npm - @things-factory/auth-base - Versions diffs - 8.0.0-beta.8 → 8.0.0 - Mend

@things-factory/auth-base 8.0.0-beta.8 → 8.0.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (212) hide show

package/client/actions/auth.ts +24 -0
package/client/auth.ts +272 -0
package/client/bootstrap.ts +47 -0
package/client/directive/privileged.ts +28 -0
package/client/index.ts +3 -0
package/client/profiled.ts +83 -0
package/client/reducers/auth.ts +31 -0
package/dist-client/index.d.ts +0 -1
package/dist-client/index.js +0 -1
package/dist-client/index.js.map +1 -1
package/dist-client/tsconfig.tsbuildinfo +1 -1
package/dist-server/constants/error-code.d.ts +0 -2
package/dist-server/constants/error-code.js +1 -3
package/dist-server/constants/error-code.js.map +1 -1
package/dist-server/controllers/change-pwd.js +2 -2
package/dist-server/controllers/change-pwd.js.map +1 -1
package/dist-server/controllers/delete-user.js +12 -13
package/dist-server/controllers/delete-user.js.map +1 -1
package/dist-server/controllers/invitation.d.ts +1 -2
package/dist-server/controllers/invitation.js +5 -30
package/dist-server/controllers/invitation.js.map +1 -1
package/dist-server/controllers/profile.d.ts +3 -4
package/dist-server/controllers/profile.js +2 -20
package/dist-server/controllers/profile.js.map +1 -1
package/dist-server/controllers/signin.d.ts +1 -4
package/dist-server/controllers/signin.js +1 -17
package/dist-server/controllers/signin.js.map +1 -1
package/dist-server/controllers/signup.js +4 -13
package/dist-server/controllers/signup.js.map +1 -1
package/dist-server/controllers/unlock-user.js +0 -1
package/dist-server/controllers/unlock-user.js.map +1 -1
package/dist-server/controllers/verification.js +0 -1
package/dist-server/controllers/verification.js.map +1 -1
package/dist-server/middlewares/signin-middleware.js +4 -9
package/dist-server/middlewares/signin-middleware.js.map +1 -1
package/dist-server/middlewares/webauthn-middleware.js.map +1 -1
package/dist-server/migrations/1548206416130-SeedUser.js +1 -2
package/dist-server/migrations/1548206416130-SeedUser.js.map +1 -1
package/dist-server/router/auth-checkin-router.js +2 -8
package/dist-server/router/auth-checkin-router.js.map +1 -1
package/dist-server/router/auth-private-process-router.js +7 -12
package/dist-server/router/auth-private-process-router.js.map +1 -1
package/dist-server/router/auth-public-process-router.js +9 -20
package/dist-server/router/auth-public-process-router.js.map +1 -1
package/dist-server/router/auth-signin-router.js +3 -3
package/dist-server/router/auth-signin-router.js.map +1 -1
package/dist-server/router/webauthn-router.js +1 -51
package/dist-server/router/webauthn-router.js.map +1 -1
package/dist-server/service/invitation/invitation-mutation.d.ts +2 -3
package/dist-server/service/invitation/invitation-mutation.js +8 -20
package/dist-server/service/invitation/invitation-mutation.js.map +1 -1
package/dist-server/service/user/user-mutation.d.ts +9 -10
package/dist-server/service/user/user-mutation.js +54 -112
package/dist-server/service/user/user-mutation.js.map +1 -1
package/dist-server/service/user/user-types.d.ts +0 -1
package/dist-server/service/user/user-types.js +0 -4
package/dist-server/service/user/user-types.js.map +1 -1
package/dist-server/service/user/user.d.ts +0 -1
package/dist-server/service/user/user.js +14 -40
package/dist-server/service/user/user.js.map +1 -1
package/dist-server/templates/account-unlock-email.d.ts +1 -2
package/dist-server/templates/account-unlock-email.js +1 -1
package/dist-server/templates/account-unlock-email.js.map +1 -1
package/dist-server/templates/invitation-email.d.ts +1 -2
package/dist-server/templates/invitation-email.js +1 -1
package/dist-server/templates/invitation-email.js.map +1 -1
package/dist-server/templates/verification-email.d.ts +1 -2
package/dist-server/templates/verification-email.js +1 -1
package/dist-server/templates/verification-email.js.map +1 -1
package/dist-server/tsconfig.tsbuildinfo +1 -1
package/package.json +6 -6
package/server/constants/error-code.ts +20 -0
package/server/constants/error-message.ts +0 -0
package/server/constants/max-age.ts +1 -0
package/server/controllers/auth.ts +5 -0
package/server/controllers/change-pwd.ts +99 -0
package/server/controllers/checkin.ts +21 -0
package/server/controllers/delete-user.ts +68 -0
package/server/controllers/invitation.ts +132 -0
package/server/controllers/profile.ts +28 -0
package/server/controllers/reset-password.ts +126 -0
package/server/controllers/signin.ts +79 -0
package/server/controllers/signup.ts +60 -0
package/server/controllers/unlock-user.ts +61 -0
package/server/controllers/utils/make-invitation-token.ts +5 -0
package/server/controllers/utils/make-verification-token.ts +4 -0
package/server/controllers/utils/password-rule.ts +120 -0
package/server/controllers/utils/save-invitation-token.ts +10 -0
package/server/controllers/utils/save-verification-token.ts +12 -0
package/server/controllers/verification.ts +83 -0
package/server/errors/auth-error.ts +24 -0
package/server/errors/index.ts +2 -0
package/server/errors/user-domain-not-match-error.ts +29 -0
package/server/index.ts +37 -0
package/server/middlewares/authenticate-401-middleware.ts +114 -0
package/server/middlewares/domain-authenticate-middleware.ts +78 -0
package/server/middlewares/graphql-authenticate-middleware.ts +13 -0
package/server/middlewares/index.ts +67 -0
package/server/middlewares/jwt-authenticate-middleware.ts +84 -0
package/server/middlewares/signin-middleware.ts +55 -0
package/server/middlewares/webauthn-middleware.ts +127 -0
package/server/migrations/1548206416130-SeedUser.ts +59 -0
package/server/migrations/1566805283882-SeedPrivilege.ts +28 -0
package/server/migrations/index.ts +9 -0
package/server/router/auth-checkin-router.ts +107 -0
package/server/router/auth-private-process-router.ts +107 -0
package/server/router/auth-public-process-router.ts +302 -0
package/server/router/auth-signin-router.ts +55 -0
package/server/router/auth-signup-router.ts +95 -0
package/server/router/index.ts +9 -0
package/server/router/oauth2/index.ts +2 -0
package/server/router/oauth2/oauth2-authorize-router.ts +81 -0
package/server/router/oauth2/oauth2-router.ts +165 -0
package/server/router/oauth2/oauth2-server.ts +262 -0
package/server/router/oauth2/passport-oauth2-client-password.ts +87 -0
package/server/router/oauth2/passport-refresh-token.ts +87 -0
package/server/router/path-base-domain-router.ts +8 -0
package/server/router/site-root-router.ts +48 -0
package/server/router/webauthn-router.ts +87 -0
package/server/routes.ts +80 -0
package/server/service/app-binding/app-binding-mutation.ts +22 -0
package/server/service/app-binding/app-binding-query.ts +92 -0
package/server/service/app-binding/app-binding-types.ts +11 -0
package/server/service/app-binding/app-binding.ts +17 -0
package/server/service/app-binding/index.ts +4 -0
package/server/service/appliance/appliance-mutation.ts +113 -0
package/server/service/appliance/appliance-query.ts +76 -0
package/server/service/appliance/appliance-types.ts +56 -0
package/server/service/appliance/appliance.ts +133 -0
package/server/service/appliance/index.ts +6 -0
package/server/service/application/application-mutation.ts +104 -0
package/server/service/application/application-query.ts +98 -0
package/server/service/application/application-types.ts +76 -0
package/server/service/application/application.ts +216 -0
package/server/service/application/index.ts +6 -0
package/server/service/auth-provider/auth-provider-mutation.ts +159 -0
package/server/service/auth-provider/auth-provider-parameter-spec.ts +24 -0
package/server/service/auth-provider/auth-provider-query.ts +88 -0
package/server/service/auth-provider/auth-provider-type.ts +67 -0
package/server/service/auth-provider/auth-provider.ts +155 -0
package/server/service/auth-provider/index.ts +7 -0
package/server/service/domain-generator/domain-generator-mutation.ts +117 -0
package/server/service/domain-generator/domain-generator-types.ts +46 -0
package/server/service/domain-generator/index.ts +3 -0
package/server/service/granted-role/granted-role-mutation.ts +156 -0
package/server/service/granted-role/granted-role-query.ts +60 -0
package/server/service/granted-role/granted-role.ts +27 -0
package/server/service/granted-role/index.ts +6 -0
package/server/service/index.ts +90 -0
package/server/service/invitation/index.ts +6 -0
package/server/service/invitation/invitation-mutation.ts +63 -0
package/server/service/invitation/invitation-query.ts +33 -0
package/server/service/invitation/invitation-types.ts +11 -0
package/server/service/invitation/invitation.ts +63 -0
package/server/service/login-history/index.ts +5 -0
package/server/service/login-history/login-history-query.ts +51 -0
package/server/service/login-history/login-history-type.ts +12 -0
package/server/service/login-history/login-history.ts +45 -0
package/server/service/partner/index.ts +6 -0
package/server/service/partner/partner-mutation.ts +61 -0
package/server/service/partner/partner-query.ts +102 -0
package/server/service/partner/partner-types.ts +11 -0
package/server/service/partner/partner.ts +57 -0
package/server/service/password-history/index.ts +3 -0
package/server/service/password-history/password-history.ts +16 -0
package/server/service/privilege/index.ts +6 -0
package/server/service/privilege/privilege-directive.ts +77 -0
package/server/service/privilege/privilege-mutation.ts +92 -0
package/server/service/privilege/privilege-query.ts +94 -0
package/server/service/privilege/privilege-types.ts +60 -0
package/server/service/privilege/privilege.ts +102 -0
package/server/service/role/index.ts +6 -0
package/server/service/role/role-mutation.ts +109 -0
package/server/service/role/role-query.ts +155 -0
package/server/service/role/role-types.ts +81 -0
package/server/service/role/role.ts +72 -0
package/server/service/user/domain-query.ts +24 -0
package/server/service/user/index.ts +7 -0
package/server/service/user/user-mutation.ts +413 -0
package/server/service/user/user-query.ts +145 -0
package/server/service/user/user-types.ts +97 -0
package/server/service/user/user.ts +354 -0
package/server/service/users-auth-providers/index.ts +5 -0
package/server/service/users-auth-providers/users-auth-providers.ts +71 -0
package/server/service/verification-token/index.ts +3 -0
package/server/service/verification-token/verification-token.ts +60 -0
package/server/service/web-auth-credential/index.ts +3 -0
package/server/service/web-auth-credential/web-auth-credential.ts +67 -0
package/server/templates/account-unlock-email.ts +65 -0
package/server/templates/invitation-email.ts +66 -0
package/server/templates/reset-password-email.ts +65 -0
package/server/templates/verification-email.ts +66 -0
package/server/types.ts +21 -0
package/server/utils/accepts.ts +11 -0
package/server/utils/access-token-cookie.ts +61 -0
package/server/utils/check-permission.ts +52 -0
package/server/utils/check-user-belongs-domain.ts +19 -0
package/server/utils/check-user-has-role.ts +29 -0
package/server/utils/encrypt-state.ts +22 -0
package/server/utils/get-aes-256-key.ts +13 -0
package/server/utils/get-domain-from-hostname.ts +7 -0
package/server/utils/get-domain-users.ts +38 -0
package/server/utils/get-secret.ts +13 -0
package/server/utils/get-user-domains.ts +112 -0
package/translations/en.json +1 -5
package/translations/ja.json +1 -5
package/translations/ko.json +3 -6
package/translations/ms.json +1 -5
package/translations/zh.json +1 -5
package/dist-client/verify-webauthn.d.ts +0 -13
package/dist-client/verify-webauthn.js +0 -72
package/dist-client/verify-webauthn.js.map +0 -1

package/server/service/user/user-mutation.ts ADDED Viewed

@@ -0,0 +1,413 @@
+import { Arg, Ctx, Directive, Mutation, Resolver } from 'type-graphql'
+import { GraphQLEmailAddress } from 'graphql-scalars'
+import { ILike, In, SelectQueryBuilder, EntityManager } from 'typeorm'
+import { config } from '@things-factory/env'
+import { Domain, getRepository, ObjectRef } from '@things-factory/shell'
+import { deleteUser as commonDeleteUser, deleteUsers as commonDeleteUsers } from '../../controllers/delete-user'
+import { buildDomainUsersQueryBuilder } from '../../utils/get-domain-users'
+import { Role } from '../role/role'
+import { User, UserStatus } from './user'
+import { NewUser, UserPatch } from './user-types'
+@Resolver(User)
+export class UserMutation {
+  @Directive('@privilege(category: "user", privilege: "mutation", domainOwnerGranted: true)')
+  @Directive('@transaction')
+  @Mutation(returns => User, { description: 'To create new user' })
+  async createUser(@Arg('user') user: NewUser, @Ctx() context: ResolverContext) {
+    const { domain, tx } = context.state
+    const { defaultPassword } = config.get('password')
+    const { email } = user
+    user.email = email.trim()
+    const oldUser: User = await getRepository(User, tx).findOne({ where: { email: ILike(user.email) } })
+    if (oldUser) {
+      throw new Error(context.t('error.x already exists in y', { x: context.t('field.user'), y: 'operato' }))
+    }
+    if (!user.password && !defaultPassword) {
+      throw new Error(context.t('error.initial password or default password should be supported'))
+    }
+    // consider if validation password rule is required
+    /* check if password is following the rule */
+    // User.validatePasswordByRule(user.password, context.lng)
+    const salt = User.generateSalt()
+    return await getRepository(User, tx).save({
+      creator: context.state.user,
+      updater: context.state.user,
+      ...user,
+      domains: [domain],
+      roles:
+        user.roles && user.roles.length
+          ? await getRepository(Role, tx).findBy({
+              id: In(user.roles.map(role => role.id)),
+              domain: { id: domain.id }
+            })
+          : [],
+      salt,
+      passwordUpdatedAt: new Date(),
+      password: user.password ? User.encode(user.password, salt) : User.encode(defaultPassword, salt)
+    })
+  }
+  @Directive('@privilege(category: "user", privilege: "mutation", domainOwnerGranted: true)')
+  @Directive('@transaction')
+  @Mutation(returns => User, { description: 'To modify user information' })
+  async updateUser(
+    @Arg('email', type => GraphQLEmailAddress) email: string,
+    @Arg('patch') patch: UserPatch,
+    @Ctx() context: ResolverContext
+  ) {
+    const { domain, user: updater, tx }: { domain: Domain; user: User; tx?: EntityManager } = context.state
+    const qb: SelectQueryBuilder<User> = buildDomainUsersQueryBuilder(domain.id, 'USER')
+    const user: User = await qb
+      .andWhere('LOWER(USER.email) = :email', { email: email?.toLowerCase().trim() || '' })
+      .leftJoinAndSelect('USER.roles', 'ROLES')
+      .leftJoinAndSelect('ROLES.domain', 'R_DOMAIN')
+      .getOne()
+    if (patch.roles) {
+      patch.roles = await getRepository(Role, tx).find({
+        where: { id: In(patch.roles.map((r: Partial<Role>) => r.id)) }
+      })
+    }
+    if (patch.status && patch.status === 'activated') {
+      user.status = UserStatus.ACTIVATED
+    }
+    return await getRepository(User, tx).save({
+      ...user,
+      ...patch,
+      updater
+    } as any)
+  }
+  @Directive('@privilege(category: "user", privilege: "mutation", domainOwnerGranted: true)')
+  @Directive('@transaction')
+  @Mutation(returns => [User], { description: 'To modify multiple users information' })
+  async updateMultipleUser(@Arg('patches', type => [UserPatch]) patches: UserPatch[], @Ctx() context: ResolverContext) {
+    const { domain, user, tx } = context.state
+    const userRepo = getRepository(User, tx)
+    let results = []
+    const _createRecords = patches.filter((patch: any) => patch.cuFlag.toUpperCase() === '+')
+    const _updateRecords = patches.filter((patch: any) => patch.cuFlag.toUpperCase() === 'M')
+    if (_createRecords.length > 0) {
+      for (let i = 0; i < _createRecords.length; i++) {
+        const newRecord = _createRecords[i]
+        // consider if validation password rule is required
+        /* check if password is following the rule */
+        // User.validatePasswordByRule(newRecord.password, context.lng)
+        const salt = User.generateSalt()
+        const result = await userRepo.save({
+          ...(newRecord as any),
+          domains: [domain],
+          salt,
+          password: User.encode(newRecord.password, salt),
+          passwordUpdatedAt: new Date(),
+          creator: user,
+          updater: user
+        })
+        // repository api는 작동하지 않음.
+        // await tx
+        //   .createQueryBuilder()
+        //   .insert()
+        //   .into('users_domains')
+        //   .values({
+        //     usersId: result.id,
+        //     domainsId: domain.id
+        //   })
+        //   .execute()
+        results.push({ ...result, cuFlag: '+' })
+      }
+    }
+    if (_updateRecords.length > 0) {
+      for (let i = 0; i < _updateRecords.length; i++) {
+        const updateRecord = _updateRecords[i]
+        // consider if validation password rule is required
+        /* check if password is following the rule */
+        // User.validatePasswordByRule(updateRecord.password, context.lng)
+        const user = await userRepo.findOne({ where: { id: updateRecord.id }, relations: ['domains'] })
+        var domains = user.domains.find(d => d.id === domain.id) ? user.domains : [...user.domains, domain]
+        const result = await userRepo.save({
+          ...user,
+          ...(updateRecord as any),
+          domains,
+          password: updateRecord.password ? User.encode(updateRecord.password, user.salt) : user.password,
+          updater: user
+        })
+        if (!updateRecord.status) {
+          continue
+        }
+        // const domain = await user.domain
+        // if (!domain) {
+        //   continue
+        // }
+        // const domainId = domain.id
+        // const domains = await user.domains
+        // if (!domains.find(domain => domain.id == domainId)) {
+        //   await tx
+        //     .createQueryBuilder()
+        //     .insert()
+        //     .into('users_domains')
+        //     .values({
+        //       usersId: user.id,
+        //       domainsId: domain.id
+        //     })
+        //     .execute()
+        // }
+        results.push({ ...result, cuFlag: 'M' })
+      }
+    }
+    return results
+  }
+  @Directive('@privilege(category: "user", privilege: "mutation", domainOwnerGranted: true)')
+  @Directive('@transaction')
+  @Mutation(returns => Boolean, { description: 'To delete a user' })
+  async deleteUser(@Arg('email', type => GraphQLEmailAddress) email: string, @Ctx() context: ResolverContext) {
+    const { tx } = context.state
+    await commonDeleteUser({ email }, tx)
+    return true
+  }
+  @Directive('@privilege(category: "user", privilege: "mutation", domainOwnerGranted: true)')
+  @Directive('@transaction')
+  @Mutation(returns => Boolean, { description: 'To delete some users' })
+  async deleteUsers(@Arg('emails', type => [String]) emails: string[], @Ctx() context: ResolverContext) {
+    const { tx } = context.state
+    await commonDeleteUsers({ emails }, tx)
+    return true
+  }
+  @Directive('@transaction')
+  @Mutation(returns => Boolean, { description: 'To invite new user' })
+  async inviteUser(
+    @Arg('email', type => GraphQLEmailAddress) email: string,
+    @Ctx() context: ResolverContext
+  ): Promise<boolean> {
+    const { domain, tx } = context.state
+    const invitee: User = await getRepository(User, tx).findOne({
+      where: { email: ILike(email) },
+      relations: ['domains']
+    })
+    if (!invitee) {
+      throw new Error(context.t('error.failed to find x', { x: context.t('field.user') }))
+    }
+    const existingDomains: Domain[] = invitee.domains
+    if (existingDomains.find((d: Domain) => d.id === domain.id)) {
+      throw new Error(context.t('error.x already exists in y', { x: context.t('field.user'), y: domain.name }))
+    }
+    invitee.domains = [...existingDomains, domain]
+    await getRepository(User, tx).save(invitee)
+    return true
+  }
+  @Directive('@transaction')
+  @Directive('@privilege(category: "user", privilege: "mutation", domainOwnerGranted: true)')
+  @Mutation(returns => Boolean, { description: 'To delete domain user' })
+  async deleteDomainUser(
+    @Arg('email', type => GraphQLEmailAddress) email: string,
+    @Ctx() context: ResolverContext
+  ): Promise<boolean> {
+    const { tx, domain } = context.state
+    let user: User = await getRepository(User, tx).findOne({
+      where: { email: ILike(email) },
+      relations: ['domains', 'roles', 'roles.domain']
+    })
+    if (!user) {
+      throw new Error(context.t('error.failed to find x', { x: context.t('field.user') }))
+    }
+    const targetDomainIdx: number = user.domains.findIndex((userDomain: Domain) => userDomain.id === domain.id)
+    if (targetDomainIdx < 0) {
+      throw new Error(context.t('error.x is not a member of y', { x: user.name, y: domain.name }))
+    }
+    // Remove domain relation with user
+    user.domains.splice(targetDomainIdx, 1)
+    // Remove domain's roles that user has
+    user.roles = user.roles.filter((role: Role) => role.domain.id !== domain.id)
+    await getRepository(User, tx).save(user)
+    return true
+  }
+  @Directive('@privilege(domainOwnerGranted: true, superUserGranted: true)')
+  @Directive('@transaction')
+  @Mutation(returns => Boolean, { description: 'To transfer owner of domain' })
+  async transferOwner(
+    @Arg('email', type => GraphQLEmailAddress) email: string,
+    @Ctx() context: ResolverContext
+  ): Promise<boolean> {
+    const { domain, tx } = context.state
+    const user: User = await getRepository(User, tx).findOne({
+      where: { email: ILike(email) },
+      relations: ['domains', 'roles']
+    })
+    if (!user) {
+      throw new Error('Failed to find user')
+    }
+    if (user.status !== UserStatus.ACTIVATED) {
+      throw new Error('Only activated users are eligible to receive admin privileges.')
+    }
+    if (user.domains.map((d: Domain) => d.id).indexOf(domain.id) < 0) {
+      throw new Error(`User is not belongs to current domain`)
+    }
+    if (user.roles.filter((r: Role) => r.domainId == domain.id).length == 0) {
+      throw new Error(`Only users with at least one role in this domain are eligible to receive admin privileges.`)
+    }
+    domain.owner = user.id
+    await getRepository(Domain, tx).save(domain)
+    return true
+  }
+  @Directive('@privilege(category: "user", privilege: "mutation", domainOwnerGranted: true)')
+  @Directive('@transaction')
+  @Mutation(returns => Boolean, { description: 'To activate user' })
+  async activateUser(@Arg('userId') userId: string, @Ctx() context: ResolverContext): Promise<boolean> {
+    const { tx, domain } = context.state
+    const targetUser: User = await getRepository(User, tx).findOne({
+      where: { id: userId },
+      relations: ['domains']
+    })
+    if (!targetUser) {
+      throw new Error('No user found')
+    }
+    if (!targetUser?.domains?.find((userDomain: Domain) => userDomain.id === domain.id)) {
+      throw new Error('User is not belong to domain')
+    }
+    targetUser.failCount = 0
+    targetUser.status = UserStatus.ACTIVATED
+    await getRepository(User, tx).save(targetUser)
+    return true
+  }
+  @Directive('@privilege(category: "user", privilege: "mutation", domainOwnerGranted: true)')
+  @Directive('@transaction')
+  @Mutation(returns => Boolean, { description: 'To inactivate user' })
+  async inactivateUser(@Arg('userId') userId: string, @Ctx() context: ResolverContext): Promise<boolean> {
+    const { tx, domain } = context.state
+    const targetUser: User = await getRepository(User, tx).findOne({
+      where: { id: userId },
+      relations: ['domains']
+    })
+    if (!targetUser) {
+      throw new Error('No user found')
+    }
+    if (!targetUser?.domains?.find((userDomain: Domain) => userDomain.id === domain.id)) {
+      throw new Error('User is not belong to domain')
+    }
+    if (targetUser.userType == 'admin' || targetUser.id === domain.owner) {
+      throw new Error('Admin deactivation not allowed')
+    }
+    targetUser.status = UserStatus.INACTIVE
+    await getRepository(User, tx).save(targetUser)
+    return true
+  }
+  @Directive('@privilege(category: "user", privilege: "mutation", domainOwnerGranted: true)')
+  @Directive('@transaction')
+  @Mutation(returns => Boolean, { description: 'To reset password to default' })
+  async resetPasswordToDefault(@Arg('userId') userId: string, @Ctx() context: ResolverContext): Promise<boolean> {
+    const { tx, domain } = context.state
+    const { defaultPassword } = config.get('password')
+    if (!defaultPassword) {
+      throw new Error('No default password found')
+    }
+    const targetUser: User = await getRepository(User, tx).findOne({
+      where: { id: userId },
+      relations: ['domains']
+    })
+    if (!targetUser) {
+      throw new Error('No user found')
+    }
+    if (!targetUser?.domains?.find((userDomain: Domain) => userDomain.id === domain.id)) {
+      throw new Error('User is not belong to domain')
+    }
+    targetUser.salt = User.generateSalt()
+    targetUser.password = User.encode(defaultPassword, targetUser.salt)
+    await getRepository(User, tx).save(targetUser)
+    return true
+  }
+  @Directive('@privilege(category: "user", privilege: "mutation", domainOwnerGranted: true)')
+  @Directive('@transaction')
+  @Mutation(returns => User, { description: 'To update roles for a user' })
+  async updateUserRoles(
+    @Arg('userId') userId: string,
+    @Arg('availableRoles', type => [ObjectRef]) availableRoles: ObjectRef[],
+    @Arg('selectedRoles', type => [ObjectRef]) selectedRoles: ObjectRef[],
+    @Ctx() context: ResolverContext
+  ) {
+    const { domain, tx } = context.state
+    let user: User = await getRepository(User, tx).findOne({
+      where: { id: userId },
+      relations: ['domains', 'roles']
+    })
+    if (!user) {
+      throw new Error('Failed to find user')
+    }
+    if (user.domains.map((d: Domain) => d.id).indexOf(domain.id) < 0) {
+      throw new Error(`User is not belongs to current domain`)
+    }
+    const availableRoleIds: string[] = availableRoles.map((r: Role) => r.id)
+    user.roles = user.roles.filter((r: Role) => availableRoleIds.indexOf(r.id) < 0)
+    user.roles = user.roles.concat(selectedRoles as Role[])
+    return await getRepository(User, tx).save(user)
+  }
+}

package/server/service/user/user-query.ts ADDED Viewed

@@ -0,0 +1,145 @@
+import { Arg, Args, Ctx, Directive, FieldResolver, Query, Resolver, Root } from 'type-graphql'
+import { GraphQLEmailAddress } from 'graphql-scalars'
+import { ILike, SelectQueryBuilder } from 'typeorm'
+import { config } from '@things-factory/env'
+import { getRepository, ListParam, getQueryBuilderFromListParams } from '@things-factory/shell'
+import { checkUserBelongsDomain } from '../../utils/check-user-belongs-domain'
+import { buildDomainUsersQueryBuilder } from '../../utils/get-domain-users'
+import { User } from './user'
+import { PasswordRule, UserList } from './user-types'
+const passwordRule = config.get('password') || {
+  lowerCase: true,
+  upperCase: true,
+  digit: true,
+  specialCharacter: true,
+  allowRepeat: false,
+  useTightPattern: true,
+  useLoosePattern: false,
+  tightCharacterLength: 8,
+  looseCharacterLength: 15
+}
+@Resolver(User)
+export class UserQuery {
+  @Query(returns => PasswordRule, {
+    description:
+      'Retrieves the current password rule configuration for the system, such as required character types and minimum length.'
+  })
+  passwordRule(@Ctx() context: ResolverContext): PasswordRule {
+    return passwordRule
+  }
+  @Directive('@privilege(category: "user", privilege: "query", domainOwnerGranted: true, superUserGranted: true)')
+  @Query(returns => User, { description: 'Fetches a user by their email address within the current domain.' })
+  async user(@Arg('email', type => GraphQLEmailAddress) email: string, @Ctx() context: ResolverContext): Promise<User> {
+    const { domain } = context.state
+    const qb: SelectQueryBuilder<User> = buildDomainUsersQueryBuilder(domain.id, 'USER')
+    qb.andWhere(`LOWER(USER.email) = :email`, { email: email.toLowerCase().trim() })
+    return qb.getOne()
+  }
+  @Directive('@privilege(category: "user", privilege: "query", domainOwnerGranted: true, superUserGranted: true)')
+  @Query(returns => UserList, {
+    description: 'Fetches a list of users based on provided search parameters within the current domain.'
+  })
+  async users(@Args(type => ListParam) params: ListParam, @Ctx() context: ResolverContext): Promise<UserList> {
+    const { domain } = context.state
+    const qb = getQueryBuilderFromListParams({
+      repository: getRepository(User),
+      params,
+      alias: 'USER',
+      searchables: ['name', 'email', 'description']
+    })
+    qb.select().andWhere(qb => {
+      const subQuery = qb
+        .subQuery()
+        .select('USERS_DOMAINS.users_id')
+        .from('users_domains', 'USERS_DOMAINS')
+        .where('USERS_DOMAINS.domains_id = :domainId', { domainId: domain.id })
+        .getQuery()
+      return 'USER.id IN ' + subQuery
+    })
+    const [items, total] = await qb.getManyAndCount()
+    const foundUsers: User[] = items.map((item: User) => {
+      item.owner = item.id === domain.owner
+      return item
+    })
+    return { items: foundUsers, total }
+  }
+  @Query(returns => Boolean, { description: 'Checks if the current authenticated user belongs to the current domain.' })
+  async checkUserBelongsDomain(@Ctx() context: ResolverContext): Promise<Boolean> {
+    const { user, domain } = context.state
+    if (user) {
+      return await checkUserBelongsDomain(domain, user)
+    } else {
+      throw new Error(`Failed to get current user information.`)
+    }
+  }
+  @Query(returns => Boolean, {
+    description: 'Determines whether the system provides a default password when creating a new user.'
+  })
+  async checkResettablePasswordToDefault(@Ctx() context: ResolverContext): Promise<Boolean> {
+    const { defaultPassword } = config.get('password')
+    return Boolean(defaultPassword)
+  }
+  @Query(returns => Boolean, {
+    description: 'Checks if the system is configured to provide a default password for new users.'
+  })
+  async checkDefaultPassword(@Ctx() context: ResolverContext): Promise<Boolean> {
+    const { defaultPassword } = config.get('password')
+    return Boolean(defaultPassword)
+  }
+  @Directive('@privilege(category: "user", privilege: "query")')
+  @Query(returns => Boolean, { description: 'Checks if a user with the given email address exists in the system.' })
+  async checkUserExistence(@Arg('email', type => GraphQLEmailAddress) email: string): Promise<Boolean> {
+    return Boolean(await getRepository(User).count({ where: { email: ILike(email) } }))
+  }
+  @FieldResolver()
+  async domains(@Root() user: User) {
+    return (
+      await getRepository(User).findOne({
+        where: { id: user.id },
+        relations: ['domains']
+      })
+    ).domains
+  }
+  @FieldResolver()
+  async roles(@Root() user: User) {
+    return (
+      await getRepository(User).findOne({
+        where: { id: user.id },
+        relations: ['roles']
+      })
+    ).roles
+  }
+  @FieldResolver()
+  async updater(@Root() user: User): Promise<User> {
+    return await getRepository(User).findOneBy({ id: user.updaterId })
+  }
+  @FieldResolver()
+  async creator(@Root() user: User): Promise<User> {
+    return await getRepository(User).findOneBy({ id: user.creatorId })
+  }
+}

package/server/service/user/user-types.ts ADDED Viewed

@@ -0,0 +1,97 @@
+import { ObjectType, InputType, Field, ID, Int } from 'type-graphql'
+import { GraphQLEmailAddress } from 'graphql-scalars'
+import { ObjectRef } from '@things-factory/shell'
+import { User } from './user'
+@ObjectType()
+export class PasswordRule {
+  @Field({ nullable: true })
+  lowerCase?: boolean
+  @Field({ nullable: true })
+  upperCase?: boolean
+  @Field({ nullable: true })
+  digit?: boolean
+  @Field({ nullable: true })
+  specialCharacter?: boolean
+  @Field({ nullable: true })
+  allowRepeat?: boolean
+  @Field({ nullable: true })
+  useTightPattern?: boolean
+  @Field({ nullable: true })
+  useLoosePattern?: boolean
+  @Field({ nullable: true })
+  tightCharacterLength?: number
+  @Field({ nullable: true })
+  looseCharacterLength?: number
+}
+@InputType()
+export class NewUser {
+  @Field()
+  name: string
+  @Field({ nullable: true })
+  description?: string
+  @Field(type => GraphQLEmailAddress)
+  email: string
+  @Field({ nullable: true })
+  password?: string
+  @Field({ nullable: true })
+  userType?: string
+  @Field(type => [ObjectRef], { nullable: true })
+  roles?: ObjectRef[]
+}
+@InputType()
+export class UserPatch {
+  @Field(type => ID, { nullable: true })
+  id?: string
+  @Field({ nullable: true })
+  name?: string
+  @Field(type => [ObjectRef], { nullable: true })
+  domains?: [ObjectRef]
+  @Field({ nullable: true })
+  description?: string
+  @Field(type => GraphQLEmailAddress, { nullable: true })
+  email?: string
+  @Field({ nullable: true })
+  password?: string
+  @Field({ nullable: true })
+  status?: string
+  @Field(type => [ObjectRef], { nullable: true })
+  roles?: ObjectRef[]
+  @Field({ nullable: true })
+  userType?: string
+  @Field({ nullable: true })
+  cuFlag?: string
+}
+@ObjectType()
+export class UserList {
+  @Field(type => [User], { nullable: true })
+  items: User[]
+  @Field(type => Int, { nullable: true })
+  total: number
+}