@tomei/sso 0.15.5 → 0.15.6

package/src/components/login-user/login-user.ts

@@ -1,749 +1,749 @@
-import { LoginUserBase } from '@tomei/general';
-import { ISessionService } from '../../session/interfaces/session-service.interface';
-import { IUserAttr } from './interfaces/user-info.interface';
-import { UserRepository } from './user.repository';
-import { SystemRepository } from '../system/system.repository';
-import { SystemAccessRepository } from '../system-access/system-access.repository';
-import { LoginHistoryRepository } from '../login-history/login-history.repository';
-import { UserUserGroupRepository } from '../user-user-group/user-user-group.repository';
-import { PasswordHashService } from '../password-hash/password-hash.service';
-import { UserGroupRepository } from '../user-group/user-group.repository';
-import { SMTPMailer } from '@tomei/mailer';
-import { ISystemLogin } from '../../../src/interfaces/system-login.interface';
-import Staff from '../../models/staff.entity';
-import SystemPrivilege from '../../models/system-privilege.entity';
-import LoginHistory from '../../models/login-history.entity';
-import GroupSystemPrivilege from '../../models/group-system-privilege.entity';
-import GroupRolePrivilege from '../../models/group-role-privilege.entity';
-import UserGroup from '../../models/user-group.entity';
-import { YN } from '../../enum/yn.enum';
-
-export class LoginUser extends LoginUserBase {
-  ObjectId: string;
-  Email: string;
-  private _Password: string;
-  private _Status: string;
-  private _DefaultPasswordChangedYN: YN;
-  private _FirstLoginAt: Date;
-  private _LastLoginAt: Date;
-  private _MFAEnabled: number;
-  private _MFAConfig: string;
-  private _RecoveryEmail: string;
-  private _FailedLoginAttemptCount: number;
-  private _LastFailedLoginAt: Date;
-  private _LastPasswordChangedAt: Date;
-  private _NeedToChangePasswordYN: YN;
-  private _CreatedById: number;
-  private _CreatedAt: Date;
-  private _UpdatedById: number;
-  private _UpdatedAt: Date;
-  ObjectName = 'User';
-  TableName = 'sso_Users';
-  ObjectType = 'User';
-  staffs: any;
-
-  private _OriginIP: string;
-  private _SessionService: ISessionService;
-  private _PasswordHashService = new PasswordHashService();
-  private static _Repository = new UserRepository();
-  private static _SystemRepository = new SystemRepository();
-  private static _SystemAccessRepository = new SystemAccessRepository();
-  private static _LoginHistoryRepository = new LoginHistoryRepository();
-  private static _UserUserGroupRepository = new UserUserGroupRepository();
-  private static _UserGroupRepository = new UserGroupRepository();
-  private _dbTransaction: any;
-
-  get UserId(): number {
-    return parseInt(this.ObjectId);
-  }
-
-  private set UserId(value: number) {
-    this.ObjectId = value.toString();
-  }
-
-  get Password(): string {
-    return this._Password;
-  }
-
-  private set Password(value: string) {
-    this._Password = value;
-  }
-
-  get Status(): string {
-    return this._Status;
-  }
-
-  private set Status(value: string) {
-    this._Status = value;
-  }
-
-  get DefaultPasswordChangedYN(): YN {
-    return this._DefaultPasswordChangedYN;
-  }
-
-  private set DefaultPasswordChangedYN(value: YN) {
-    this._DefaultPasswordChangedYN = value;
-  }
-
-  get FirstLoginAt(): Date {
-    return this._FirstLoginAt;
-  }
-
-  private set FirstLoginAt(value: Date) {
-    this._FirstLoginAt = value;
-  }
-
-  get LastLoginAt(): Date {
-    return this._LastLoginAt;
-  }
-
-  private set LastLoginAt(value: Date) {
-    this._LastLoginAt = value;
-  }
-
-  get MFAEnabled(): number {
-    return this._MFAEnabled;
-  }
-
-  private set MFAEnabled(value: number) {
-    this._MFAEnabled = value;
-  }
-
-  get MFAConfig(): string {
-    return this._MFAConfig;
-  }
-
-  private set MFAConfig(value: string) {
-    this._MFAConfig = value;
-  }
-
-  get RecoveryEmail(): string {
-    return this._RecoveryEmail;
-  }
-
-  private set RecoveryEmail(value: string) {
-    this._RecoveryEmail = value;
-  }
-
-  get FailedLoginAttemptCount(): number {
-    return this._FailedLoginAttemptCount;
-  }
-
-  private set FailedLoginAttemptCount(value: number) {
-    this._FailedLoginAttemptCount = value;
-  }
-
-  get LastFailedLoginAt(): Date {
-    return this._LastFailedLoginAt;
-  }
-
-  private set LastFailedLoginAt(value: Date) {
-    this._LastFailedLoginAt = value;
-  }
-
-  get LastPasswordChangedAt(): Date {
-    return this._LastPasswordChangedAt;
-  }
-
-  private set LastPasswordChangedAt(value: Date) {
-    this._LastPasswordChangedAt = value;
-  }
-
-  get NeedToChangePasswordYN(): YN {
-    return this._NeedToChangePasswordYN;
-  }
-
-  private set NeedToChangePasswordYN(value: YN) {
-    this._NeedToChangePasswordYN = value;
-  }
-
-  get CreatedById(): number {
-    return this._CreatedById;
-  }
-
-  private set CreatedById(value: number) {
-    this._CreatedById = value;
-  }
-
-  get CreatedAt(): Date {
-    return this._CreatedAt;
-  }
-
-  private set CreatedAt(value: Date) {
-    this._CreatedAt = value;
-  }
-
-  get UpdatedById(): number {
-    return this._UpdatedById;
-  }
-
-  private set UpdatedById(value: number) {
-    this._UpdatedById = value;
-  }
-
-  get UpdatedAt(): Date {
-    return this._UpdatedAt;
-  }
-
-  private set UpdatedAt(value: Date) {
-    this._UpdatedAt = value;
-  }
-
-  async getDetails(): Promise<{
-    FullName: string;
-    IDNo: string;
-    IDType: string;
-    Email: string;
-    ContactNo: string;
-  }> {
-    return {
-      FullName: this.FullName,
-      IDNo: this.IDNo,
-      IDType: this.IDType,
-      Email: this.Email,
-      ContactNo: this.ContactNo,
-    };
-  }
-
-  private constructor(
-    sessionService: ISessionService,
-    dbTransaction?: any,
-    userInfo?: IUserAttr,
-  ) {
-    super();
-    this._SessionService = sessionService;
-
-    if (dbTransaction) {
-      this._dbTransaction = dbTransaction;
-    }
-    // set all the class properties
-    if (userInfo) {
-      this.UserId = userInfo.UserId;
-      this.FullName = userInfo.FullName;
-      this.IDNo = userInfo.IDNo;
-      this.Email = userInfo.Email;
-      this.ContactNo = userInfo.ContactNo;
-      this.Password = userInfo.Password;
-      this.staffs = userInfo.staffs;
-    }
-  }
-
-  static async init(
-    sessionService: ISessionService,
-    userId?: number,
-    dbTransaction = null,
-  ): Promise<LoginUser> {
-    if (userId) {
-      if (dbTransaction) {
-        LoginUser._Repository = new UserRepository();
-      }
-      const user = await LoginUser._Repository.findOne({
-        where: {
-          UserId: userId,
-        },
-        include: [
-          {
-            model: Staff,
-          },
-        ],
-      });
-
-      if (!user) {
-        throw new Error('Invalid credentials.');
-      }
-
-      if (user) {
-        const userAttr: IUserAttr = {
-          UserId: user.UserId,
-          FullName: user.Staff.FullName,
-          IDNo: user.Staff.IdNo,
-          ContactNo: user.Staff.Mobile,
-          Email: user.Email,
-          Password: user.Password,
-          Status: user.Status,
-          DefaultPasswordChangedYN: user.DefaultPasswordChangedYN,
-          FirstLoginAt: user.FirstLoginAt,
-          LastLoginAt: user.LastLoginAt,
-          MFAEnabled: user.MFAEnabled,
-          MFAConfig: user.MFAConfig,
-          RecoveryEmail: user.RecoveryEmail,
-          FailedLoginAttemptCount: user.FailedLoginAttemptCount,
-          LastFailedLoginAt: user.LastFailedLoginAt,
-          LastPasswordChangedAt: user.LastPasswordChangedAt,
-          NeedToChangePasswordYN: user.NeedToChangePasswordYN,
-          CreatedById: user.CreatedById,
-          CreatedAt: user.CreatedAt,
-          UpdatedById: user.UpdatedById,
-          UpdatedAt: user.UpdatedAt,
-          staffs: user.Staff,
-        };
-
-        return new LoginUser(sessionService, dbTransaction, userAttr);
-      } else {
-        throw new Error('User not found');
-      }
-    }
-    return new LoginUser(sessionService, dbTransaction);
-  }
-
-  async login(
-    systemCode: string,
-    email: string,
-    password: string,
-    ipAddress: string,
-  ): Promise<string> {
-    try {
-      //validate email
-      if (!this.ObjectId) {
-        const user = await LoginUser._Repository.findOne({
-          where: {
-            Email: email,
-          },
-          include: [
-            {
-              model: Staff,
-            },
-          ],
-        });
-
-        const userAttr: IUserAttr = {
-          UserId: user.UserId,
-          FullName: user.Staff.FullName,
-          IDNo: user.Staff.IdNo,
-          ContactNo: user.Staff.Mobile,
-          Email: user.Email,
-          Password: user.Password,
-          Status: user.Status,
-          DefaultPasswordChangedYN: user.DefaultPasswordChangedYN,
-          FirstLoginAt: user.FirstLoginAt,
-          LastLoginAt: user.LastLoginAt,
-          MFAEnabled: user.MFAEnabled,
-          MFAConfig: user.MFAConfig,
-          RecoveryEmail: user.RecoveryEmail,
-          FailedLoginAttemptCount: user.FailedLoginAttemptCount,
-          LastFailedLoginAt: user.LastFailedLoginAt,
-          LastPasswordChangedAt: user.LastPasswordChangedAt,
-          NeedToChangePasswordYN: user.NeedToChangePasswordYN,
-          CreatedById: user.CreatedById,
-          CreatedAt: user.CreatedAt,
-          UpdatedById: user.UpdatedById,
-          UpdatedAt: user.UpdatedAt,
-          staffs: user.Staff,
-        };
-
-        this.UserId = userAttr.UserId;
-        this.FullName = userAttr.FullName;
-        this.IDNo = userAttr.IDNo;
-        this.Email = userAttr.Email;
-        this.ContactNo = userAttr.ContactNo;
-        this.Password = userAttr.Password;
-        this.Status = userAttr.Status;
-        this.DefaultPasswordChangedYN = userAttr.DefaultPasswordChangedYN;
-        this.FirstLoginAt = userAttr.FirstLoginAt;
-        this.LastLoginAt = userAttr.LastLoginAt;
-        this.MFAEnabled = userAttr.MFAEnabled;
-        this.MFAConfig = userAttr.MFAConfig;
-        this.RecoveryEmail = userAttr.RecoveryEmail;
-        this.FailedLoginAttemptCount = userAttr.FailedLoginAttemptCount;
-        this.LastFailedLoginAt = userAttr.LastFailedLoginAt;
-        this.LastPasswordChangedAt = userAttr.LastPasswordChangedAt;
-        this.NeedToChangePasswordYN = userAttr.NeedToChangePasswordYN;
-        this.CreatedById = userAttr.CreatedById;
-        this.CreatedAt = userAttr.CreatedAt;
-        this.UpdatedById = userAttr.UpdatedById;
-        this.UpdatedAt = userAttr.UpdatedAt;
-        this.staffs = userAttr.staffs;
-      }
-
-      if (this.ObjectId && this.Email !== email) {
-        throw new Error('Invalid credentials.');
-      }
-
-      //validate password
-      const isPasswordValid = await this._PasswordHashService.verify(
-        password,
-        this.Password,
-      );
-
-      if (!isPasswordValid) {
-        throw new Error('Invalid credentials.');
-      }
-
-      //validate system code
-      const system = await LoginUser._SystemRepository.findOne({
-        where: {
-          code: systemCode,
-        },
-      });
-
-      if (!system) {
-        throw new Error('Invalid system code.');
-      }
-
-      //validate system access
-      await this.checkSystemAccess(this.UserId, system.id);
-      // alert user if new login
-      await this.alertNewLogin(this.ObjectId, system.id.toString(), ipAddress);
-
-      // fetch user session if exists
-      const userSession = await this._SessionService.retrieveUserSession(
-        this.ObjectId,
-      );
-      let systemLogin = userSession.systemLogins.find(
-        (system) => system.code === systemCode,
-      );
-
-      // generate new session id
-      const { randomUUID } = require('crypto');
-      const sessionId = randomUUID();
-
-      if (systemLogin) {
-        systemLogin = systemLogin.sessionId = sessionId;
-        userSession.systemLogins.map((system) =>
-          system.code === systemCode ? systemLogin : system,
-        );
-      } else {
-        // if not, add new system login into the userSession
-        const newLogin = {
-          id: system.id.toString(),
-          code: system.Code,
-          sessionId: sessionId,
-          privileges: await this.getPrivileges(system.Code),
-        };
-        userSession.systemLogins.push(newLogin);
-      }
-      // then update userSession inside the redis storage with 1 day duration of time-to-live
-      this._SessionService.setUserSession(this.ObjectId, userSession);
-
-      // record new login history
-      await LoginUser._LoginHistoryRepository.create({
-        UserId: this.UserId,
-        SystemId: system.id,
-        OriginIp: ipAddress,
-        CreatedAt: new Date(),
-      });
-
-      return `${this.UserId}:${sessionId}`;
-    } catch (error) {
-      throw error;
-    }
-  }
-
-  private async checkSystemAccess(
-    userId: number,
-    systemId: number,
-  ): Promise<void> {
-    try {
-      const systemAccess = await LoginUser._SystemAccessRepository.findOne({
-        where: {
-          UserId: userId,
-          SystemId: systemId,
-        },
-      });
-
-      if (!systemAccess) {
-        throw new Error("User don't have access to the system.");
-      }
-    } catch (error) {
-      throw error;
-    }
-  }
-
-  private async alertNewLogin(
-    userId: string,
-    systemId: string,
-    ipAddress: string,
-  ) {
-    try {
-      const userLogins = await LoginUser._LoginHistoryRepository.findAll({
-        where: {
-          UserId: userId,
-          SystemId: systemId,
-        },
-      });
-
-      const gotPreviousLogins = userLogins?.length !== 0;
-      let ipFound: LoginHistory | undefined = undefined;
-      if (gotPreviousLogins) {
-        ipFound = userLogins.find((item) => item.OriginIp === ipAddress);
-      }
-
-      if (gotPreviousLogins && !ipFound) {
-        const EMAIL_SENDER =
-          process.env.EMAIL_SENDER || 'itd-system@tomei.com.my';
-        const transporter = new SMTPMailer();
-
-        await transporter.sendMail({
-          from: EMAIL_SENDER,
-          to: this.Email,
-          subject: 'New Login Alert',
-          html: `<p>Dear ${this.FullName},</p>
-                  <p>There was a new login to your account from ${ipAddress} on ${new Date().toLocaleString()}.</p>
-                  <p>If this was you, you can safely ignore this email.</p>
-                  <p>If you suspect that someone else is trying to access your account, please contact us immediately at itd-support@tomei.com.my.</p>
-                  <p>Thank you!,</p>
-                  <p>
-                      Best Regards,
-                      IT Department
-                  </p>`,
-        });
-      }
-    } catch (error) {
-      throw error;
-    }
-  }
-
-  private async getPrivileges(systemCode: string): Promise<string[]> {
-    try {
-      const system = await LoginUser._SystemRepository.findOne({
-        where: {
-          Code: systemCode,
-        },
-      });
-
-      if (!system) {
-        throw new Error('Invalid system code.');
-      }
-
-      // retrive user userGroups with system privileges
-      const userUserGroups = await this.getUserUserGroupFromDB(system.id);
-
-      // get all userGroup data from user userGroups
-      const userGroupData = userUserGroups.map((u) => u.UserGroup);
-      // get all privileges from userGroup data
-      let privileges: string[] = [];
-      for (const userGroup of userGroupData) {
-        const groupSystemPrivileges = userGroup.GroupSystemPrivileges.map(
-          (g) => g.SystemPrivilege.Code,
-        );
-        const groupRolePrivileges = userGroup.GroupRolePrivileges.map(
-          (g) => g.SystemPrivilege.Code,
-        );
-
-        // if userGroup is not root, get all parent tree privileges
-        if (
-          userGroup.GroupLevel !== 0 &&
-          userGroup.AllowInheritFromParentYN === 'Y'
-        ) {
-          // get all parent tree privileges
-          const parentTreePrivileges = await this.getPrivilegesFromUserGroup(
-            userGroup.ParentGroupCode,
-          );
-
-          privileges = [...privileges, ...parentTreePrivileges];
-        }
-
-        privileges = [
-          ...privileges,
-          ...groupSystemPrivileges,
-          ...groupRolePrivileges,
-        ];
-      }
-
-      // retrive all user personal privileges
-      const userPrivileges = await this.getUserPersonalPrivileges(system.id);
-
-      privileges = [...privileges, ...userPrivileges];
-      privileges = [...new Set(privileges)];
-      return privileges;
-    } catch (error) {
-      throw error;
-    }
-  }
-
-  private async getPrivilegesFromUserGroup(
-    groupCode: string,
-  ): Promise<string[]> {
-    try {
-      // Retrieve userGroup from the database based on groupCode
-      const userGroup = await this.getUserGroupFromDB(groupCode);
-      let privileges: string[] = [];
-
-      // Add privileges from the userGroup to the privileges array
-      privileges = [
-        ...privileges,
-        ...userGroup.GroupSystemPrivileges.map((g) => g.SystemPrivilege.Code),
-        ...userGroup.GroupRolePrivileges.map((g) => g.SystemPrivilege.Code),
-      ];
-
-      // Recursive call if conditions are not met and ParentGroupCode exists
-      const isContinue =
-        userGroup.GroupLevel !== 0 &&
-        userGroup.AllowInheritFromParentYN === 'Y';
-      if (isContinue) {
-        const recursivePrivileges = await this.getPrivilegesFromUserGroup(
-          userGroup.ParentGroupCode,
-        );
-        privileges = privileges.concat(recursivePrivileges);
-      }
-
-      // return privileges array
-      return privileges;
-    } catch (error) {
-      throw error;
-    }
-  }
-
-  private async getUserGroupFromDB(groupCode: string): Promise<any> {
-    try {
-      const userGroup = await LoginUser._UserGroupRepository.findOne({
-        where: {
-          GroupCode: groupCode,
-        },
-        include: [
-          {
-            model: GroupSystemPrivilege,
-            include: {
-              model: SystemPrivilege,
-            },
-          },
-          {
-            model: GroupRolePrivilege,
-            include: {
-              model: SystemPrivilege,
-            },
-          },
-        ],
-      });
-      return userGroup;
-    } catch (error) {
-      throw error;
-    }
-  }
-
-  private async getUserUserGroupFromDB(systemCode: number) {
-    try {
-      return await LoginUser._UserUserGroupRepository.findAll({
-        where: {
-          UserId: this.UserId,
-          SystemId: systemCode,
-        },
-        include: {
-          model: UserGroup,
-          include: [
-            {
-              model: GroupSystemPrivilege,
-              include: {
-                model: SystemPrivilege,
-              },
-            },
-            {
-              model: GroupRolePrivilege,
-              include: {
-                model: SystemPrivilege,
-              },
-            },
-          ],
-        },
-      });
-    } catch (error) {
-      throw error;
-    }
-  }
-
-  private async getUserPersonalPrivileges(systemId: number): Promise<string[]> {
-    try {
-      const userRole = await LoginUser._Repository.findOne({
-        where: {
-          UserId: this.ObjectId,
-        },
-        include: {
-          model: SystemPrivilege,
-        },
-      });
-
-      //retrive all user systemPrevileges data from user roles
-      let userSystemPrivileges = userRole.SystemPrivileges;
-
-      userSystemPrivileges = userSystemPrivileges.filter(
-        (u) => u.SystemId === systemId,
-      );
-
-      const userPrivileges: string[] = userSystemPrivileges.map((u) => u.Code);
-      return userPrivileges;
-    } catch (error) {
-      throw error;
-    }
-  }
-
-  async checkPrivileges(
-    systemCode: string,
-    privilegeName: string,
-  ): Promise<boolean> {
-    try {
-      if (!this.ObjectId) {
-        throw new Error('ObjectId(UserId) is not set');
-      }
-
-      const userSession = await this._SessionService.retrieveUserSession(
-        this.ObjectId,
-      );
-
-      const systemLogin = userSession.systemLogins.find(
-        (system) => system.code === systemCode,
-      );
-
-      if (!systemLogin) {
-        return false;
-      }
-
-      const privileges = systemLogin.privileges;
-      const hasPrivilege = privileges.includes(privilegeName);
-      return hasPrivilege;
-    } catch (error) {
-      throw error;
-    }
-  }
-
-  async checkSession(
-    systemCode: string,
-    sessionId: string,
-    userId: string,
-  ): Promise<ISystemLogin> {
-    try {
-      const userSession = await this._SessionService.retrieveUserSession(
-        userId,
-      );
-
-      if (userSession.systemLogins.length === 0) {
-        throw new Error('Session expired.');
-      }
-
-      const systemLogin = userSession.systemLogins.find(
-        (sl) => sl.code === systemCode,
-      );
-
-      if (!systemLogin) {
-        throw new Error('Session expired.');
-      }
-
-      if (systemLogin.sessionId !== sessionId) {
-        throw new Error('Session expired.');
-      }
-
-      await this._SessionService.refreshDuration(userId);
-
-      return systemLogin;
-    } catch (error) {
-      throw error;
-    }
-  }
-
-  async logout(systemCode: string) {
-    try {
-      if (!this.ObjectId) {
-        throw new Error('ObjectId(UserId) is not set');
-      }
-      const userSession = await this._SessionService.retrieveUserSession(
-        this.ObjectId,
-      );
-      const index = userSession.systemLogins.findIndex(
-        (system) => system.code === systemCode,
-      );
-      userSession.systemLogins.splice(index, 1);
-      this._SessionService.setUserSession(this.ObjectId, userSession);
-    } catch (error) {
-      throw error;
-    }
-  }
-}
+import { LoginUserBase } from '@tomei/general';
+import { ISessionService } from '../../session/interfaces/session-service.interface';
+import { IUserAttr } from './interfaces/user-info.interface';
+import { UserRepository } from './user.repository';
+import { SystemRepository } from '../system/system.repository';
+import { SystemAccessRepository } from '../system-access/system-access.repository';
+import { LoginHistoryRepository } from '../login-history/login-history.repository';
+import { UserUserGroupRepository } from '../user-user-group/user-user-group.repository';
+import { PasswordHashService } from '../password-hash/password-hash.service';
+import { UserGroupRepository } from '../user-group/user-group.repository';
+import { SMTPMailer } from '@tomei/mailer';
+import { ISystemLogin } from '../../../src/interfaces/system-login.interface';
+import Staff from '../../models/staff.entity';
+import SystemPrivilege from '../../models/system-privilege.entity';
+import LoginHistory from '../../models/login-history.entity';
+import GroupSystemPrivilege from '../../models/group-system-privilege.entity';
+import GroupRolePrivilege from '../../models/group-role-privilege.entity';
+import UserGroup from '../../models/user-group.entity';
+import { YN } from '../../enum/yn.enum';
+
+export class LoginUser extends LoginUserBase {
+  ObjectId: string;
+  Email: string;
+  private _Password: string;
+  private _Status: string;
+  private _DefaultPasswordChangedYN: YN;
+  private _FirstLoginAt: Date;
+  private _LastLoginAt: Date;
+  private _MFAEnabled: number;
+  private _MFAConfig: string;
+  private _RecoveryEmail: string;
+  private _FailedLoginAttemptCount: number;
+  private _LastFailedLoginAt: Date;
+  private _LastPasswordChangedAt: Date;
+  private _NeedToChangePasswordYN: YN;
+  private _CreatedById: number;
+  private _CreatedAt: Date;
+  private _UpdatedById: number;
+  private _UpdatedAt: Date;
+  ObjectName = 'User';
+  TableName = 'sso_Users';
+  ObjectType = 'User';
+  staffs: any;
+
+  private _OriginIP: string;
+  private _SessionService: ISessionService;
+  private _PasswordHashService = new PasswordHashService();
+  private static _Repository = new UserRepository();
+  private static _SystemRepository = new SystemRepository();
+  private static _SystemAccessRepository = new SystemAccessRepository();
+  private static _LoginHistoryRepository = new LoginHistoryRepository();
+  private static _UserUserGroupRepository = new UserUserGroupRepository();
+  private static _UserGroupRepository = new UserGroupRepository();
+  private _dbTransaction: any;
+
+  get UserId(): number {
+    return parseInt(this.ObjectId);
+  }
+
+  private set UserId(value: number) {
+    this.ObjectId = value.toString();
+  }
+
+  get Password(): string {
+    return this._Password;
+  }
+
+  private set Password(value: string) {
+    this._Password = value;
+  }
+
+  get Status(): string {
+    return this._Status;
+  }
+
+  private set Status(value: string) {
+    this._Status = value;
+  }
+
+  get DefaultPasswordChangedYN(): YN {
+    return this._DefaultPasswordChangedYN;
+  }
+
+  private set DefaultPasswordChangedYN(value: YN) {
+    this._DefaultPasswordChangedYN = value;
+  }
+
+  get FirstLoginAt(): Date {
+    return this._FirstLoginAt;
+  }
+
+  private set FirstLoginAt(value: Date) {
+    this._FirstLoginAt = value;
+  }
+
+  get LastLoginAt(): Date {
+    return this._LastLoginAt;
+  }
+
+  private set LastLoginAt(value: Date) {
+    this._LastLoginAt = value;
+  }
+
+  get MFAEnabled(): number {
+    return this._MFAEnabled;
+  }
+
+  private set MFAEnabled(value: number) {
+    this._MFAEnabled = value;
+  }
+
+  get MFAConfig(): string {
+    return this._MFAConfig;
+  }
+
+  private set MFAConfig(value: string) {
+    this._MFAConfig = value;
+  }
+
+  get RecoveryEmail(): string {
+    return this._RecoveryEmail;
+  }
+
+  private set RecoveryEmail(value: string) {
+    this._RecoveryEmail = value;
+  }
+
+  get FailedLoginAttemptCount(): number {
+    return this._FailedLoginAttemptCount;
+  }
+
+  private set FailedLoginAttemptCount(value: number) {
+    this._FailedLoginAttemptCount = value;
+  }
+
+  get LastFailedLoginAt(): Date {
+    return this._LastFailedLoginAt;
+  }
+
+  private set LastFailedLoginAt(value: Date) {
+    this._LastFailedLoginAt = value;
+  }
+
+  get LastPasswordChangedAt(): Date {
+    return this._LastPasswordChangedAt;
+  }
+
+  private set LastPasswordChangedAt(value: Date) {
+    this._LastPasswordChangedAt = value;
+  }
+
+  get NeedToChangePasswordYN(): YN {
+    return this._NeedToChangePasswordYN;
+  }
+
+  private set NeedToChangePasswordYN(value: YN) {
+    this._NeedToChangePasswordYN = value;
+  }
+
+  get CreatedById(): number {
+    return this._CreatedById;
+  }
+
+  private set CreatedById(value: number) {
+    this._CreatedById = value;
+  }
+
+  get CreatedAt(): Date {
+    return this._CreatedAt;
+  }
+
+  private set CreatedAt(value: Date) {
+    this._CreatedAt = value;
+  }
+
+  get UpdatedById(): number {
+    return this._UpdatedById;
+  }
+
+  private set UpdatedById(value: number) {
+    this._UpdatedById = value;
+  }
+
+  get UpdatedAt(): Date {
+    return this._UpdatedAt;
+  }
+
+  private set UpdatedAt(value: Date) {
+    this._UpdatedAt = value;
+  }
+
+  async getDetails(): Promise<{
+    FullName: string;
+    IDNo: string;
+    IDType: string;
+    Email: string;
+    ContactNo: string;
+  }> {
+    return {
+      FullName: this.FullName,
+      IDNo: this.IDNo,
+      IDType: this.IDType,
+      Email: this.Email,
+      ContactNo: this.ContactNo,
+    };
+  }
+
+  private constructor(
+    sessionService: ISessionService,
+    dbTransaction?: any,
+    userInfo?: IUserAttr,
+  ) {
+    super();
+    this._SessionService = sessionService;
+
+    if (dbTransaction) {
+      this._dbTransaction = dbTransaction;
+    }
+    // set all the class properties
+    if (userInfo) {
+      this.UserId = userInfo.UserId;
+      this.FullName = userInfo.FullName;
+      this.IDNo = userInfo.IDNo;
+      this.Email = userInfo.Email;
+      this.ContactNo = userInfo.ContactNo;
+      this.Password = userInfo.Password;
+      this.staffs = userInfo.staffs;
+    }
+  }
+
+  static async init(
+    sessionService: ISessionService,
+    userId?: number,
+    dbTransaction = null,
+  ): Promise<LoginUser> {
+    if (userId) {
+      if (dbTransaction) {
+        LoginUser._Repository = new UserRepository();
+      }
+      const user = await LoginUser._Repository.findOne({
+        where: {
+          UserId: userId,
+        },
+        include: [
+          {
+            model: Staff,
+          },
+        ],
+      });
+
+      if (!user) {
+        throw new Error('Invalid credentials.');
+      }
+
+      if (user) {
+        const userAttr: IUserAttr = {
+          UserId: user.UserId,
+          FullName: user.Staff.FullName,
+          IDNo: user.Staff.IdNo,
+          ContactNo: user.Staff.Mobile,
+          Email: user.Email,
+          Password: user.Password,
+          Status: user.Status,
+          DefaultPasswordChangedYN: user.DefaultPasswordChangedYN,
+          FirstLoginAt: user.FirstLoginAt,
+          LastLoginAt: user.LastLoginAt,
+          MFAEnabled: user.MFAEnabled,
+          MFAConfig: user.MFAConfig,
+          RecoveryEmail: user.RecoveryEmail,
+          FailedLoginAttemptCount: user.FailedLoginAttemptCount,
+          LastFailedLoginAt: user.LastFailedLoginAt,
+          LastPasswordChangedAt: user.LastPasswordChangedAt,
+          NeedToChangePasswordYN: user.NeedToChangePasswordYN,
+          CreatedById: user.CreatedById,
+          CreatedAt: user.CreatedAt,
+          UpdatedById: user.UpdatedById,
+          UpdatedAt: user.UpdatedAt,
+          staffs: user.Staff,
+        };
+
+        return new LoginUser(sessionService, dbTransaction, userAttr);
+      } else {
+        throw new Error('User not found');
+      }
+    }
+    return new LoginUser(sessionService, dbTransaction);
+  }
+
+  async login(
+    systemCode: string,
+    email: string,
+    password: string,
+    ipAddress: string,
+  ): Promise<string> {
+    try {
+      //validate email
+      if (!this.ObjectId) {
+        const user = await LoginUser._Repository.findOne({
+          where: {
+            Email: email,
+          },
+          include: [
+            {
+              model: Staff,
+            },
+          ],
+        });
+
+        const userAttr: IUserAttr = {
+          UserId: user.UserId,
+          FullName: user.Staff.FullName,
+          IDNo: user.Staff.IdNo,
+          ContactNo: user.Staff.Mobile,
+          Email: user.Email,
+          Password: user.Password,
+          Status: user.Status,
+          DefaultPasswordChangedYN: user.DefaultPasswordChangedYN,
+          FirstLoginAt: user.FirstLoginAt,
+          LastLoginAt: user.LastLoginAt,
+          MFAEnabled: user.MFAEnabled,
+          MFAConfig: user.MFAConfig,
+          RecoveryEmail: user.RecoveryEmail,
+          FailedLoginAttemptCount: user.FailedLoginAttemptCount,
+          LastFailedLoginAt: user.LastFailedLoginAt,
+          LastPasswordChangedAt: user.LastPasswordChangedAt,
+          NeedToChangePasswordYN: user.NeedToChangePasswordYN,
+          CreatedById: user.CreatedById,
+          CreatedAt: user.CreatedAt,
+          UpdatedById: user.UpdatedById,
+          UpdatedAt: user.UpdatedAt,
+          staffs: user.Staff,
+        };
+
+        this.UserId = userAttr.UserId;
+        this.FullName = userAttr.FullName;
+        this.IDNo = userAttr.IDNo;
+        this.Email = userAttr.Email;
+        this.ContactNo = userAttr.ContactNo;
+        this.Password = userAttr.Password;
+        this.Status = userAttr.Status;
+        this.DefaultPasswordChangedYN = userAttr.DefaultPasswordChangedYN;
+        this.FirstLoginAt = userAttr.FirstLoginAt;
+        this.LastLoginAt = userAttr.LastLoginAt;
+        this.MFAEnabled = userAttr.MFAEnabled;
+        this.MFAConfig = userAttr.MFAConfig;
+        this.RecoveryEmail = userAttr.RecoveryEmail;
+        this.FailedLoginAttemptCount = userAttr.FailedLoginAttemptCount;
+        this.LastFailedLoginAt = userAttr.LastFailedLoginAt;
+        this.LastPasswordChangedAt = userAttr.LastPasswordChangedAt;
+        this.NeedToChangePasswordYN = userAttr.NeedToChangePasswordYN;
+        this.CreatedById = userAttr.CreatedById;
+        this.CreatedAt = userAttr.CreatedAt;
+        this.UpdatedById = userAttr.UpdatedById;
+        this.UpdatedAt = userAttr.UpdatedAt;
+        this.staffs = userAttr.staffs;
+      }
+
+      if (this.ObjectId && this.Email !== email) {
+        throw new Error('Invalid credentials.');
+      }
+
+      //validate password
+      const isPasswordValid = await this._PasswordHashService.verify(
+        password,
+        this.Password,
+      );
+
+      if (!isPasswordValid) {
+        throw new Error('Invalid credentials.');
+      }
+
+      //validate system code
+      const system = await LoginUser._SystemRepository.findOne({
+        where: {
+          code: systemCode,
+        },
+      });
+
+      if (!system) {
+        throw new Error('Invalid system code.');
+      }
+
+      //validate system access
+      await this.checkSystemAccess(this.UserId, system.id);
+      // alert user if new login
+      await this.alertNewLogin(this.ObjectId, system.id.toString(), ipAddress);
+
+      // fetch user session if exists
+      const userSession = await this._SessionService.retrieveUserSession(
+        this.ObjectId,
+      );
+      let systemLogin = userSession.systemLogins.find(
+        (system) => system.code === systemCode,
+      );
+
+      // generate new session id
+      const { randomUUID } = require('crypto');
+      const sessionId = randomUUID();
+
+      if (systemLogin) {
+        systemLogin = systemLogin.sessionId = sessionId;
+        userSession.systemLogins.map((system) =>
+          system.code === systemCode ? systemLogin : system,
+        );
+      } else {
+        // if not, add new system login into the userSession
+        const newLogin = {
+          id: system.id.toString(),
+          code: system.Code,
+          sessionId: sessionId,
+          privileges: await this.getPrivileges(system.Code),
+        };
+        userSession.systemLogins.push(newLogin);
+      }
+      // then update userSession inside the redis storage with 1 day duration of time-to-live
+      this._SessionService.setUserSession(this.ObjectId, userSession);
+
+      // record new login history
+      await LoginUser._LoginHistoryRepository.create({
+        UserId: this.UserId,
+        SystemId: system.id,
+        OriginIp: ipAddress,
+        CreatedAt: new Date(),
+      });
+
+      return `${this.UserId}:${sessionId}`;
+    } catch (error) {
+      throw error;
+    }
+  }
+
+  private async checkSystemAccess(
+    userId: number,
+    systemId: number,
+  ): Promise<void> {
+    try {
+      const systemAccess = await LoginUser._SystemAccessRepository.findOne({
+        where: {
+          UserId: userId,
+          SystemId: systemId,
+        },
+      });
+
+      if (!systemAccess) {
+        throw new Error("User don't have access to the system.");
+      }
+    } catch (error) {
+      throw error;
+    }
+  }
+
+  private async alertNewLogin(
+    userId: string,
+    systemId: string,
+    ipAddress: string,
+  ) {
+    try {
+      const userLogins = await LoginUser._LoginHistoryRepository.findAll({
+        where: {
+          UserId: userId,
+          SystemId: systemId,
+        },
+      });
+
+      const gotPreviousLogins = userLogins?.length !== 0;
+      let ipFound: LoginHistory | undefined = undefined;
+      if (gotPreviousLogins) {
+        ipFound = userLogins.find((item) => item.OriginIp === ipAddress);
+      }
+
+      if (gotPreviousLogins && !ipFound) {
+        const EMAIL_SENDER =
+          process.env.EMAIL_SENDER || 'itd-system@tomei.com.my';
+        const transporter = new SMTPMailer();
+
+        await transporter.sendMail({
+          from: EMAIL_SENDER,
+          to: this.Email,
+          subject: 'New Login Alert',
+          html: `<p>Dear ${this.FullName},</p>
+                  <p>There was a new login to your account from ${ipAddress} on ${new Date().toLocaleString()}.</p>
+                  <p>If this was you, you can safely ignore this email.</p>
+                  <p>If you suspect that someone else is trying to access your account, please contact us immediately at itd-support@tomei.com.my.</p>
+                  <p>Thank you!,</p>
+                  <p>
+                      Best Regards,
+                      IT Department
+                  </p>`,
+        });
+      }
+    } catch (error) {
+      throw error;
+    }
+  }
+
+  private async getPrivileges(systemCode: string): Promise<string[]> {
+    try {
+      const system = await LoginUser._SystemRepository.findOne({
+        where: {
+          Code: systemCode,
+        },
+      });
+
+      if (!system) {
+        throw new Error('Invalid system code.');
+      }
+
+      // retrive user userGroups with system privileges
+      const userUserGroups = await this.getUserUserGroupFromDB(system.id);
+
+      // get all userGroup data from user userGroups
+      const userGroupData = userUserGroups.map((u) => u.UserGroup);
+      // get all privileges from userGroup data
+      let privileges: string[] = [];
+      for (const userGroup of userGroupData) {
+        const groupSystemPrivileges = userGroup.GroupSystemPrivileges.map(
+          (g) => g.SystemPrivilege.Code,
+        );
+        const groupRolePrivileges = userGroup.GroupRolePrivileges.map(
+          (g) => g.SystemPrivilege.Code,
+        );
+
+        // if userGroup is not root, get all parent tree privileges
+        if (
+          userGroup.GroupLevel !== 0 &&
+          userGroup.AllowInheritFromParentYN === 'Y'
+        ) {
+          // get all parent tree privileges
+          const parentTreePrivileges = await this.getPrivilegesFromUserGroup(
+            userGroup.ParentGroupCode,
+          );
+
+          privileges = [...privileges, ...parentTreePrivileges];
+        }
+
+        privileges = [
+          ...privileges,
+          ...groupSystemPrivileges,
+          ...groupRolePrivileges,
+        ];
+      }
+
+      // retrive all user personal privileges
+      const userPrivileges = await this.getUserPersonalPrivileges(system.id);
+
+      privileges = [...privileges, ...userPrivileges];
+      privileges = [...new Set(privileges)];
+      return privileges;
+    } catch (error) {
+      throw error;
+    }
+  }
+
+  private async getPrivilegesFromUserGroup(
+    groupCode: string,
+  ): Promise<string[]> {
+    try {
+      // Retrieve userGroup from the database based on groupCode
+      const userGroup = await this.getUserGroupFromDB(groupCode);
+      let privileges: string[] = [];
+
+      // Add privileges from the userGroup to the privileges array
+      privileges = [
+        ...privileges,
+        ...userGroup.GroupSystemPrivileges.map((g) => g.SystemPrivilege.Code),
+        ...userGroup.GroupRolePrivileges.map((g) => g.SystemPrivilege.Code),
+      ];
+
+      // Recursive call if conditions are not met and ParentGroupCode exists
+      const isContinue =
+        userGroup.GroupLevel !== 0 &&
+        userGroup.AllowInheritFromParentYN === 'Y';
+      if (isContinue) {
+        const recursivePrivileges = await this.getPrivilegesFromUserGroup(
+          userGroup.ParentGroupCode,
+        );
+        privileges = privileges.concat(recursivePrivileges);
+      }
+
+      // return privileges array
+      return privileges;
+    } catch (error) {
+      throw error;
+    }
+  }
+
+  private async getUserGroupFromDB(groupCode: string): Promise<any> {
+    try {
+      const userGroup = await LoginUser._UserGroupRepository.findOne({
+        where: {
+          GroupCode: groupCode,
+        },
+        include: [
+          {
+            model: GroupSystemPrivilege,
+            include: {
+              model: SystemPrivilege,
+            },
+          },
+          {
+            model: GroupRolePrivilege,
+            include: {
+              model: SystemPrivilege,
+            },
+          },
+        ],
+      });
+      return userGroup;
+    } catch (error) {
+      throw error;
+    }
+  }
+
+  private async getUserUserGroupFromDB(systemCode: number) {
+    try {
+      return await LoginUser._UserUserGroupRepository.findAll({
+        where: {
+          UserId: this.UserId,
+          SystemId: systemCode,
+        },
+        include: {
+          model: UserGroup,
+          include: [
+            {
+              model: GroupSystemPrivilege,
+              include: {
+                model: SystemPrivilege,
+              },
+            },
+            {
+              model: GroupRolePrivilege,
+              include: {
+                model: SystemPrivilege,
+              },
+            },
+          ],
+        },
+      });
+    } catch (error) {
+      throw error;
+    }
+  }
+
+  private async getUserPersonalPrivileges(systemId: number): Promise<string[]> {
+    try {
+      const userRole = await LoginUser._Repository.findOne({
+        where: {
+          UserId: this.ObjectId,
+        },
+        include: {
+          model: SystemPrivilege,
+        },
+      });
+
+      //retrive all user systemPrevileges data from user roles
+      let userSystemPrivileges = userRole.SystemPrivileges;
+
+      userSystemPrivileges = userSystemPrivileges.filter(
+        (u) => u.SystemId === systemId,
+      );
+
+      const userPrivileges: string[] = userSystemPrivileges.map((u) => u.Code);
+      return userPrivileges;
+    } catch (error) {
+      throw error;
+    }
+  }
+
+  async checkPrivileges(
+    systemCode: string,
+    privilegeName: string,
+  ): Promise<boolean> {
+    try {
+      if (!this.ObjectId) {
+        throw new Error('ObjectId(UserId) is not set');
+      }
+
+      const userSession = await this._SessionService.retrieveUserSession(
+        this.ObjectId,
+      );
+
+      const systemLogin = userSession.systemLogins.find(
+        (system) => system.code === systemCode,
+      );
+
+      if (!systemLogin) {
+        return false;
+      }
+
+      const privileges = systemLogin.privileges;
+      const hasPrivilege = privileges.includes(privilegeName);
+      return hasPrivilege;
+    } catch (error) {
+      throw error;
+    }
+  }
+
+  async checkSession(
+    systemCode: string,
+    sessionId: string,
+    userId: string,
+  ): Promise<ISystemLogin> {
+    try {
+      const userSession = await this._SessionService.retrieveUserSession(
+        userId,
+      );
+
+      if (userSession.systemLogins.length === 0) {
+        throw new Error('Session expired.');
+      }
+
+      const systemLogin = userSession.systemLogins.find(
+        (sl) => sl.code === systemCode,
+      );
+
+      if (!systemLogin) {
+        throw new Error('Session expired.');
+      }
+
+      if (systemLogin.sessionId !== sessionId) {
+        throw new Error('Session expired.');
+      }
+
+      await this._SessionService.refreshDuration(userId);
+
+      return systemLogin;
+    } catch (error) {
+      throw error;
+    }
+  }
+
+  async logout(systemCode: string) {
+    try {
+      if (!this.ObjectId) {
+        throw new Error('ObjectId(UserId) is not set');
+      }
+      const userSession = await this._SessionService.retrieveUserSession(
+        this.ObjectId,
+      );
+      const index = userSession.systemLogins.findIndex(
+        (system) => system.code === systemCode,
+      );
+      userSession.systemLogins.splice(index, 1);
+      this._SessionService.setUserSession(this.ObjectId, userSession);
+    } catch (error) {
+      throw error;
+    }
+  }
+}