@things-factory/auth-base 8.0.0-alpha.8 → 8.0.0-beta.0

package/server/service/user/user-mutation.ts

@@ -1,6 +1,6 @@
 import { Arg, Ctx, Directive, Mutation, Resolver } from 'type-graphql'
 import { GraphQLEmailAddress } from 'graphql-scalars'
-import { ILike, In, SelectQueryBuilder } from 'typeorm'
+import { ILike, In, SelectQueryBuilder, EntityManager } from 'typeorm'
 
 import { config } from '@things-factory/env'
 import { Domain, getRepository, ObjectRef } from '@things-factory/shell'
@@ -10,6 +10,7 @@ import { buildDomainUsersQueryBuilder } from '../../utils/get-domain-users'
 import { Role } from '../role/role'
 import { User, UserStatus } from './user'
 import { NewUser, UserPatch } from './user-types'
+import { USERNAME_ALREADY_EXISTS, EMAIL_ALREADY_EXISTS } from '../../constants/error-code'
 
 @Resolver(User)
 export class UserMutation {
@@ -17,19 +18,29 @@ export class UserMutation {
   @Directive('@transaction')
   @Mutation(returns => User, { description: 'To create new user' })
   async createUser(@Arg('user') user: NewUser, @Ctx() context: ResolverContext) {
-    const { domain } = context.state
+    const { domain, tx } = context.state
     const { defaultPassword } = config.get('password')
-    const { email } = user
+    const { username, email } = user
+    const userRepository = getRepository(User, tx)
 
+    user.username = username.trim()
     user.email = email.trim()
 
-    const oldUser: User = await getRepository(User).findOne({ where: { email: ILike(user.email) } })
-    if (oldUser) {
-      throw new Error(context.t('error.x already exists in y', { x: context.t('field.user'), y: 'operato' }))
+    if (await userRepository.findOne({ where: { username: user.username } })) {
+      throw new Error(context.t(USERNAME_ALREADY_EXISTS))
+    }
+
+    if (await userRepository.findOne({ where: { email: ILike(user.email) } })) {
+      throw new Error(context.t(EMAIL_ALREADY_EXISTS))
     }
 
     if (!user.password && !defaultPassword) {
-      throw new Error(context.t('error.initial password or default password should be supported'))
+      throw new Error('initial password or default password should be supported.')
+    }
+
+    // TODO username은 다음 패턴을 따라야 한다. pattern="^[A-Za-z0-9]*$"
+    if (!/^[A-Za-z0-9]*$/.test(user.username)) {
+      throw new Error(context.t('error.invalid x', { x: context.t('field.username') }))
     }
 
     // consider if validation password rule is required
@@ -38,14 +49,14 @@ export class UserMutation {
 
     const salt = User.generateSalt()
 
-    return await getRepository(User).save({
+    return await userRepository.save({
       creator: context.state.user,
       updater: context.state.user,
       ...user,
       domains: [domain],
       roles:
         user.roles && user.roles.length
-          ? await getRepository(Role).findBy({
+          ? await getRepository(Role, tx).findBy({
               id: In(user.roles.map(role => role.id)),
               domain: { id: domain.id }
             })
@@ -64,7 +75,7 @@ export class UserMutation {
     @Arg('patch') patch: UserPatch,
     @Ctx() context: ResolverContext
   ) {
-    const { domain, user: updater }: { domain: Domain; user: User } = context.state
+    const { domain, user: updater, tx }: { domain: Domain; user: User; tx?: EntityManager } = context.state
     const qb: SelectQueryBuilder<User> = buildDomainUsersQueryBuilder(domain.id, 'USER')
     const user: User = await qb
       .andWhere('LOWER(USER.email) = :email', { email: email?.toLowerCase().trim() || '' })
@@ -73,14 +84,16 @@ export class UserMutation {
       .getOne()
 
     if (patch.roles) {
-      patch.roles = await getRepository(Role).find({ where: { id: In(patch.roles.map((r: Partial<Role>) => r.id)) } })
+      patch.roles = await getRepository(Role, tx).find({
+        where: { id: In(patch.roles.map((r: Partial<Role>) => r.id)) }
+      })
     }
 
     if (patch.status && patch.status === 'activated') {
       user.status = UserStatus.ACTIVATED
     }
 
-    return await getRepository(User).save({
+    return await getRepository(User, tx).save({
       ...user,
       ...patch,
       updater
@@ -92,7 +105,7 @@ export class UserMutation {
   @Mutation(returns => [User], { description: 'To modify multiple users information' })
   async updateMultipleUser(@Arg('patches', type => [UserPatch]) patches: UserPatch[], @Ctx() context: ResolverContext) {
     const { domain, user, tx } = context.state
-    const userRepo = tx.getRepository(User)
+    const userRepo = getRepository(User, tx)
 
     let results = []
     const _createRecords = patches.filter((patch: any) => patch.cuFlag.toUpperCase() === '+')
@@ -183,10 +196,10 @@ export class UserMutation {
   @Directive('@privilege(category: "user", privilege: "mutation", domainOwnerGranted: true)')
   @Directive('@transaction')
   @Mutation(returns => Boolean, { description: 'To delete a user' })
-  async deleteUser(@Arg('email', type => GraphQLEmailAddress) email: string, @Ctx() context: ResolverContext) {
+  async deleteUser(@Arg('username') username: string, @Ctx() context: ResolverContext) {
     const { tx } = context.state
 
-    await commonDeleteUser({ email }, tx)
+    await commonDeleteUser({ username }, tx)
 
     return true
   }
@@ -194,25 +207,31 @@ export class UserMutation {
   @Directive('@privilege(category: "user", privilege: "mutation", domainOwnerGranted: true)')
   @Directive('@transaction')
   @Mutation(returns => Boolean, { description: 'To delete some users' })
-  async deleteUsers(@Arg('emails', type => [String]) emails: string[], @Ctx() context: ResolverContext) {
+  async deleteUsers(@Arg('usernames', type => [String]) usernames: string[], @Ctx() context: ResolverContext) {
     const { tx } = context.state
-    await commonDeleteUsers({ emails }, tx)
+    await commonDeleteUsers({ usernames }, tx)
 
     return true
   }
 
   @Directive('@transaction')
   @Mutation(returns => Boolean, { description: 'To invite new user' })
-  async inviteUser(
-    @Arg('email', type => GraphQLEmailAddress) email: string,
-    @Ctx() context: ResolverContext
-  ): Promise<boolean> {
-    const { domain } = context.state
-    const invitee: User = await getRepository(User).findOne({
-      where: { email: ILike(email) },
+  async inviteUser(@Arg('username') username: string, @Ctx() context: ResolverContext): Promise<boolean> {
+    const { domain, tx } = context.state
+    const userRepository = getRepository(User, tx)
+
+    var invitee: User = await userRepository.findOne({
+      where: { username },
       relations: ['domains']
     })
 
+    if (!invitee && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(username)) {
+      invitee = await userRepository.findOne({
+        where: { email: ILike(username) },
+        relations: ['domains']
+      })
+    }
+
     if (!invitee) {
       throw new Error(context.t('error.failed to find x', { x: context.t('field.user') }))
     }
@@ -221,8 +240,9 @@ export class UserMutation {
     if (existingDomains.find((d: Domain) => d.id === domain.id)) {
       throw new Error(context.t('error.x already exists in y', { x: context.t('field.user'), y: domain.name }))
     }
+
     invitee.domains = [...existingDomains, domain]
-    await getRepository(User).save(invitee)
+    await userRepository.save(invitee)
 
     return true
   }
@@ -230,15 +250,22 @@ export class UserMutation {
   @Directive('@transaction')
   @Directive('@privilege(category: "user", privilege: "mutation", domainOwnerGranted: true)')
   @Mutation(returns => Boolean, { description: 'To delete domain user' })
-  async deleteDomainUser(
-    @Arg('email', type => GraphQLEmailAddress) email: string,
-    @Ctx() context: ResolverContext
-  ): Promise<boolean> {
+  async deleteDomainUser(@Arg('username') username: string, @Ctx() context: ResolverContext): Promise<boolean> {
     const { tx, domain } = context.state
+    const userRepository = getRepository(User, tx)
+
+    var user: User = await userRepository.findOne({
+      where: { username },
+      relations: ['domains', 'roles']
+    })
+
+    if (!user && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(username)) {
+      user = await userRepository.findOne({
+        where: { email: ILike(username) },
+        relations: ['domains', 'roles']
+      })
+    }
 
-    let user: User = await tx
-      .getRepository(User)
-      .findOne({ where: { email: ILike(email) }, relations: ['domains', 'roles', 'roles.domain'] })
     if (!user) {
       throw new Error(context.t('error.failed to find x', { x: context.t('field.user') }))
     }
@@ -252,9 +279,9 @@ export class UserMutation {
     user.domains.splice(targetDomainIdx, 1)
 
     // Remove domain's roles that user has
-    user.roles = user.roles.filter((role: Role) => role.domain.id !== domain.id)
+    user.roles = user.roles.filter((role: Role) => role.domainId !== domain.id)
 
-    await tx.getRepository(User).save(user)
+    await userRepository.save(user)
 
     return true
   }
@@ -262,16 +289,40 @@ export class UserMutation {
   @Directive('@privilege(domainOwnerGranted: true, superUserGranted: true)')
   @Directive('@transaction')
   @Mutation(returns => Boolean, { description: 'To transfer owner of domain' })
-  async transferOwner(
-    @Arg('email', type => GraphQLEmailAddress) email: string,
-    @Ctx() context: ResolverContext
-  ): Promise<boolean> {
-    const { domain } = context.state
-    const user: User = await getRepository(User).findOne({
-      where: { email: ILike(email) }
+  async transferOwner(@Arg('username') username: string, @Ctx() context: ResolverContext): Promise<boolean> {
+    const { domain, tx } = context.state
+    const userRepository = getRepository(User, tx)
+
+    var user: User = await userRepository.findOne({
+      where: { username },
+      relations: ['domains']
     })
+
+    if (!user && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(username)) {
+      user = await userRepository.findOne({
+        where: { email: ILike(username) },
+        relations: ['domains']
+      })
+    }
+
+    if (!user) {
+      throw new Error(context.t('error.failed to find x', { x: context.t('field.user') }))
+    }
+
+    if (user.status !== UserStatus.ACTIVATED) {
+      throw new Error('Only activated users are eligible to receive admin privileges.')
+    }
+
+    if (user.domains.map((d: Domain) => d.id).indexOf(domain.id) < 0) {
+      throw new Error(`User is not belongs to current domain`)
+    }
+
+    if (user.roles.filter((r: Role) => r.domainId == domain.id).length == 0) {
+      throw new Error(`Only users with at least one role in this domain are eligible to receive admin privileges.`)
+    }
+
     domain.owner = user.id
-    await getRepository(Domain).save(domain)
+    await getRepository(Domain, tx).save(domain)
 
     return true
   }
@@ -279,15 +330,24 @@ export class UserMutation {
   @Directive('@privilege(category: "user", privilege: "mutation", domainOwnerGranted: true)')
   @Directive('@transaction')
   @Mutation(returns => Boolean, { description: 'To activate user' })
-  async activateUser(@Arg('userId') userId: string, @Ctx() context: ResolverContext): Promise<boolean> {
+  async activateUser(@Arg('username') username: string, @Ctx() context: ResolverContext): Promise<boolean> {
     const { tx, domain } = context.state
+    const userRepository = getRepository(User, tx)
 
-    const targetUser: User = await tx.getRepository(User).findOne({
-      where: { id: userId },
+    var targetUser: User = await userRepository.findOne({
+      where: { username },
       relations: ['domains']
     })
+
+    if (!targetUser && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(username)) {
+      targetUser = await userRepository.findOne({
+        where: { email: ILike(username) },
+        relations: ['domains']
+      })
+    }
+
     if (!targetUser) {
-      throw new Error('No user found')
+      throw new Error(context.t('error.failed to find x', { x: context.t('field.user') }))
     }
 
     if (!targetUser?.domains?.find((userDomain: Domain) => userDomain.id === domain.id)) {
@@ -297,7 +357,7 @@ export class UserMutation {
     targetUser.failCount = 0
     targetUser.status = UserStatus.ACTIVATED
 
-    await tx.getRepository(User).save(targetUser)
+    await userRepository.save(targetUser)
 
     return true
   }
@@ -305,15 +365,24 @@ export class UserMutation {
   @Directive('@privilege(category: "user", privilege: "mutation", domainOwnerGranted: true)')
   @Directive('@transaction')
   @Mutation(returns => Boolean, { description: 'To inactivate user' })
-  async inactivateUser(@Arg('userId') userId: string, @Ctx() context: ResolverContext): Promise<boolean> {
+  async inactivateUser(@Arg('username') username: string, @Ctx() context: ResolverContext): Promise<boolean> {
     const { tx, domain } = context.state
+    const userRepository = getRepository(User, tx)
 
-    const targetUser: User = await tx.getRepository(User).findOne({
-      where: { id: userId },
+    var targetUser: User = await userRepository.findOne({
+      where: { username },
       relations: ['domains']
     })
+
+    if (!targetUser && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(username)) {
+      targetUser = await userRepository.findOne({
+        where: { email: ILike(username) },
+        relations: ['domains']
+      })
+    }
+
     if (!targetUser) {
-      throw new Error('No user found')
+      throw new Error(context.t('error.failed to find x', { x: context.t('field.user') }))
     }
 
     if (!targetUser?.domains?.find((userDomain: Domain) => userDomain.id === domain.id)) {
@@ -326,7 +395,7 @@ export class UserMutation {
 
     targetUser.status = UserStatus.INACTIVE
 
-    await tx.getRepository(User).save(targetUser)
+    await userRepository.save(targetUser)
 
     return true
   }
@@ -334,7 +403,7 @@ export class UserMutation {
   @Directive('@privilege(category: "user", privilege: "mutation", domainOwnerGranted: true)')
   @Directive('@transaction')
   @Mutation(returns => Boolean, { description: 'To reset password to default' })
-  async resetPasswordToDefault(@Arg('userId') userId: string, @Ctx() context: ResolverContext): Promise<boolean> {
+  async resetPasswordToDefault(@Arg('username') username: string, @Ctx() context: ResolverContext): Promise<boolean> {
     const { tx, domain } = context.state
 
     const { defaultPassword } = config.get('password')
@@ -342,12 +411,22 @@ export class UserMutation {
       throw new Error('No default password found')
     }
 
-    const targetUser: User = await tx.getRepository(User).findOne({
-      where: { id: userId },
+    const userRepository = getRepository(User, tx)
+
+    var targetUser: User = await userRepository.findOne({
+      where: { username },
       relations: ['domains']
     })
+
+    if (!targetUser && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(username)) {
+      targetUser = await userRepository.findOne({
+        where: { email: ILike(username) },
+        relations: ['domains']
+      })
+    }
+
     if (!targetUser) {
-      throw new Error('No user found')
+      throw new Error(context.t('error.failed to find x', { x: context.t('field.user') }))
     }
 
     if (!targetUser?.domains?.find((userDomain: Domain) => userDomain.id === domain.id)) {
@@ -356,7 +435,8 @@ export class UserMutation {
 
     targetUser.salt = User.generateSalt()
     targetUser.password = User.encode(defaultPassword, targetUser.salt)
-    await tx.getRepository(User).save(targetUser)
+
+    await userRepository.save(targetUser)
 
     return true
   }
@@ -365,18 +445,28 @@ export class UserMutation {
   @Directive('@transaction')
   @Mutation(returns => User, { description: 'To update roles for a user' })
   async updateUserRoles(
-    @Arg('userId') userId: string,
+    @Arg('username') username: string,
     @Arg('availableRoles', type => [ObjectRef]) availableRoles: ObjectRef[],
     @Arg('selectedRoles', type => [ObjectRef]) selectedRoles: ObjectRef[],
     @Ctx() context: ResolverContext
   ) {
     const { domain, tx } = context.state
-    let user: User = await tx.getRepository(User).findOne({
-      where: { id: userId },
+    const userRepository = getRepository(User, tx)
+
+    var user: User = await userRepository.findOne({
+      where: { username },
       relations: ['domains', 'roles']
     })
+
+    if (!user && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(username)) {
+      user = await userRepository.findOne({
+        where: { email: ILike(username) },
+        relations: ['domains', 'roles']
+      })
+    }
+
     if (!user) {
-      throw new Error('Failed to find user')
+      throw new Error(context.t('error.failed to find x', { x: context.t('field.user') }))
     }
 
     if (user.domains.map((d: Domain) => d.id).indexOf(domain.id) < 0) {
@@ -387,6 +477,6 @@ export class UserMutation {
     user.roles = user.roles.filter((r: Role) => availableRoleIds.indexOf(r.id) < 0)
     user.roles = user.roles.concat(selectedRoles as Role[])
 
-    return await tx.getRepository(User).save(user)
+    return await userRepository.save(user)
   }
 }

package/server/service/user/user-types.ts

@@ -35,6 +35,9 @@ export class PasswordRule {
 
 @InputType()
 export class NewUser {
+  @Field()
+  username: string
+
   @Field()
   name: string
 

package/server/service/user/user.ts

@@ -2,7 +2,20 @@ import crypto from 'crypto'
 import jwt from 'jsonwebtoken'
 import { Directive, Field, ID, ObjectType } from 'type-graphql'
 import { GraphQLEmailAddress } from 'graphql-scalars'
-import { Column, CreateDateColumn, Entity, Index, JoinTable, ManyToMany, ManyToOne, OneToMany, PrimaryGeneratedColumn, RelationId, UpdateDateColumn } from 'typeorm'
+import {
+  Column,
+  CreateDateColumn,
+  Entity,
+  ILike,
+  Index,
+  JoinTable,
+  ManyToMany,
+  ManyToOne,
+  OneToMany,
+  PrimaryGeneratedColumn,
+  RelationId,
+  UpdateDateColumn
+} from 'typeorm'
 
 import { config } from '@things-factory/env'
 import { Domain, getRepository } from '@things-factory/shell'
@@ -31,13 +44,23 @@ export enum UserStatus {
 }
 
 @Entity()
-@Index('ix_user_0', (user: User) => [user.email], { unique: true })
+@Index('ix_user_0', (user: User) => [user.email], {
+  unique: true
+})
+@Index('ix_user_1', (user: User) => [user.username], {
+  unique: true,
+  where: '"username" IS NOT NULL'
+})
 @ObjectType()
 export class User {
   @PrimaryGeneratedColumn('uuid')
   @Field(type => ID)
   readonly id: string
 
+  @Column({ nullable: true })
+  @Field({ nullable: true })
+  username: string
+
   @Column()
   @Field({ nullable: true })
   name: string
@@ -58,7 +81,15 @@ export class User {
   @Directive('@privilege(category: "security", privilege: "query", domainOwnerGranted: true)')
   @Column({
     nullable: true,
-    type: DATABASE_TYPE == 'mysql' || DATABASE_TYPE == 'mariadb' ? 'longtext' : DATABASE_TYPE == 'oracle' ? 'clob' : 'varchar'
+    type:
+      DATABASE_TYPE == 'mysql' || DATABASE_TYPE == 'mariadb'
+        ? 'longtext'
+        : DATABASE_TYPE == 'oracle'
+          ? 'clob'
+          : DATABASE_TYPE == 'mssql'
+            ? 'nvarchar'
+            : 'varchar',
+    length: DATABASE_TYPE == 'mssql' ? 'MAX' : undefined
   })
   password: string
 
@@ -89,8 +120,17 @@ export class User {
   ssoId: string
 
   @Column({
-    type: DATABASE_TYPE == 'postgres' || DATABASE_TYPE == 'mysql' || DATABASE_TYPE == 'mariadb' ? 'enum' : DATABASE_TYPE == 'oracle' ? 'varchar2' : 'smallint',
-    enum: UserStatus,
+    type:
+      DATABASE_TYPE == 'postgres' || DATABASE_TYPE == 'mysql' || DATABASE_TYPE == 'mariadb'
+        ? 'enum'
+        : DATABASE_TYPE == 'oracle'
+          ? 'varchar2'
+          : DATABASE_TYPE == 'mssql'
+            ? 'nvarchar'
+            : 'varchar',
+    enum:
+      DATABASE_TYPE == 'postgres' || DATABASE_TYPE == 'mysql' || DATABASE_TYPE == 'mariadb' ? UserStatus : undefined,
+    length: DATABASE_TYPE == 'postgres' || DATABASE_TYPE == 'mysql' || DATABASE_TYPE == 'mariadb' ? undefined : 32,
     default: UserStatus.INACTIVE
   })
   @Field(type => String)
@@ -136,15 +176,10 @@ export class User {
 
   /* signing for jsonwebtoken */
   async sign(options?) {
-    var { expiresIn = sessionExpirySeconds, subdomain } = options || {}
+    var { expiresIn = sessionExpirySeconds } = options || {}
 
     var user = {
-      id: this.id,
-      userType: this.userType,
-      status: this.status,
-      domain: {
-        subdomain
-      }
+      username: this.username || this.email
     }
 
     return await jwt.sign(user, SECRET, {
@@ -233,18 +268,39 @@ export class User {
   }
 
   static async checkAuth(decoded) {
-    if (decoded?.id === undefined) {
+    // id 는 하위호환성을 위해 단기적으로 유지함
+    const { id, username } = decoded || {}
+
+    if (!id && !username) {
       throw new AuthError({
         errorCode: AuthError.ERROR_CODES.USER_NOT_FOUND
       })
     }
 
     const repository = getRepository(User)
-    var user = await repository.findOne({
-      where: { id: decoded.id },
-      relations: ['domains', 'credentials'],
-      cache: true
-    })
+    if (id) {
+      var user = await repository.findOne({
+        where: { id },
+        relations: ['domains', 'credentials'],
+        cache: true
+      })
+    } else {
+      var user = await repository.findOne({
+        where: { username },
+        relations: ['domains', 'credentials'],
+        cache: true
+      })
+
+      if (!user && /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(username)) {
+        user = await repository.findOne({
+          where: {
+            email: ILike(username)
+          },
+          relations: ['domains', 'credentials'],
+          cache: true
+        })
+      }
+    }
 
     if (!user)
       throw new AuthError({

package/server/service/verification-token/verification-token.ts

@@ -30,9 +30,15 @@ export class VerificationToken {
       DATABASE_TYPE == 'postgres' || DATABASE_TYPE == 'mysql' || DATABASE_TYPE == 'mariadb'
         ? 'enum'
         : DATABASE_TYPE == 'oracle'
-        ? 'varchar2'
-        : 'smallint',
-    enum: VerificationTokenType,
+          ? 'varchar2'
+          : DATABASE_TYPE == 'mssql'
+            ? 'nvarchar'
+            : 'varchar',
+    enum:
+      DATABASE_TYPE == 'postgres' || DATABASE_TYPE == 'mysql' || DATABASE_TYPE == 'mariadb'
+        ? VerificationTokenType
+        : undefined,
+    length: DATABASE_TYPE == 'postgres' || DATABASE_TYPE == 'mysql' || DATABASE_TYPE == 'mariadb' ? undefined : 32,
     default: VerificationTokenType.ACTIVATION
   })
   @Field()

package/server/templates/account-unlock-email.ts

@@ -1,4 +1,4 @@
-export function getUnlockUserEmailForm({ name, resetUrl }) {
+export function getUnlockUserEmailForm({ username, name, resetUrl }) {
   return `
   <html lang="en">
     <head>

package/server/templates/invitation-email.ts

@@ -1,4 +1,4 @@
-export function getInvitationEmailForm({ email, acceptUrl }) {
+export function getInvitationEmailForm({ username, email, acceptUrl }) {
   return `
   <html lang="en">
     <head>

package/server/templates/verification-email.ts

@@ -1,4 +1,4 @@
-export function getVerificationEmailForm({ name, verifyUrl }) {
+export function getVerificationEmailForm({ username, name, verifyUrl }) {
   return `
   <html lang="en">
     <head>

package/server/utils/check-user-has-role.ts

@@ -0,0 +1,29 @@
+import { Domain, getRepository } from '@things-factory/shell'
+
+import { User } from '../service/user/user'
+import { Role } from 'service'
+
+/**
+ * @description 사용자가 특정 도메인 또는 상위 도메인에서 특정 역할을 가지고 있는지 확인합니다.
+ *
+ * @param roleId 확인할 역할의 ID
+ * @param domain 역할을 확인할 도메인
+ * @param user 역할을 확인할 사용자
+ *
+ * @returns 사용자가 도메인 또는 상위 도메인에서 역할을 가지고 있는지 여부를 나타내는 boolean을 반환하는 Promise
+ */
+export async function checkUserHasRole(roleId: string, domain: Domain, user: User): Promise<Boolean> {
+  if (!roleId) {
+    return true
+  }
+
+  const me = await getRepository(User).findOne({
+    where: { id: user.id },
+    relations: ['roles']
+  })
+
+  return me.roles
+    .filter(role => role.domainId === domain.id || (domain.parentId && role.domainId === domain.parentId))
+    .map(role => role.id)
+    .includes(roleId)
+}