@things-factory/auth-base 8.0.0-alpha.28 → 8.0.0-alpha.35

package/server/service/user/user-mutation.ts

@@ -1,6 +1,6 @@
 import { Arg, Ctx, Directive, Mutation, Resolver } from 'type-graphql'
 import { GraphQLEmailAddress } from 'graphql-scalars'
-import { ILike, In, SelectQueryBuilder } from 'typeorm'
+import { ILike, In, SelectQueryBuilder, EntityManager } from 'typeorm'
 
 import { config } from '@things-factory/env'
 import { Domain, getRepository, ObjectRef } from '@things-factory/shell'
@@ -10,6 +10,7 @@ import { buildDomainUsersQueryBuilder } from '../../utils/get-domain-users'
 import { Role } from '../role/role'
 import { User, UserStatus } from './user'
 import { NewUser, UserPatch } from './user-types'
+import { USERNAME_ALREADY_EXISTS, EMAIL_ALREADY_EXISTS } from '../../constants/error-code'
 
 @Resolver(User)
 export class UserMutation {
@@ -17,19 +18,29 @@ export class UserMutation {
   @Directive('@transaction')
   @Mutation(returns => User, { description: 'To create new user' })
   async createUser(@Arg('user') user: NewUser, @Ctx() context: ResolverContext) {
-    const { domain } = context.state
+    const { domain, tx } = context.state
     const { defaultPassword } = config.get('password')
-    const { email } = user
+    const { username, email } = user
+    const userRepository = getRepository(User, tx)
 
+    user.username = username.trim()
     user.email = email.trim()
 
-    const oldUser: User = await getRepository(User).findOne({ where: { email: ILike(user.email) } })
-    if (oldUser) {
-      throw new Error(context.t('error.x already exists in y', { x: context.t('field.user'), y: 'operato' }))
+    if (await userRepository.findOne({ where: { username: user.username } })) {
+      throw new Error(context.t(USERNAME_ALREADY_EXISTS))
+    }
+
+    if (await userRepository.findOne({ where: { email: ILike(user.email) } })) {
+      throw new Error(context.t(EMAIL_ALREADY_EXISTS))
     }
 
     if (!user.password && !defaultPassword) {
-      throw new Error(context.t('error.initial password or default password should be supported'))
+      throw new Error('initial password or default password should be supported.')
+    }
+
+    // TODO username은 다음 패턴을 따라야 한다. pattern="^[A-Za-z0-9]*$"
+    if (!/^[A-Za-z0-9]*$/.test(user.username)) {
+      throw new Error(context.t('error.invalid x', { x: context.t('field.username') }))
     }
 
     // consider if validation password rule is required
@@ -38,14 +49,14 @@ export class UserMutation {
 
     const salt = User.generateSalt()
 
-    return await getRepository(User).save({
+    return await userRepository.save({
       creator: context.state.user,
       updater: context.state.user,
       ...user,
       domains: [domain],
       roles:
         user.roles && user.roles.length
-          ? await getRepository(Role).findBy({
+          ? await getRepository(Role, tx).findBy({
               id: In(user.roles.map(role => role.id)),
               domain: { id: domain.id }
             })
@@ -64,7 +75,7 @@ export class UserMutation {
     @Arg('patch') patch: UserPatch,
     @Ctx() context: ResolverContext
   ) {
-    const { domain, user: updater }: { domain: Domain; user: User } = context.state
+    const { domain, user: updater, tx }: { domain: Domain; user: User; tx?: EntityManager } = context.state
     const qb: SelectQueryBuilder<User> = buildDomainUsersQueryBuilder(domain.id, 'USER')
     const user: User = await qb
       .andWhere('LOWER(USER.email) = :email', { email: email?.toLowerCase().trim() || '' })
@@ -73,14 +84,16 @@ export class UserMutation {
       .getOne()
 
     if (patch.roles) {
-      patch.roles = await getRepository(Role).find({ where: { id: In(patch.roles.map((r: Partial<Role>) => r.id)) } })
+      patch.roles = await getRepository(Role, tx).find({
+        where: { id: In(patch.roles.map((r: Partial<Role>) => r.id)) }
+      })
     }
 
     if (patch.status && patch.status === 'activated') {
       user.status = UserStatus.ACTIVATED
     }
 
-    return await getRepository(User).save({
+    return await getRepository(User, tx).save({
       ...user,
       ...patch,
       updater
@@ -92,7 +105,7 @@ export class UserMutation {
   @Mutation(returns => [User], { description: 'To modify multiple users information' })
   async updateMultipleUser(@Arg('patches', type => [UserPatch]) patches: UserPatch[], @Ctx() context: ResolverContext) {
     const { domain, user, tx } = context.state
-    const userRepo = tx.getRepository(User)
+    const userRepo = getRepository(User, tx)
 
     let results = []
     const _createRecords = patches.filter((patch: any) => patch.cuFlag.toUpperCase() === '+')
@@ -183,10 +196,10 @@ export class UserMutation {
   @Directive('@privilege(category: "user", privilege: "mutation", domainOwnerGranted: true)')
   @Directive('@transaction')
   @Mutation(returns => Boolean, { description: 'To delete a user' })
-  async deleteUser(@Arg('email', type => GraphQLEmailAddress) email: string, @Ctx() context: ResolverContext) {
+  async deleteUser(@Arg('username') username: string, @Ctx() context: ResolverContext) {
     const { tx } = context.state
 
-    await commonDeleteUser({ email }, tx)
+    await commonDeleteUser({ username }, tx)
 
     return true
   }
@@ -194,9 +207,9 @@ export class UserMutation {
   @Directive('@privilege(category: "user", privilege: "mutation", domainOwnerGranted: true)')
   @Directive('@transaction')
   @Mutation(returns => Boolean, { description: 'To delete some users' })
-  async deleteUsers(@Arg('emails', type => [String]) emails: string[], @Ctx() context: ResolverContext) {
+  async deleteUsers(@Arg('usernames', type => [String]) usernames: string[], @Ctx() context: ResolverContext) {
     const { tx } = context.state
-    await commonDeleteUsers({ emails }, tx)
+    await commonDeleteUsers({ usernames }, tx)
 
     return true
   }
@@ -207,8 +220,8 @@ export class UserMutation {
     @Arg('email', type => GraphQLEmailAddress) email: string,
     @Ctx() context: ResolverContext
   ): Promise<boolean> {
-    const { domain } = context.state
-    const invitee: User = await getRepository(User).findOne({
+    const { domain, tx } = context.state
+    const invitee: User = await getRepository(User, tx).findOne({
       where: { email: ILike(email) },
       relations: ['domains']
     })
@@ -222,7 +235,7 @@ export class UserMutation {
       throw new Error(context.t('error.x already exists in y', { x: context.t('field.user'), y: domain.name }))
     }
     invitee.domains = [...existingDomains, domain]
-    await getRepository(User).save(invitee)
+    await getRepository(User, tx).save(invitee)
 
     return true
   }
@@ -236,9 +249,10 @@ export class UserMutation {
   ): Promise<boolean> {
     const { tx, domain } = context.state
 
-    let user: User = await tx
-      .getRepository(User)
-      .findOne({ where: { email: ILike(email) }, relations: ['domains', 'roles', 'roles.domain'] })
+    let user: User = await getRepository(User, tx).findOne({
+      where: { email: ILike(email) },
+      relations: ['domains', 'roles', 'roles.domain']
+    })
     if (!user) {
       throw new Error(context.t('error.failed to find x', { x: context.t('field.user') }))
     }
@@ -254,7 +268,7 @@ export class UserMutation {
     // Remove domain's roles that user has
     user.roles = user.roles.filter((role: Role) => role.domain.id !== domain.id)
 
-    await tx.getRepository(User).save(user)
+    await getRepository(User, tx).save(user)
 
     return true
   }
@@ -266,12 +280,30 @@ export class UserMutation {
     @Arg('email', type => GraphQLEmailAddress) email: string,
     @Ctx() context: ResolverContext
   ): Promise<boolean> {
-    const { domain } = context.state
-    const user: User = await getRepository(User).findOne({
-      where: { email: ILike(email) }
+    const { domain, tx } = context.state
+    const user: User = await getRepository(User, tx).findOne({
+      where: { email: ILike(email) },
+      relations: ['domains', 'roles']
     })
+
+    if (!user) {
+      throw new Error('Failed to find user')
+    }
+
+    if (user.status !== UserStatus.ACTIVATED) {
+      throw new Error('Only activated users are eligible to receive admin privileges.')
+    }
+
+    if (user.domains.map((d: Domain) => d.id).indexOf(domain.id) < 0) {
+      throw new Error(`User is not belongs to current domain`)
+    }
+
+    if (user.roles.filter((r: Role) => r.domainId == domain.id).length == 0) {
+      throw new Error(`Only users with at least one role in this domain are eligible to receive admin privileges.`)
+    }
+
     domain.owner = user.id
-    await getRepository(Domain).save(domain)
+    await getRepository(Domain, tx).save(domain)
 
     return true
   }
@@ -282,7 +314,7 @@ export class UserMutation {
   async activateUser(@Arg('userId') userId: string, @Ctx() context: ResolverContext): Promise<boolean> {
     const { tx, domain } = context.state
 
-    const targetUser: User = await tx.getRepository(User).findOne({
+    const targetUser: User = await getRepository(User, tx).findOne({
       where: { id: userId },
       relations: ['domains']
     })
@@ -297,7 +329,7 @@ export class UserMutation {
     targetUser.failCount = 0
     targetUser.status = UserStatus.ACTIVATED
 
-    await tx.getRepository(User).save(targetUser)
+    await getRepository(User, tx).save(targetUser)
 
     return true
   }
@@ -308,7 +340,7 @@ export class UserMutation {
   async inactivateUser(@Arg('userId') userId: string, @Ctx() context: ResolverContext): Promise<boolean> {
     const { tx, domain } = context.state
 
-    const targetUser: User = await tx.getRepository(User).findOne({
+    const targetUser: User = await getRepository(User, tx).findOne({
       where: { id: userId },
       relations: ['domains']
     })
@@ -326,7 +358,7 @@ export class UserMutation {
 
     targetUser.status = UserStatus.INACTIVE
 
-    await tx.getRepository(User).save(targetUser)
+    await getRepository(User, tx).save(targetUser)
 
     return true
   }
@@ -342,7 +374,7 @@ export class UserMutation {
       throw new Error('No default password found')
     }
 
-    const targetUser: User = await tx.getRepository(User).findOne({
+    const targetUser: User = await getRepository(User, tx).findOne({
       where: { id: userId },
       relations: ['domains']
     })
@@ -356,7 +388,7 @@ export class UserMutation {
 
     targetUser.salt = User.generateSalt()
     targetUser.password = User.encode(defaultPassword, targetUser.salt)
-    await tx.getRepository(User).save(targetUser)
+    await getRepository(User, tx).save(targetUser)
 
     return true
   }
@@ -371,7 +403,7 @@ export class UserMutation {
     @Ctx() context: ResolverContext
   ) {
     const { domain, tx } = context.state
-    let user: User = await tx.getRepository(User).findOne({
+    let user: User = await getRepository(User, tx).findOne({
       where: { id: userId },
       relations: ['domains', 'roles']
     })
@@ -387,6 +419,6 @@ export class UserMutation {
     user.roles = user.roles.filter((r: Role) => availableRoleIds.indexOf(r.id) < 0)
     user.roles = user.roles.concat(selectedRoles as Role[])
 
-    return await tx.getRepository(User).save(user)
+    return await getRepository(User, tx).save(user)
   }
 }

package/server/service/user/user-types.ts

@@ -35,6 +35,9 @@ export class PasswordRule {
 
 @InputType()
 export class NewUser {
+  @Field()
+  username: string
+
   @Field()
   name: string
 

package/server/service/user/user.ts

@@ -6,6 +6,7 @@ import {
   Column,
   CreateDateColumn,
   Entity,
+  ILike,
   Index,
   JoinTable,
   ManyToMany,
@@ -43,13 +44,23 @@ export enum UserStatus {
 }
 
 @Entity()
-@Index('ix_user_0', (user: User) => [user.email], { unique: true })
+@Index('ix_user_0', (user: User) => [user.email], {
+  unique: true
+})
+@Index('ix_user_1', (user: User) => [user.username], {
+  unique: true,
+  where: '"username" IS NOT NULL'
+})
 @ObjectType()
 export class User {
   @PrimaryGeneratedColumn('uuid')
   @Field(type => ID)
   readonly id: string
 
+  @Column({ nullable: true })
+  @Field({ nullable: true })
+  username: string
+
   @Column()
   @Field({ nullable: true })
   name: string
@@ -165,15 +176,10 @@ export class User {
 
   /* signing for jsonwebtoken */
   async sign(options?) {
-    var { expiresIn = sessionExpirySeconds, subdomain } = options || {}
+    var { expiresIn = sessionExpirySeconds } = options || {}
 
     var user = {
-      id: this.id,
-      userType: this.userType,
-      status: this.status,
-      domain: {
-        subdomain
-      }
+      username: this.username || this.email
     }
 
     return await jwt.sign(user, SECRET, {
@@ -262,18 +268,39 @@ export class User {
   }
 
   static async checkAuth(decoded) {
-    if (decoded?.id === undefined) {
+    // id 는 하위호환성을 위해 단기적으로 유지함
+    const { id, username } = decoded || {}
+
+    if (!id && !username) {
       throw new AuthError({
         errorCode: AuthError.ERROR_CODES.USER_NOT_FOUND
       })
     }
 
     const repository = getRepository(User)
-    var user = await repository.findOne({
-      where: { id: decoded.id },
-      relations: ['domains', 'credentials'],
-      cache: true
-    })
+    if (id) {
+      var user = await repository.findOne({
+        where: { id },
+        relations: ['domains', 'credentials'],
+        cache: true
+      })
+    } else {
+      var user = await repository.findOne({
+        where: { username },
+        relations: ['domains', 'credentials'],
+        cache: true
+      })
+
+      if (!user && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(username)) {
+        user = await repository.findOne({
+          where: {
+            email: ILike(username)
+          },
+          relations: ['domains', 'credentials'],
+          cache: true
+        })
+      }
+    }
 
     if (!user)
       throw new AuthError({

package/server/templates/account-unlock-email.ts

@@ -1,4 +1,4 @@
-export function getUnlockUserEmailForm({ name, resetUrl }) {
+export function getUnlockUserEmailForm({ username, name, resetUrl }) {
   return `
   <html lang="en">
     <head>

package/server/templates/invitation-email.ts

@@ -1,4 +1,4 @@
-export function getInvitationEmailForm({ email, acceptUrl }) {
+export function getInvitationEmailForm({ username, email, acceptUrl }) {
   return `
   <html lang="en">
     <head>

package/server/templates/verification-email.ts

@@ -1,4 +1,4 @@
-export function getVerificationEmailForm({ name, verifyUrl }) {
+export function getVerificationEmailForm({ username, name, verifyUrl }) {
   return `
   <html lang="en">
     <head>

package/translations/en.json

@@ -4,6 +4,7 @@
   "error.confirm password not matched": "new password and confirm password is not matched",
   "error.domain mismatch": "certificate is not for this domain",
   "error.domain not allowed": "user not allowed domain `{subdomain}`",
+  "error.email already exists": "email already used by another user",
   "error.failed to find x": "failed to find {x}",
   "error.password should be supported": "initial password or default password should be supported",
   "error.password should match the rule": "password should match following rule. ${rule}",
@@ -11,13 +12,15 @@
   "error.subdomain not found": "domain not found",
   "error.token or password is invalid": "token or password is invalid",
   "error.unavailable-domain": "unavailable domain",
+  "error.user credential not found": "user credential not found. You need to register device to use biometric authentication.",
   "error.user credential registeration failed": "user credential registration failed. It may be an already registered credential.",
   "error.user credential registration not allowed": "user credential registration failed. The registration timed out or was not allowed.",
-  "error.user duplicated": "user duplicated",
+  "error.user duplicated.": "there is a user account using same email or user ID.",
   "error.user not activated": "user is not activated",
   "error.user not found": "user not found",
   "error.user or verification token not found": "user or verification token not found",
   "error.user validation failed": "user validation failed",
+  "error.username already exists": "username already used by another user",
   "error.x is not a member of y": "{x} is not a member of {y}",
   "field.active": "active",
   "field.appliance_id": "appliance id",

package/translations/ja.json

@@ -4,6 +4,7 @@
   "error.confirm password not matched": "新しいパスワードと確認パスワードが一致しません.",
   "error.domain mismatch": "証明書のドメインと現在のドメインが一致しません.",
   "error.domain not allowed": "'{subdomain}' 領域はこのユーザに許可されていません.",
+  "error.email already exists": "メールはすでに他のユーザーによって使用されています.",
   "error.failed to find x": "{x}が見つかりません.",
   "error.password should be supported": "初期パスワードまたはデフォルトパスワードがサポートされるべきです",
   "error.password should match the rule": "パスワードは次の規則を守らなければなりません. {rule}",
@@ -11,13 +12,15 @@
   "error.subdomain not found": "サブドメインが見つかりません.",
   "error.token or password is invalid": "トークンまたはパスワードが無効です.",
   "error.unavailable-domain": "使用できないドメインです.",
+  "error.user credential not found": "ユーザー資格情報が見つかりません. 生体認証を使用するにはデバイスを登録する必要があります.",
   "error.user credential registeration failed": "ユーザー資格情報の登録に失敗しました。既に登録されている資格情報の可能性があります。",
   "error.user credential registration not allowed": "ユーザー資格情報の登録に失敗しました。登録のタイムアウトまたは登録が許可されていません。",
-  "error.user duplicated": "同じメールで登録されたアカウントが存在します.",
+  "error.user duplicated.": "ユーザーが重複しています.",
   "error.user not activated": "ユーザーがアクティブ化されていません.",
   "error.user not found": "ユーザーが存在しません.",
   "error.user or verification token not found": "ユーザーまたは確認トークンが見つかりません.",
   "error.user validation failed": "ユーザー確認に失敗しました.",
+  "error.username already exists": "ユーザー名はすでに他のユーザーによって使用されています.",
   "error.x is not a member of y": "{x}は{y}のメンバーではありません.",
   "field.active": "アクティブ",
   "field.appliance_id": "器具ID",

package/translations/ko.json

@@ -4,6 +4,7 @@
   "error.confirm password not matched": "새 비밀번호와 확인 비밀번호가 일치하지 않습니다.",
   "error.domain mismatch": "인증서의 도메인과 현재 도메인이 일치하지 않습니다.",
   "error.domain not allowed": "'{subdomain}' 영역은 이 사용자에게 허가되지 않았습니다.",
+  "error.email already exists": "이메일이 이미 사용되고 있습니다.",
   "error.failed to find x": "{x}을(를) 찾을 수 없습니다.",
   "error.password should be supported": "초기 비밀번호나 디폴트 비밀번호가 제공되어야 합니다.",
   "error.password should match the rule": "비밀번호는 다음 규칙을 지켜야 합니다. {rule}",
@@ -12,13 +13,14 @@
   "error.token or password is invalid": "토큰 또는 비밀번호가 유효하지 않습니다.",
   "error.unavailable-domain": "사용할 수 없는 도메인입니다.",
   "error.user credential not found": "사용자 자격 증명을 찾을 수 없습니다. 바이오메트릭 인증을 사용하기 위해서는 먼저 기기를 등록해야 합니다.",
-  "error.user duplicated": "동일한 이메일로 가입된 계정이 이미 존재합니다.",
+  "error.user credential registeration failed": "사용자 인증서 등록이 실패하였습니다. 이미 등록된 인증서일 수 있습니다.",
+  "error.user credential registration not allowed": "사용자 인증서 등록이 실패하였습니다. 등록 시간이 초과되었거나 등록이 허용되지 않았습니다.",
+  "error.user duplicated": "동일한 이메일이나 사용자아이디로 가입된 계정이 이미 존재합니다.",
   "error.user not activated": "사용자가 활성화되지 않았습니다.",
   "error.user not found": "사용자가 존재하지 않습니다.",
   "error.user or verification token not found": "사용자 또는 확인토큰을 찾을 수 없습니다.",
-  "error.user credential registeration failed": "사용자 인증서 등록이 실패하였습니다. 이미 등록된 인증서일 수 있습니다.",
-  "error.user credential registration not allowed": "사용자 인증서 등록이 실패하였습니다. 등록 시간이 초과되었거나 등록이 허용되지 않았습니다.",
   "error.user validation failed": "사용자 확인에 실패하였습니다.",
+  "error.username already exists": "사용자 아이디가 이미 사용되고 있습니다.",
   "error.x is not a member of y": "{x}은(는) {y}의 멤버가 아닙니다.",
   "field.active": "활성화",
   "field.appliance_id": "기구 아이디",

package/translations/ms.json

@@ -4,6 +4,7 @@
   "error.confirm password not matched": "Kata laluan baru dan pengesahan kata laluan tidak sepadan",
   "error.domain mismatch": "Sijil tidak sesuai untuk domain ini",
   "error.domain not allowed": "Pengguna tidak dibenarkan domain `{subdomain}`",
+  "error.email already exists": "Emel telah digunakan oleh pengguna lain",
   "error.failed to find x": "Gagal mencari {x}",
   "error.password should be supported": "kata laluan awal atau kata laluan lalai harus disokong",
   "error.password should match the rule": "Kata laluan harus mematuhi peraturan berikut. ${rule}",
@@ -11,13 +12,15 @@
   "error.subdomain not found": "Domain tidak ditemui",
   "error.token or password is invalid": "Token atau kata laluan tidak sah",
   "error.unavailable-domain": "Domain tidak tersedia",
+  "error.user credential not found": "kelayakan pengguna tidak ditemui. Anda perlu mendaftarkan peranti untuk menggunakan pengesahan biometrik.",
   "error.user credential registeration failed": "pendaftaran kelayakan pengguna gagal. Mungkin kelayakan tersebut sudah didaftarkan.",
   "error.user credential registration not allowed": "pendaftaran kelayakan pengguna gagal. Masa pendaftaran telah tamat atau pendaftaran tidak dibenarkan.",
-  "error.user duplicated": "Emel telah digunakan oleh akaun lain",
+  "error.user duplicated": "terdapat akaun pengguna yang menggunakan e-mel atau ID pengguna yang sama.",
   "error.user not activated": "Pengguna tidak diaktifkan",
   "error.user not found": "Pengguna tidak ditemui",
   "error.user or verification token not found": "Pengguna atau token pengesahan tidak ditemui",
   "error.user validation failed": "Validasi pengguna gagal",
+  "error.username already exists": "Nama pengguna telah digunakan oleh pengguna lain",
   "error.x is not a member of y": "{x} bukan ahli {y}",
   "field.active": "Aktif",
   "field.appliance_id": "Perkakas",

package/translations/zh.json

@@ -5,6 +5,7 @@
   "error.confirm password not matched": "新密码与确认密码不匹配！",
   "error.domain mismatch": "证书不适用于该域！",
   "error.domain not allowed": "用户无权限使用`{subdomain}`域！",
+  "error.email already exists": "电子邮件已被其他用户使用！",
   "error.failed to find x": "查询{x}失败！",
   "error.password should be supported": "应支持初始密码或默认密码",
   "error.password should match the rule": "密码应符合以下规则。${rule}",
@@ -12,13 +13,15 @@
   "error.subdomain not found": "用户域查询失败！",
   "error.token or password is invalid": "令牌或密码无效！",
   "error.unavailable-domain": "不可用的域名",
+  "error.user credential not found": "用户凭证未找到。您需要注册设备以使用生物识别认证。",
   "error.user credential registeration failed": "用户凭证注册失败。可能是已注册的凭证。",
   "error.user credential registration not allowed": "用户凭证注册失败。注册超时或注册不被允许。",
-  "error.user duplicated": "有一个用户帐户使用相同的电子邮件",
+  "error.user duplicated": "存在一个用户帐户使用相同的电子邮件或用户ID。",
   "error.user not activated": "用户未激活！",
   "error.user not found": "找不到用户",
   "error.user or verification token not found": "找不到用户或验证令牌。",
   "error.user validation failed": "用户验证失败！",
+  "error.username already exists": "用户名已被其他用户使用",
   "error.x is not a member of y": "{x}不是{y}的成员",
   "field.active": "激活",
   "field.appliance_id": "终端机ID",