC,IAAA,gBAAM,EAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,CAAC;IAC1B,IAAA,oBAAK,EAAC,EAAE,QAAQ,EAAE,IAAI,EAAE,WAAW,EAAE,8CAA8C,EAAE,CAAC;;2CACzE;sBAlCH,WAAW;IAHvB,IAAA,gBAAM,GAAE;IACR,IAAA,eAAK,EAAC,wBAAwB,EAAE,CAAC,EAAe,EAAE,EAAE,CAAC,CAAC,EAAE,CAAC,MAAM,EAAE,EAAE,CAAC,IAAI,CAAC,EAAE,EAAE,MAAM,EAAE,IAAI,EAAE,CAAC;IAC5F,IAAA,yBAAU,EAAC,EAAE,WAAW,EAAE,uEAAuE,EAAE,CAAC;GACxF,WAAW,CAmCvB","sourcesContent":["import { Domain } from '@things-factory/shell'\nimport {\n Column,\n CreateDateColumn,\n Entity,\n Index,\n JoinColumn,\n ManyToOne,\n PrimaryGeneratedColumn,\n RelationId\n} from 'typeorm'\nimport { ObjectType, Field, ID } from 'type-graphql'\n\nimport { User } from '../user/user.js'\n\n/**\n * 도메인의 소유자(Owner)를 여러 명 허용하기 위한 join entity.\n *\n * 기존 `Domain.owner`(단일 UUID 문자열) 모델의 한계를 해소하고,\n * 여러 User를 같은 Domain의 owner로 등록 가능하게 한다. 모든 owner는 동등한\n * 권한을 가진다 (primary 개념 없음).\n *\n * `Domain.owner` 컬럼은 하위 호환을 위해 유지되며 \"대표 owner 표시용 캐시\"로\n * 활용된다:\n * - owner 추가 시, 기존 owner 컬럼이 비어있으면 자동 세팅\n * - owner 제거 시, 그 사람이 owner 컬럼이었다면 남은 owners 중 첫 사람으로 재설정\n * 권위 있는 소유권 정보는 이 테이블이 가지며, `domainOwnerGranted` 권한 체크는\n * 양쪽을 OR로 확인해 마이그레이션 기간 동안의 안전성을 보장한다.\n *\n * User 삭제 시 CASCADE로 소유권 엔트리 자동 해제.\n */\n@Entity()\n@Index('ix_domain_owner_unique', (ow: DomainOwner) => [ow.domain, ow.user], { unique: true })\n@ObjectType({ description: 'An ownership record binding a User to a Domain (multi-owner support).' })\nexport class DomainOwner {\n @PrimaryGeneratedColumn('uuid')\n @Field(type => ID, { description: 'Unique identifier.' })\n readonly id: string\n\n @ManyToOne(type => Domain, { onDelete: 'CASCADE' })\n @JoinColumn()\n @Field(type => Domain, { description: 'Domain that the user owns.' })\n domain: Domain\n\n @RelationId((ow: DomainOwner) => ow.domain)\n domainId: string\n\n @ManyToOne(type => User, { onDelete: 'CASCADE' })\n @JoinColumn()\n @Field(type => User, { description: 'User who owns the domain.' })\n user: User\n\n @RelationId((ow: DomainOwner) => ow.user)\n userId: string\n\n @ManyToOne(type => User, { nullable: true })\n @Field(type => User, { nullable: true, description: 'User who granted this ownership (audit).' })\n grantedBy: User\n\n @RelationId((ow: DomainOwner) => ow.grantedBy)\n grantedById: string\n\n @CreateDateColumn()\n @Field({ description: 'When the ownership was granted.' })\n grantedAt: Date\n\n @Column({ nullable: true })\n @Field({ nullable: true, description: 'Optional reason/memo for granting ownership.' })\n reason: string\n}\n"]}

package/dist-server/service/domain-owner/index.d.ts ADDED Viewed

@@ -0,0 +1,5 @@
+import { DomainOwner } from './domain-owner.js';
+import { DomainOwnerQuery } from './domain-owner-query.js';
+import { DomainOwnerMutation } from './domain-owner-mutation.js';
+export declare const entities: (typeof DomainOwner)[];
+export declare const resolvers: (typeof DomainOwnerQuery | typeof DomainOwnerMutation)[];

package/dist-server/service/domain-owner/index.js ADDED Viewed

@@ -0,0 +1,9 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.resolvers = exports.entities = void 0;
+const domain_owner_js_1 = require("./domain-owner.js");
+const domain_owner_query_js_1 = require("./domain-owner-query.js");
+const domain_owner_mutation_js_1 = require("./domain-owner-mutation.js");
+exports.entities = [domain_owner_js_1.DomainOwner];
+exports.resolvers = [domain_owner_query_js_1.DomainOwnerQuery, domain_owner_mutation_js_1.DomainOwnerMutation];
+//# sourceMappingURL=index.js.map

package/dist-server/service/domain-owner/index.js.map ADDED Viewed

@@ -0,0 +1 @@

+ {"version":3,"file":"index.js","sourceRoot":"","sources":["../../../server/service/domain-owner/index.ts"],"names":[],"mappings":";;;AAAA,uDAA+C;AAC/C,mEAA0D;AAC1D,yEAAgE;AAEnD,QAAA,QAAQ,GAAG,CAAC,6BAAW,CAAC,CAAA;AACxB,QAAA,SAAS,GAAG,CAAC,wCAAgB,EAAE,8CAAmB,CAAC,CAAA","sourcesContent":["import { DomainOwner } from './domain-owner.js'\nimport { DomainOwnerQuery } from './domain-owner-query.js'\nimport { DomainOwnerMutation } from './domain-owner-mutation.js'\n\nexport const entities = [DomainOwner]\nexport const resolvers = [DomainOwnerQuery, DomainOwnerMutation]\n"]}

package/dist-server/service/index.d.ts CHANGED Viewed

@@ -14,6 +14,7 @@ export * from './verification-token/verification-token.js';
 export * from './login-history/login-history.js';
 export * from './web-auth-credential/web-auth-credential.js';
 export * from './domain-link/domain-link.js';
+export * from './domain-owner/domain-owner.js';
 export * from './app-binding/app-binding-types.js';
 export * from './appliance/appliance-types.js';
 export * from './application/application-types.js';
@@ -24,7 +25,7 @@ export * from './privilege/privilege-types.js';
 export * from './role/role-types.js';
 export * from './user/user-types.js';
 export * from './domain-link/domain-link-types.js';
-export declare const entities: (typeof import("./web-auth-credential/web-auth-credential.js").WebAuthCredential | typeof import("./user/user.js").User | typeof import("./auth-provider/auth-provider.js").AuthProvider | typeof import("./users-auth-providers/users-auth-providers.js").UsersAuthProviders | typeof import("./role/role.js").Role | typeof import("./privilege/privilege.js").Privilege | typeof import("./verification-token/verification-token.js").VerificationToken | typeof import("./verification-token/verification-token.js").VerificationTokenType | typeof import("./password-history/password-history.js").PasswordHistory | typeof import("./invitation/invitation.js").Invitation | typeof import("./application/application.js").Application | typeof import("./login-history/login-history.js").LoginHistory | typeof import("./appliance/appliance.js").Appliance | typeof import("./granted-role/granted-role.js").GrantedRole | typeof import("./partner/partner.js").Partner | typeof import("./domain-link/domain-link.js").DomainLink)[];
+export declare const entities: (typeof import("./domain-owner/domain-owner.js").DomainOwner | typeof import("./user/user.js").User | typeof import("./users-auth-providers/users-auth-providers.js").UsersAuthProviders | typeof import("./auth-provider/auth-provider.js").AuthProvider | typeof import("./application/application.js").Application | typeof import("./appliance/appliance.js").Appliance | typeof import("./privilege/privilege.js").Privilege | typeof import("./role/role.js").Role | typeof import("./partner/partner.js").Partner | typeof import("./granted-role/granted-role.js").GrantedRole | typeof import("./invitation/invitation.js").Invitation | typeof import("./password-history/password-history.js").PasswordHistory | typeof import("./verification-token/verification-token.js").VerificationToken | typeof import("./verification-token/verification-token.js").VerificationTokenType | typeof import("./login-history/login-history.js").LoginHistory | typeof import("./web-auth-credential/web-auth-credential.js").WebAuthCredential | typeof import("./domain-link/domain-link.js").DomainLink)[];
 export declare const schema: {
     typeDefs: {
         privilegeDirectiveTypeDefs: import("graphql").DocumentNode;