@tomei/sso 0.34.2 → 0.34.6

package/src/components/login-user/user.ts

@@ -0,0 +1,2343 @@
+import { ClassError, LoginUserBase, UserBase } from '@tomei/general';
+import { ISessionService } from '../../session/interfaces/session-service.interface';
+import { IUserAttr, IUserInfo } from './interfaces/user-info.interface';
+import { UserRepository } from './user.repository';
+import { SystemRepository } from '../system/system.repository';
+import { LoginHistoryRepository } from '../login-history/login-history.repository';
+import { PasswordHashService } from '../password-hash/password-hash.service';
+import { UserGroupRepository } from '../user-group/user-group.repository';
+import { SMTPMailer } from '@tomei/mailer';
+import { ISystemLogin } from '../../../src/interfaces/system-login.interface';
+import Staff from '../../models/staff.entity';
+import SystemPrivilege from '../../models/system-privilege.entity';
+import LoginHistory from '../../models/login-history.entity';
+import { YN } from '../../enum/yn.enum';
+import { UserStatus } from '../../enum';
+import { ApplicationConfig, ComponentConfig } from '@tomei/config';
+import { ICheckUserInfoDuplicatedQuery } from './interfaces/check-user-info-duplicated.interface';
+import { Op, where } from 'sequelize';
+import { ActionEnum, Activity } from '@tomei/activity-history';
+import UserModel from '../../models/user.entity';
+import GroupModel from '../../models/group.entity';
+import { GroupSystemAccessRepository } from '../group-system-access/group-system-access.repository';
+import { GroupRepository } from '../group/group.repository';
+import SystemModel from '../../models/system.entity';
+import { ISystemAccess } from './interfaces/system-access.interface';
+import { UserSystemAccessRepository } from '../user-system-access/user-system-access.repository';
+import GroupSystemAccessModel from '../../models/group-system-access.entity';
+import { UserPrivilegeRepository } from '../user-privilege/user-privilege.repository';
+import { UserObjectPrivilegeRepository } from '../user-object-privilege/user-object-privilege.repository';
+import GroupPrivilegeModel from '../../models/group-privilege.entity';
+import { GroupObjectPrivilegeRepository } from '../group-object-privilege/group-object-privilege.repository';
+import * as speakeasy from 'speakeasy';
+import { LoginStatusEnum } from '../../enum/login-status.enum';
+import { RedisService } from '../../redis-client/redis.service';
+import { LoginUser } from './login-user';
+
+export class User extends UserBase {
+  ObjectId: string;
+  Email: string;
+  private _UserName: string;
+  private _Password: string;
+  private _Status: UserStatus;
+  private _DefaultPasswordChangedYN: YN;
+  private _FirstLoginAt: Date;
+  private _LastLoginAt: Date;
+  private _MFAEnabled: number;
+  private _MFAConfig: string;
+  private _RecoveryEmail: string;
+  private _FailedLoginAttemptCount: number;
+  private _LastFailedLoginAt: Date;
+  private _LastPasswordChangedAt: Date;
+  private _NeedToChangePasswordYN: YN;
+  private _CreatedById: number;
+  private _CreatedAt: Date;
+  private _UpdatedById: number;
+  private _UpdatedAt: Date;
+  ObjectName = 'User';
+  TableName = 'sso_Users';
+  ObjectType = 'User';
+  staffs: any;
+
+  private _OriginIP: string;
+  protected _SessionService: ISessionService;
+  protected static _RedisService: RedisService;
+  protected static _Repository = new UserRepository();
+
+  private static _LoginHistoryRepository = new LoginHistoryRepository();
+  protected static _UserGroupRepo = new UserGroupRepository();
+  private static _UserPrivilegeRepo = new UserPrivilegeRepository();
+  private static _UserObjectPrivilegeRepo = new UserObjectPrivilegeRepository();
+  private static _GroupObjectPrivilegeRepo =
+    new GroupObjectPrivilegeRepository();
+
+  private static _SystemRepository = new SystemRepository();
+  protected static _UserSystemAccessRepo = new UserSystemAccessRepository();
+  private static _GroupSystemAccessRepo = new GroupSystemAccessRepository();
+  private static _GroupRepo = new GroupRepository();
+
+  private _dbTransaction: any;
+
+  get SessionService(): ISessionService {
+    return this._SessionService;
+  }
+
+  get UserId(): number {
+    return parseInt(this.ObjectId);
+  }
+
+  private set UserId(value: number) {
+    this.ObjectId = value.toString();
+  }
+
+  get Password(): string {
+    return this._Password;
+  }
+
+  private set Password(value: string) {
+    this._Password = value;
+  }
+
+  get Status(): UserStatus {
+    return this._Status;
+  }
+
+  private set Status(value: UserStatus) {
+    this._Status = value;
+  }
+
+  get UserName(): string {
+    return this._UserName;
+  }
+
+  set UserName(value: string) {
+    this._UserName = value;
+  }
+
+  get DefaultPasswordChangedYN(): YN {
+    return this._DefaultPasswordChangedYN;
+  }
+
+  private set DefaultPasswordChangedYN(value: YN) {
+    this._DefaultPasswordChangedYN = value;
+  }
+
+  get FirstLoginAt(): Date {
+    return this._FirstLoginAt;
+  }
+
+  private set FirstLoginAt(value: Date) {
+    this._FirstLoginAt = value;
+  }
+
+  get LastLoginAt(): Date {
+    return this._LastLoginAt;
+  }
+
+  private set LastLoginAt(value: Date) {
+    this._LastLoginAt = value;
+  }
+
+  get MFAEnabled(): number {
+    return this._MFAEnabled;
+  }
+
+  private set MFAEnabled(value: number) {
+    this._MFAEnabled = value;
+  }
+
+  get MFAConfig(): string {
+    return this._MFAConfig;
+  }
+
+  private set MFAConfig(value: string) {
+    this._MFAConfig = value;
+  }
+
+  get RecoveryEmail(): string {
+    return this._RecoveryEmail;
+  }
+
+  private set RecoveryEmail(value: string) {
+    this._RecoveryEmail = value;
+  }
+
+  get FailedLoginAttemptCount(): number {
+    return this._FailedLoginAttemptCount;
+  }
+
+  private set FailedLoginAttemptCount(value: number) {
+    this._FailedLoginAttemptCount = value;
+  }
+
+  get LastFailedLoginAt(): Date {
+    return this._LastFailedLoginAt;
+  }
+
+  private set LastFailedLoginAt(value: Date) {
+    this._LastFailedLoginAt = value;
+  }
+
+  get LastPasswordChangedAt(): Date {
+    return this._LastPasswordChangedAt;
+  }
+
+  private set LastPasswordChangedAt(value: Date) {
+    this._LastPasswordChangedAt = value;
+  }
+
+  get NeedToChangePasswordYN(): YN {
+    return this._NeedToChangePasswordYN;
+  }
+
+  private set NeedToChangePasswordYN(value: YN) {
+    this._NeedToChangePasswordYN = value;
+  }
+
+  get CreatedById(): number {
+    return this._CreatedById;
+  }
+
+  private set CreatedById(value: number) {
+    this._CreatedById = value;
+  }
+
+  get CreatedAt(): Date {
+    return this._CreatedAt;
+  }
+
+  private set CreatedAt(value: Date) {
+    this._CreatedAt = value;
+  }
+
+  get UpdatedById(): number {
+    return this._UpdatedById;
+  }
+
+  private set UpdatedById(value: number) {
+    this._UpdatedById = value;
+  }
+
+  get UpdatedAt(): Date {
+    return this._UpdatedAt;
+  }
+
+  private set UpdatedAt(value: Date) {
+    this._UpdatedAt = value;
+  }
+
+  async getDetails(): Promise<{
+    FullName: string;
+    UserName: string;
+    IDNo: string;
+    IDType: string;
+    Email: string;
+    ContactNo: string;
+  }> {
+    return {
+      FullName: this.FullName,
+      UserName: this.UserName,
+      IDNo: this.IDNo,
+      IDType: this.IDType,
+      Email: this.Email,
+      ContactNo: this.ContactNo,
+    };
+  }
+
+  constructor(
+    sessionService: ISessionService,
+    dbTransaction?: any,
+    userInfo?: IUserAttr,
+  ) {
+    super();
+    this._SessionService = sessionService;
+
+    if (dbTransaction) {
+      this._dbTransaction = dbTransaction;
+    }
+    // set all the class properties
+    if (userInfo) {
+      this.UserId = userInfo.UserId;
+      this.UserName = userInfo.FullName;
+      this.FullName = userInfo.FullName;
+      this.IDNo = userInfo.IDNo;
+      this.Email = userInfo.Email;
+      this.ContactNo = userInfo.ContactNo;
+      this.Password = userInfo.Password;
+      this.staffs = userInfo.staffs;
+      this.Status = userInfo.Status;
+      this.DefaultPasswordChangedYN = userInfo.DefaultPasswordChangedYN;
+      this.FirstLoginAt = userInfo.FirstLoginAt;
+      this.LastLoginAt = userInfo.LastLoginAt;
+      this.MFAEnabled = userInfo.MFAEnabled;
+      this.MFAConfig = userInfo.MFAConfig;
+      this.RecoveryEmail = userInfo.RecoveryEmail;
+      this.FailedLoginAttemptCount = userInfo.FailedLoginAttemptCount;
+      this.LastFailedLoginAt = userInfo.LastFailedLoginAt;
+      this.LastPasswordChangedAt = userInfo.LastPasswordChangedAt;
+      this.NeedToChangePasswordYN = userInfo.NeedToChangePasswordYN;
+      this.CreatedById = userInfo.CreatedById;
+      this.CreatedAt = userInfo.CreatedAt;
+      this.UpdatedById = userInfo.UpdatedById;
+      this.UpdatedAt = userInfo.UpdatedAt;
+    }
+  }
+
+  static async init(
+    sessionService: ISessionService,
+    userId?: number,
+    dbTransaction = null,
+  ): Promise<User> {
+    User._RedisService = await RedisService.init();
+    if (userId) {
+      if (dbTransaction) {
+        User._Repository = new UserRepository();
+      }
+      const user = await User._Repository.findOne({
+        where: {
+          UserId: userId,
+        },
+        include: [
+          {
+            model: Staff,
+          },
+        ],
+        transaction: dbTransaction,
+      });
+
+      if (!user) {
+        throw new Error('Invalid credentials.');
+      }
+
+      if (user) {
+        const userAttr: IUserAttr = {
+          UserId: user.UserId,
+          UserName: user.UserName,
+          FullName: user?.Staff?.FullName,
+          IDNo: user?.Staff?.IdNo,
+          ContactNo: user?.Staff?.Mobile,
+          Email: user.Email,
+          Password: user.Password,
+          Status: user.Status,
+          DefaultPasswordChangedYN: user.DefaultPasswordChangedYN,
+          FirstLoginAt: user.FirstLoginAt,
+          LastLoginAt: user.LastLoginAt,
+          MFAEnabled: user.MFAEnabled,
+          MFAConfig: user.MFAConfig,
+          RecoveryEmail: user.RecoveryEmail,
+          FailedLoginAttemptCount: user.FailedLoginAttemptCount,
+          LastFailedLoginAt: user.LastFailedLoginAt,
+          LastPasswordChangedAt: user.LastPasswordChangedAt,
+          NeedToChangePasswordYN: user.NeedToChangePasswordYN,
+          CreatedById: user.CreatedById,
+          CreatedAt: user.CreatedAt,
+          UpdatedById: user.UpdatedById,
+          UpdatedAt: user.UpdatedAt,
+          staffs: user?.Staff,
+        };
+
+        return new User(sessionService, dbTransaction, userAttr);
+      } else {
+        throw new Error('User not found');
+      }
+    }
+    return new User(sessionService, dbTransaction);
+  }
+
+  async setEmail(email: string, dbTransaction): Promise<void> {
+    try {
+      //Check if email is not the same as the current email if it is, skip all the steps
+      if (this.Email === email) {
+        return;
+      }
+
+      //Check if email is duplicated, if yes, throw error
+      const user = await User._Repository.findOne({
+        where: {
+          Email: email,
+        },
+        transaction: dbTransaction,
+      });
+
+      if (user) {
+        throw new ClassError(
+          'LoginUser',
+          'LoginUserErrMsg0X',
+          'Email already exists',
+        );
+      }
+
+      //Update the email
+      this.Email = email;
+    } catch (error) {
+      throw error;
+    }
+  }
+
+  async login(
+    systemCode: string,
+    email: string,
+    password: string,
+    ipAddress: string,
+    dbTransaction,
+  ): Promise<LoginUser> {
+    try {
+      //validate email
+      if (!this.ObjectId) {
+        // 1.1: Retrieve user data by calling _Repo.findOne with below parameter
+        const user = await User._Repository.findOne({
+          transaction: dbTransaction,
+          where: {
+            Email: email,
+            Status: {
+              [Op.or]: [UserStatus.ACTIVE, UserStatus.LOCKED],
+            },
+          },
+          include: [
+            {
+              model: Staff,
+            },
+          ],
+        });
+
+        // 1.2: If Exist populate all of the object attributes with the user data retrieved from previous step. if not throw Class Error
+        if (user) {
+          const userAttr: IUserAttr = {
+            UserId: user.UserId,
+            UserName: user.UserName,
+            FullName: user?.Staff?.FullName || null,
+            IDNo: user?.Staff?.IdNo || null,
+            ContactNo: user?.Staff?.Mobile || null,
+            Email: user.Email,
+            Password: user.Password,
+            Status: user.Status,
+            DefaultPasswordChangedYN: user.DefaultPasswordChangedYN,
+            FirstLoginAt: user.FirstLoginAt,
+            LastLoginAt: user.LastLoginAt,
+            MFAEnabled: user.MFAEnabled,
+            MFAConfig: user.MFAConfig,
+            RecoveryEmail: user.RecoveryEmail,
+            FailedLoginAttemptCount: user.FailedLoginAttemptCount,
+            LastFailedLoginAt: user.LastFailedLoginAt,
+            LastPasswordChangedAt: user.LastPasswordChangedAt,
+            NeedToChangePasswordYN: user.NeedToChangePasswordYN,
+            CreatedById: user.CreatedById,
+            CreatedAt: user.CreatedAt,
+            UpdatedById: user.UpdatedById,
+            UpdatedAt: user.UpdatedAt,
+            staffs: user?.Staff || null,
+          };
+
+          this.UserId = userAttr.UserId;
+          this.FullName = userAttr.FullName;
+          this.IDNo = userAttr.IDNo;
+          this.Email = userAttr.Email;
+          this.ContactNo = userAttr.ContactNo;
+          this.Password = userAttr.Password;
+          this.Status = userAttr.Status;
+          this.DefaultPasswordChangedYN = userAttr.DefaultPasswordChangedYN;
+          this.FirstLoginAt = userAttr.FirstLoginAt;
+          this.LastLoginAt = userAttr.LastLoginAt;
+          this.MFAEnabled = userAttr.MFAEnabled;
+          this.MFAConfig = userAttr.MFAConfig;
+          this.RecoveryEmail = userAttr.RecoveryEmail;
+          this.FailedLoginAttemptCount = userAttr.FailedLoginAttemptCount;
+          this.LastFailedLoginAt = userAttr.LastFailedLoginAt;
+          this.LastPasswordChangedAt = userAttr.LastPasswordChangedAt;
+          this.NeedToChangePasswordYN = userAttr.NeedToChangePasswordYN;
+          this.CreatedById = userAttr.CreatedById;
+          this.CreatedAt = userAttr.CreatedAt;
+          this.UpdatedById = userAttr.UpdatedById;
+          this.UpdatedAt = userAttr.UpdatedAt;
+          this.staffs = userAttr.staffs;
+        } else {
+          throw new ClassError('User', 'UserErrMsg0X', 'Invalid Credentials');
+        }
+      }
+
+      if (this.ObjectId && this.Email !== email) {
+        throw new Error('Invalid credentials.');
+      }
+
+      //Call LoginUser.check2FA
+      const check2FA = await User.check2FA(this, dbTransaction);
+
+      //validate system code
+
+      // 1.3: From here on until step 1.8. If any of the validation is failed, skip the other step and call incrementFailedLoginAttemptCount
+
+      try {
+        // 1.4: Validate the system user trying to access by calling __SystemRepository.findOne with below parameter.
+        // If system does not exist, skip all below step and return to step 3
+        const system = await User._SystemRepository.findOne({
+          where: {
+            SystemCode: systemCode,
+            Status: 'Active',
+          },
+        });
+        if (!system) {
+          throw new Error('Invalid credentials.');
+        }
+
+        // 1.5: Instantiate new PasswordHashService object and call PasswordHashService.verify method to check whether the param.Password is correct.
+        // If not, skip all below step and return to step 3.
+        const passwordHashService = new PasswordHashService();
+        const isPasswordValid = await passwordHashService.verify(
+          password,
+          this.Password,
+        );
+        if (!isPasswordValid) {
+          throw new Error('Invalid credentials.');
+        }
+
+        // 1.6: Validate the user access to the system by calling . if it return false, skip all below step and return to step 3
+        await this.checkSystemAccess(
+          this.UserId,
+          system.SystemCode,
+          dbTransaction,
+        );
+
+        // 1.7: f this.Status = "Locked" , call shouldReleaseLock
+        if (this.Status === UserStatus.LOCKED) {
+          const isReleaseLock = User.shouldReleaseLock(this.LastFailedLoginAt);
+          // 1.8: if the previous step returns true, call releaseLock then update this.Status = "Active". if false, skip all below step and return to step 3
+          if (isReleaseLock) {
+            await User.releaseLock(this.UserId, dbTransaction);
+            this.Status = UserStatus.ACTIVE;
+          } else {
+            throw new Error('Invalid credentials.');
+          }
+        }
+      } catch (error) {
+        await this.incrementFailedLoginAttemptCount(dbTransaction);
+      }
+
+      // 2.1:  Call alertNewLogin to check whether the ip used is new ip and alert the user if it's new.
+      const system = await User._SystemRepository.findOne({
+        where: {
+          SystemCode: systemCode,
+        },
+      });
+      await this.alertNewLogin(this.ObjectId, system.SystemCode, ipAddress);
+
+      // 2.2 : Set below properties :
+      // FailedLoginAttemptCount: 0.
+      // If FirstLoginAt is empty, this.FirstLoginAt = <current timestamp>
+      // LastLoginAt = <current timestamp>
+      this.FailedLoginAttemptCount = 0;
+      this.LastLoginAt = new Date();
+      if (!this.FirstLoginAt) {
+        this.FirstLoginAt = new Date();
+      }
+
+      // 2.3: Call _Repo.update and update user data in the db to the current object properties value. Dont forget to use dbTransaction.
+      await User._Repository.update(
+        {
+          FullName: this.FullName,
+          UserName: this.UserName,
+          IDNo: this.IDNo,
+          Email: this.Email,
+          ContactNo: this.ContactNo,
+          Password: this.Password,
+          Status: this.Status,
+          DefaultPasswordChangedYN: this.DefaultPasswordChangedYN,
+          FirstLoginAt: this.FirstLoginAt,
+          LastLoginAt: this.LastLoginAt,
+          MFAEnabled: this.MFAEnabled,
+          MFAConfig: this.MFAConfig,
+          RecoveryEmail: this.RecoveryEmail,
+          FailedLoginAttemptCount: this.FailedLoginAttemptCount,
+          LastFailedLoginAt: this.LastFailedLoginAt,
+          LastPasswordChangedAt: this.LastPasswordChangedAt,
+          NeedToChangePasswordYN: this.NeedToChangePasswordYN,
+        },
+        {
+          where: {
+            UserId: this.UserId,
+          },
+          transaction: dbTransaction,
+        },
+      );
+
+      // fetch user session if exists
+      const userSession = await this._SessionService.retrieveUserSession(
+        this.ObjectId,
+      );
+      let systemLogin = userSession.systemLogins.find(
+        (system) => system.code === systemCode,
+      );
+
+      // generate new session id
+      const { randomUUID } = require('crypto');
+      const sessionId = randomUUID();
+
+      if (systemLogin) {
+        systemLogin = systemLogin.sessionId = sessionId;
+        userSession.systemLogins.map((system) =>
+          system.code === systemCode ? systemLogin : system,
+        );
+      } else {
+        // if not, add new system login into the userSession
+        const newLogin = {
+          id: system.SystemCode,
+          code: system.SystemCode,
+          sessionId: sessionId,
+          privileges: await this.getPrivileges(
+            system.SystemCode,
+            dbTransaction,
+          ),
+        };
+        userSession.systemLogins.push(newLogin);
+      }
+      // then update userSession inside the redis storage with 1 day duration of time-to-live
+      this._SessionService.setUserSession(this.ObjectId, userSession);
+
+      // record new login history
+      await User._LoginHistoryRepository.create(
+        {
+          UserId: this.UserId,
+          SystemCode: system.SystemCode,
+          OriginIp: ipAddress,
+          CreatedAt: new Date(),
+          LoginStatus: LoginStatusEnum.SUCCESS,
+        },
+        {
+          transaction: dbTransaction,
+        },
+      );
+
+      // Retrieve is2FAEnabledYN from sso-config with ComponentConfig.
+      const is2FAEnabledYN = ComponentConfig.getComponentConfigValue(
+        '@tomei/sso',
+        'is2FAEnabledYN',
+      );
+      const loginUser = await LoginUser.init(
+        this.SessionService,
+        this.UserId,
+        dbTransaction,
+      );
+
+      if (is2FAEnabledYN === 'Y') {
+        loginUser.session.Id = `${this.UserId}:`;
+      } else {
+        loginUser.session.Id = `${this.UserId}:${sessionId}`;
+      }
+
+      return loginUser;
+    } catch (error) {
+      if (this.ObjectId) {
+        await User._LoginHistoryRepository.create(
+          {
+            UserId: this.UserId,
+            SystemCode: systemCode,
+            OriginIp: ipAddress,
+            LoginStatus: LoginStatusEnum.FAILURE,
+            CreatedAt: new Date(),
+          },
+          {
+            transaction: dbTransaction,
+          },
+        );
+      }
+      throw error;
+    }
+  }
+
+  protected async checkSystemAccess(
+    userId: number,
+    systemCode: string,
+    dbTransaction?: any,
+  ): Promise<void> {
+    try {
+      let isUserHaveAccess = false;
+
+      const systemAccess = await User._UserSystemAccessRepo.findOne({
+        where: {
+          UserId: userId,
+          SystemCode: systemCode,
+          Status: 'Active',
+        },
+        dbTransaction,
+      });
+
+      if (systemAccess) {
+        isUserHaveAccess = true;
+      } else {
+        const userGroups = await User._UserGroupRepo.findAll({
+          where: {
+            UserId: userId,
+            InheritGroupAccessYN: 'Y',
+            Status: 'Active',
+          },
+          include: [
+            {
+              model: GroupModel,
+            },
+          ],
+          dbTransaction,
+        });
+
+        for (const usergroup of userGroups) {
+          const group = usergroup.Group;
+          const groupSystemAccess = await User.getInheritedSystemAccess(
+            dbTransaction,
+            group,
+          );
+
+          for (const system of groupSystemAccess) {
+            if (system.SystemCode === systemCode) {
+              isUserHaveAccess = true;
+              break;
+            }
+          }
+        }
+      }
+
+      if (!isUserHaveAccess) {
+        throw new Error("User don't have access to the system.");
+      }
+    } catch (error) {
+      throw error;
+    }
+  }
+
+  async checkPrivileges(
+    systemCode: string,
+    privilegeName: string,
+  ): Promise<boolean> {
+    try {
+      if (!this.ObjectId) {
+        throw new Error('ObjectId(UserId) is not set');
+      }
+
+      const userSession = await this._SessionService.retrieveUserSession(
+        this.ObjectId,
+      );
+
+      const systemLogin = userSession.systemLogins.find(
+        (system) => system.code === systemCode,
+      );
+
+      if (!systemLogin) {
+        return false;
+      }
+
+      const privileges = systemLogin.privileges;
+      const hasPrivilege = privileges.includes(privilegeName);
+      return hasPrivilege;
+    } catch (error) {
+      throw error;
+    }
+  }
+
+  private async alertNewLogin(
+    userId: string,
+    systemCode: string,
+    ipAddress: string,
+  ) {
+    try {
+      const userLogins = await User._LoginHistoryRepository.findAll({
+        where: {
+          UserId: userId,
+          SystemCode: systemCode,
+        },
+      });
+
+      const gotPreviousLogins = userLogins?.length !== 0;
+      let ipFound: LoginHistory | undefined = undefined;
+      if (gotPreviousLogins) {
+        ipFound = userLogins.find((item) => item.OriginIp === ipAddress);
+      }
+
+      // if (gotPreviousLogins && !ipFound) {
+      //   const EMAIL_SENDER =
+      //     process.env.EMAIL_SENDER || 'itd-system@tomei.com.my';
+      //   const transporter = new SMTPMailer();
+
+      //   await transporter.sendMail({
+      //     from: EMAIL_SENDER,
+      //     to: this.Email,
+      //     subject: 'New Login Alert',
+      //     html: `<p>Dear ${this.FullName},</p>
+      //             <p>There was a new login to your account from ${ipAddress} on ${new Date().toLocaleString()}.</p>
+      //             <p>If this was you, you can safely ignore this email.</p>
+      //             <p>If you suspect that someone else is trying to access your account, please contact us immediately at itd-support@tomei.com.my.</p>
+      //             <p>Thank you!,</p>
+      //             <p>
+      //                 Best Regards,
+      //                 IT Department
+      //             </p>`,
+      //   });
+      // }
+    } catch (error) {
+      throw error;
+    }
+  }
+
+  private async getPrivileges(
+    systemCode: string,
+    dbTransaction?: any,
+  ): Promise<string[]> {
+    try {
+      const system = await User._SystemRepository.findOne({
+        where: {
+          SystemCode: systemCode,
+        },
+        transaction: dbTransaction,
+      });
+
+      if (!system) {
+        throw new Error('Invalid system code.');
+      }
+
+      /**
+       * Ways user can get privileges:
+       * 1. Privileges directly assigned to the user using UserPrivilege
+       * 2. User have object that have privileges
+       * 3. User have group that can inherit privileges
+       * 3. User have group that have parent group that can inherit privileges to said group
+       */
+
+      //Retrive privileges directly assigned to the user
+      const userPrivileges = await this.getUserPersonalPrivileges(
+        systemCode,
+        dbTransaction,
+      );
+
+      //Retrieve privileges from object that user have
+      const objectPrivileges = await this.getObjectPrivileges(
+        systemCode,
+        dbTransaction,
+      );
+
+      //Retrieve privileges from group that able to inherit privileges to user
+      //Retrieve all user groups own by user that can inherit privileges for the system
+      const userGroupOwnByUser = await User._UserGroupRepo.findAll({
+        where: {
+          UserId: this.UserId,
+          InheritGroupSystemAccessYN: 'Y',
+          InheritGroupPrivilegeYN: 'Y',
+          Status: 'Active',
+        },
+        include: [
+          {
+            model: GroupModel,
+            where: {
+              Status: 'Active',
+            },
+            include: [
+              {
+                model: GroupSystemAccessModel,
+                where: {
+                  SystemCode: systemCode,
+                },
+              },
+            ],
+          },
+        ],
+        transaction: dbTransaction,
+      });
+
+      //Get all privileges from groups data
+      let groupsPrivileges: string[] = [];
+      for (const userGroup of userGroupOwnByUser) {
+        const gp: string[] = await this.getInheritedPrivileges(
+          userGroup.GroupCode,
+          systemCode,
+          dbTransaction,
+        );
+        groupsPrivileges = [...groupsPrivileges, ...gp];
+      }
+
+      //Map all privileges to a single array
+      const privileges: string[] = [
+        ...userPrivileges,
+        ...objectPrivileges,
+        ...groupsPrivileges,
+      ];
+      return privileges;
+    } catch (error) {
+      throw error;
+    }
+  }
+
+  private async getInheritedPrivileges(
+    groupCode: string,
+    systemCode: string,
+    dbTransaction?: string,
+  ): Promise<string[]> {
+    try {
+      // Retrieve Group from the database based on groupCode
+      const group = await User._GroupRepo.findOne({
+        where: {
+          GroupCode: groupCode,
+          Status: 'Active',
+        },
+        include: [
+          {
+            model: GroupPrivilegeModel,
+            where: {
+              Status: 'Active',
+            },
+            include: [
+              {
+                model: SystemPrivilege,
+                where: {
+                  SystemCode: systemCode,
+                  Status: 'Active',
+                },
+              },
+            ],
+          },
+        ],
+        transaction: dbTransaction,
+      });
+
+      // retrieve group ObjectPrivileges
+      const objectPrivileges = await User._GroupObjectPrivilegeRepo.findAll({
+        where: {
+          GroupCode: groupCode,
+        },
+        include: {
+          model: SystemPrivilege,
+          where: {
+            SystemCode: systemCode,
+            Status: 'Active',
+          },
+        },
+        transaction: dbTransaction,
+      });
+
+      let privileges: string[] = [];
+      // Add privileges from the group to the privileges array
+      const groupPrivileges: string[] = [];
+      for (const groupPrivilege of group.GroupPrivileges) {
+        groupPrivileges.push(groupPrivilege.Privilege.PrivilegeCode);
+      }
+
+      const ops: string[] = [];
+      for (const objectPrivilege of objectPrivileges) {
+        ops.push(objectPrivilege.Privilege.PrivilegeCode);
+      }
+
+      privileges = [...privileges, ...groupPrivileges, ...ops];
+
+      // Recursive call if not root and allow inherit privileges from parent group
+      if (group.ParentGroupCode && group.InheritParentPrivilegeYN === 'Y') {
+        const parentGroupPrivileges = await this.getInheritedPrivileges(
+          group.ParentGroupCode,
+          systemCode,
+          dbTransaction,
+        );
+        privileges = [...privileges, ...parentGroupPrivileges];
+      }
+
+      return privileges;
+    } catch (error) {
+      throw error;
+    }
+  }
+
+  private async getUserPersonalPrivileges(
+    systemCode: string,
+    dbTransaction?: any,
+  ): Promise<string[]> {
+    try {
+      const userPrivileges = await User._UserPrivilegeRepo.findAll({
+        where: {
+          UserId: this.UserId,
+          Status: 'Active',
+        },
+        include: {
+          model: SystemPrivilege,
+          where: {
+            SystemCode: systemCode,
+            Status: 'Active',
+          },
+        },
+        transaction: dbTransaction,
+      });
+
+      const privileges: string[] = userPrivileges.map(
+        (u) => u.Privilege.PrivilegeCode,
+      );
+      return privileges;
+    } catch (error) {
+      throw error;
+    }
+  }
+
+  private async getObjectPrivileges(
+    systemCode: string,
+    dbTransaction?: any,
+  ): Promise<string[]> {
+    try {
+      const userObjectPrivileges = await User._UserObjectPrivilegeRepo.findAll({
+        where: {
+          UserId: this.UserId,
+        },
+        include: {
+          model: SystemPrivilege,
+          where: {
+            SystemCode: systemCode,
+            Status: 'Active',
+          },
+        },
+        transaction: dbTransaction,
+      });
+
+      const privilegesCodes: string[] = userObjectPrivileges.map(
+        (u) => u.Privilege.PrivilegeCode,
+      );
+      return privilegesCodes;
+    } catch (error) {
+      throw error;
+    }
+  }
+
+  private static async checkUserInfoDuplicated(
+    dbTransaction: any,
+    query: ICheckUserInfoDuplicatedQuery,
+  ) {
+    //This method if check if duplicate user info found.
+    try {
+      //Part 1: Prepare Query Params
+      //Params is all optional but at least one is required.
+      const { Email, UserName, IdType, IdNo, ContactNo } = query;
+      //Prepare the Params to be used as OR operation in SQL query.
+      const where = {
+        [Op.or]: {},
+      };
+      if (Email) {
+        where[Op.or]['Email'] = Email;
+      }
+
+      if (UserName) {
+        where[Op.or]['UserName'] = UserName;
+      }
+      //If Params.IdNo is not null, then Params.IdType is required and vice versa.
+      if (IdType && IdNo) {
+        where[Op.or]['IdType'] = IdType;
+        where[Op.or]['IdNo'] = IdNo;
+      }
+      if (ContactNo) {
+        where[Op.or]['ContactNo'] = ContactNo;
+      }
+      //Call LoginUser._Repo findOne method by passing the OR operation object based on query params in Part 1. Code example can be referred at bottom part. Make sure to pass the dbTransaction
+      const user = await User._Repository.findAll({
+        where,
+        transaction: dbTransaction,
+      });
+
+      if (user && user.length > 0) {
+        throw new ClassError(
+          'LoginUser',
+          'LoginUserErrMsg0X',
+          'User info already exists',
+        );
+      }
+    } catch (error) {
+      throw error;
+    }
+  }
+
+  private static generateDefaultPassword(): string {
+    //This method will generate default password for user.
+    try {
+      //Part 1: Retrieve Password Policy
+      //Retrieve all password policy from component config, call ComponentConfig.getComponentConfigValue method
+      const passwordPolicy = ComponentConfig.getComponentConfigValue(
+        '@tomei/sso',
+        'passwordPolicy',
+      );
+
+      //Make sure all passwordPolicy keys got values, if not throw new ClassError
+      if (
+        !passwordPolicy ||
+        !passwordPolicy.maxLen ||
+        !passwordPolicy.minLen ||
+        !passwordPolicy.nonAcceptableChar ||
+        !passwordPolicy.numOfCapitalLetters ||
+        !passwordPolicy.numOfNumbers ||
+        !passwordPolicy.numOfSpecialChars
+      ) {
+        throw new ClassError(
+          'LoginUser',
+          'LoginUserErrMsg0X',
+          'Missing password policy. Please set in config file.',
+        );
+      }
+
+      if (
+        passwordPolicy.numOfCapitalLetters +
+          passwordPolicy.numOfNumbers +
+          passwordPolicy.numOfSpecialChars >
+        passwordPolicy.maxLen
+      ) {
+        throw new ClassError(
+          'LoginUser',
+          'LoginUserErrMsg0X',
+          'Password policy is invalid. Please set in config file.',
+        );
+      }
+
+      //Part 2: Generate Random Password and returns
+      //Generate random password based on passwordPolicy
+      const {
+        maxLen,
+        minLen,
+        nonAcceptableChar,
+        numOfCapitalLetters,
+        numOfNumbers,
+        numOfSpecialChars,
+      } = passwordPolicy;
+      const passwordLength =
+        Math.floor(Math.random() * (maxLen - minLen + 1)) + minLen;
+      const words = 'abcdefghijklmnopqrstuvwxyz';
+      const capitalLetters = words.toUpperCase();
+      const numbers = '0123456789';
+      const specialChars = '!@#$%^&*()_+-={}[]|:;"<>,.?/~`';
+      const nonAcceptableChars: string[] = nonAcceptableChar.split(',');
+
+      const filteredWords: string[] = words
+        .split('')
+        .filter((word) => !nonAcceptableChars.includes(word));
+      const filteredCapitalLetters: string[] = capitalLetters
+        .split('')
+        .filter((word) => !nonAcceptableChars.includes(word));
+      const filteredNumbers: string[] = numbers
+        .split('')
+        .filter((word) => !nonAcceptableChars.includes(word));
+      const filteredSpecialChars: string[] = specialChars
+        .split('')
+        .filter((word) => !nonAcceptableChars.includes(word));
+
+      const generatedCapitalLetters: string[] = [];
+      const generatedNumbers: string[] = [];
+      const generatedSpecialChars: string[] = [];
+      const generatedWords: string[] = [];
+
+      for (let i = 0; i < numOfCapitalLetters; i++) {
+        const randomIndex = Math.floor(
+          Math.random() * filteredCapitalLetters.length,
+        );
+        generatedCapitalLetters.push(filteredCapitalLetters[randomIndex]);
+      }
+
+      for (let i = 0; i < numOfNumbers; i++) {
+        const randomIndex = Math.floor(Math.random() * filteredNumbers.length);
+        generatedNumbers.push(filteredNumbers[randomIndex]);
+      }
+
+      for (let i = 0; i < numOfSpecialChars; i++) {
+        const randomIndex = Math.floor(
+          Math.random() * filteredSpecialChars.length,
+        );
+        generatedSpecialChars.push(filteredSpecialChars[randomIndex]);
+      }
+
+      for (
+        let i = 0;
+        i <
+        passwordLength -
+          (numOfCapitalLetters + numOfNumbers + numOfSpecialChars);
+        i++
+      ) {
+        const randomIndex = Math.floor(Math.random() * filteredWords.length);
+        generatedWords.push(filteredWords[randomIndex]);
+      }
+
+      //Combine all generated words, capitalLetters, numbers and specialChars and shuffle it
+      let generatedPassword = '';
+      const allGeneratedChars = generatedCapitalLetters.concat(
+        generatedNumbers,
+        generatedSpecialChars,
+        generatedWords,
+      );
+      allGeneratedChars.sort(() => Math.random() - 0.5);
+      generatedPassword = allGeneratedChars.join('');
+      return generatedPassword;
+    } catch (error) {
+      throw error;
+    }
+  }
+
+  private static async setPassword(
+    dbTransaction: any,
+    user: User,
+    password: string,
+  ): Promise<User> {
+    //This method will set password for the user.
+    try {
+      //Part 1: Verify Password
+      //Retrieve all password policy from component config
+      const passwordPolicy = ComponentConfig.getComponentConfigValue(
+        '@tomei/sso',
+        'passwordPolicy',
+      );
+
+      //Make sure all passwordPolicy keys got values, if not throw a ClassError
+      if (
+        !passwordPolicy ||
+        !passwordPolicy.maxLen ||
+        !passwordPolicy.minLen ||
+        !passwordPolicy.nonAcceptableChar ||
+        !passwordPolicy.numOfCapitalLetters ||
+        !passwordPolicy.numOfNumbers ||
+        !passwordPolicy.numOfSpecialChars
+      ) {
+        throw new ClassError(
+          'LoginUser',
+          'LoginUserErrMsg0X',
+          'Missing password policy. Please set in config file.',
+        );
+      }
+
+      //Compare Params.password with the password policy. If not matched, throw new ClassError
+      try {
+        //Check if password length is more than passwordPolicy.minLen
+        if (password.length < passwordPolicy.minLen) {
+          throw Error('Password is too short');
+        }
+
+        //Check if password length is less than passwordPolicy.maxLen
+        if (password.length > passwordPolicy.maxLen) {
+          throw Error('Password is too long');
+        }
+
+        //Check if password contains nonAcceptableChar
+        const nonAcceptableChars: string[] =
+          passwordPolicy.nonAcceptableChar.split(',');
+        const nonAcceptableCharsFound = nonAcceptableChars.some((char) =>
+          password.includes(char),
+        );
+        if (nonAcceptableCharsFound) {
+          throw Error('Password contains unacceptable characters');
+        }
+
+        //Check if password contains the correct amount of capital letter required from numOfCapitalLetters
+        const capitalLetters = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ';
+        const numOfCapitalLetters = passwordPolicy.numOfCapitalLetters;
+        const capitalLettersFound = capitalLetters
+          .split('')
+          .filter((char) => password.includes(char)).length;
+        if (capitalLettersFound < numOfCapitalLetters) {
+          throw Error('Password does not contain enough capital letters');
+        }
+
+        //Check if password contains the correct amount of numbers required from numOfNumbers
+        const numbers = '0123456789';
+        const numOfNumbers = passwordPolicy.numOfNumbers;
+        const numbersFound = numbers
+          .split('')
+          .filter((char) => password.includes(char)).length;
+        if (numbersFound < numOfNumbers) {
+          throw Error('Password does not contain enough numbers');
+        }
+
+        //Check if password contains the correct amount of special characters required from numOfSpecialChars
+        const specialChars = '!@#$%^&*()_+-={}[]|:;"<>,.?/~`';
+        const numOfSpecialChars = passwordPolicy.numOfSpecialChars;
+        const specialCharsFound = specialChars
+          .split('')
+          .filter((char) => password.includes(char)).length;
+        if (specialCharsFound < numOfSpecialChars) {
+          throw Error('Password does not contain enough special characters');
+        }
+      } catch (error) {
+        throw new ClassError(
+          'LoginUser',
+          'LoginUserErrMsg0X',
+          "Your password doesn't meet security requirements. Try using a mix of uppercase and lowercase letters, numbers, and symbols.",
+        );
+      }
+
+      //Part 2: Hash Password
+      //Hash the Params.password using PasswordHashService.hashPassword method
+      const passwordHashService = new PasswordHashService();
+      const hashedPassword = await passwordHashService.hashPassword(password);
+
+      //Part 3: Return Updated User Instance
+      user._Password = hashedPassword;
+      return user;
+    } catch (error) {
+      throw error;
+    }
+  }
+
+  public static async create(
+    loginUser: User,
+    dbTransaction: any,
+    user: User,
+  ): Promise<User> {
+    try {
+      //This method will insert new user record
+      //Part 1: Privilege Checking
+      const systemCode =
+        ApplicationConfig.getComponentConfigValue('system-code');
+      const isPrivileged = await loginUser.checkPrivileges(
+        systemCode,
+        'User - Create',
+      );
+
+      //If user does not have privilege to create user, throw a ClassError
+      if (!isPrivileged) {
+        throw new ClassError(
+          'LoginUser',
+          'LoginUserErrMsg0X',
+          'You do not have the privilege to create user',
+        );
+      }
+
+      //Part 2: Validation
+      //Make sure Params.user.Email got values. If not, throw new ClassError
+      if (!user.Email && !user.UserName) {
+        throw new ClassError(
+          'LoginUser',
+          'LoginUserErrMsg0X',
+          'Email and Username is required',
+        );
+      }
+      //Check if user info exists, call LoginUser.CheckUserInfoDuplicated method
+      await User.checkUserInfoDuplicated(dbTransaction, {
+        Email: user.Email,
+        UserName: user.UserName,
+        IdType: user.IDType,
+        IdNo: user.IDNo,
+        ContactNo: user.ContactNo,
+      });
+
+      //Part 3: Generate Default Password
+      const defaultPassword = User.generateDefaultPassword();
+      user = await User.setPassword(dbTransaction, user, defaultPassword);
+      //Part 4: Insert User Record
+      //Set userToBeCreated to the instantiation of new LoginUser (using private constructor)
+      const userInfo: IUserAttr = {
+        UserName: user.UserName,
+        FullName: user.FullName,
+        IDNo: user.IDNo,
+        Email: user.Email,
+        ContactNo: user.ContactNo,
+        Password: user.Password,
+        Status: UserStatus.ACTIVE,
+        FirstLoginAt: null,
+        LastLoginAt: null,
+        MFAEnabled: null,
+        MFAConfig: null,
+        RecoveryEmail: null,
+        FailedLoginAttemptCount: 0,
+        LastFailedLoginAt: null,
+        LastPasswordChangedAt: null,
+        DefaultPasswordChangedYN: YN.No,
+        NeedToChangePasswordYN: YN.Yes,
+        CreatedById: loginUser.UserId,
+        CreatedAt: new Date(),
+        UpdatedById: loginUser.UserId,
+        UpdatedAt: new Date(),
+        UserId: null,
+      };
+      //Call LoginUser._Repo create method to insert new user record
+      const newUser = await User._Repository.create(
+        {
+          Email: userInfo.Email,
+          UserName: userInfo.UserName,
+          Password: userInfo.Password,
+          Status: userInfo.Status,
+          DefaultPasswordChangedYN: userInfo.DefaultPasswordChangedYN,
+          FirstLoginAt: userInfo.FirstLoginAt,
+          LastLoginAt: userInfo.LastLoginAt,
+          MFAEnabled: userInfo.MFAEnabled,
+          MFAConfig: userInfo.MFAConfig,
+          RecoveryEmail: userInfo.RecoveryEmail,
+          FailedLoginAttemptCount: userInfo.FailedLoginAttemptCount,
+          LastFailedLoginAt: userInfo.LastFailedLoginAt,
+          LastPasswordChangedAt: userInfo.LastPasswordChangedAt,
+          NeedToChangePasswordYN: userInfo.NeedToChangePasswordYN,
+          CreatedById: userInfo.CreatedById,
+          CreatedAt: userInfo.CreatedAt,
+          UpdatedById: userInfo.UpdatedById,
+          UpdatedAt: userInfo.UpdatedAt,
+        },
+        {
+          transaction: dbTransaction,
+        },
+      );
+
+      userInfo.UserId = newUser.UserId;
+      const userToBeCreated = new User(
+        loginUser.SessionService,
+        dbTransaction,
+        userInfo,
+      );
+
+      //Part 5: Record Create User Activity
+      const activity = new Activity();
+      activity.ActivityId = activity.createId();
+      activity.Action = ActionEnum.ADD;
+      activity.Description = 'Create User';
+      activity.EntityType = 'LoginUser';
+      activity.EntityId = newUser.UserId.toString();
+      activity.EntityValueBefore = JSON.stringify({});
+      activity.EntityValueAfter = JSON.stringify(newUser.get({ plain: true }));
+
+      await activity.create(loginUser.ObjectId, dbTransaction);
+      return userToBeCreated;
+    } catch (error) {
+      throw error;
+    }
+  }
+
+  private async incrementFailedLoginAttemptCount(dbTransaction: any) {
+    // This method is used to process all the necessary step after login failed by invalid credential
+
+    // 1. Retrieve maxFailedLoginAttempts and autoReleaseYN from component config, call ComponentConfig.getComponentConfigValue
+    const maxFailedLoginAttempts = ComponentConfig.getComponentConfigValue(
+      '@tomei/sso',
+      'maxFailedLoginAttempts',
+    );
+
+    const autoReleaseYN = ComponentConfig.getComponentConfigValue(
+      '@tomei/sso',
+      'autoReleaseYN',
+    );
+
+    // 2. Make sure all maxFailedLoginAttempts keys got values
+    if (!maxFailedLoginAttempts || !autoReleaseYN) {
+      throw new ClassError(
+        'LoginUser',
+        'LoginUserErrMsg0X',
+        'Missing maxFailedLoginAttempts and or autoReleaseYN. Please set in config file.',
+      );
+    }
+
+    // 3. Set below object property FailedLoginAttemptCount & LastFailedLoginAt
+    const FailedLoginAttemptCount = this.FailedLoginAttemptCount + 1;
+    const LastFailedLoginAt = new Date();
+
+    // 4. If this.FailedLoginAttemptCount > config.maxFailedLogginAttempts, then set this.Status = 'Locked'
+    if (FailedLoginAttemptCount > maxFailedLoginAttempts) {
+      this.Status = UserStatus.LOCKED;
+    }
+
+    // 5. Update the user data by calling _Repo.update with these parameter
+    await User._Repository.update(
+      {
+        FailedLoginAttemptCount: FailedLoginAttemptCount,
+        LastFailedLoginAt: LastFailedLoginAt,
+        Status: this.Status,
+      },
+      {
+        where: {
+          UserId: this.UserId,
+        },
+        transaction: dbTransaction,
+      },
+    );
+
+    // 6. Depending on the Status and config.AutoReleaseYN, throw below error:
+
+    // 6.1 If Status = "Locked" and config.AutoReleaseYN = "Y", throws below error:
+    if (this.Status === UserStatus.LOCKED && autoReleaseYN === 'Y') {
+      throw new ClassError(
+        'LoginUser',
+        'LoginUserErrMsg0X',
+        'Your account has been temporarily locked due to too many failed login attempts, please try again later.',
+      );
+    }
+
+    // 6.2 If Status = "Locked" and config.AutoReleaseYN = "N", throws below error:
+    if (this.Status === UserStatus.LOCKED && autoReleaseYN === 'N') {
+      throw new ClassError(
+        'LoginUser',
+        'LoginUserErrMsg0X',
+        'Your account has been locked due to too many failed login attempts, please contact IT Support for instructions on how to unlock your account',
+      );
+    }
+
+    // 6.2 If Status = "Locked" and config.AutoReleaseYN = "N", throws below error:
+    if (this.Status == UserStatus.LOCKED) {
+      throw new ClassError(
+        'LoginUser',
+        'LoginUserErrMsg0X',
+        'Invalid credentials.',
+      );
+    }
+  }
+
+  public static shouldReleaseLock(LastFailedLoginAt) {
+    // This method is used to check whether the account is eligible to be unlocked.
+
+    // 1. Retrieve maxFailedLoginAttempts and autoReleaseYN from component config, call ComponentConfig.getComponentConfigValue
+    const minuteToAutoRelease = ComponentConfig.getComponentConfigValue(
+      '@tomei/sso',
+      'minuteToAutoRelease',
+    );
+
+    const autoReleaseYN = ComponentConfig.getComponentConfigValue(
+      '@tomei/sso',
+      'autoReleaseYN',
+    );
+
+    // 2. Make sure all maxFailedLoginAttempts keys got values
+    if (!minuteToAutoRelease || !autoReleaseYN) {
+      throw new ClassError(
+        'LoginUser',
+        'LoginUserErrMsg0X',
+        'Missing minuteToAutoRelease and or autoReleaseYN. Please set in config file.',
+      );
+    }
+
+    // 6. Depending on the config.AutoReleaseYN, do the following :
+
+    // 6.1 If config.AutoReleaseYN = "Y":
+    if (autoReleaseYN === 'Y') {
+      const lastFailedDate = new Date(LastFailedLoginAt);
+      const currentDate = new Date();
+      const timeDifferenceInMillis =
+        currentDate.getTime() - lastFailedDate.getTime();
+      const timeDifferenceInMinutes: number =
+        timeDifferenceInMillis / (1000 * 60);
+
+      if (timeDifferenceInMinutes > +minuteToAutoRelease) {
+        return true;
+      } else {
+        return false;
+      }
+      // 6.2 If config.AutoReleaseYN = "N":
+    } else if (autoReleaseYN === 'N') {
+      return false;
+    }
+  }
+
+  private static releaseLock(UserId: number, dbTransaction: any) {
+    // This method is used to process all the necessary step after login failed by invalid credential
+
+    // 1. Update User Status and FailedLoginAttemptCount
+    this._Repository.update(
+      {
+        FailedLoginAttemptCount: 0,
+        Status: UserStatus.ACTIVE,
+      },
+      {
+        where: {
+          UserId: UserId,
+        },
+        transaction: dbTransaction,
+      },
+    );
+  }
+
+  public static async getGroups(loginUser: User, dbTransaction: any) {
+    // This method will retrieve all user groups.
+
+    // Part 1: Privilege Checking
+    const systemCode = ApplicationConfig.getComponentConfigValue('system-code');
+    const isPrivileged = await loginUser.checkPrivileges(
+      systemCode,
+      'UserGroup - List Own',
+    );
+    if (!isPrivileged) {
+      throw new Error('You do not have permission to list UserGroup.');
+    }
+
+    // Part 2: Retrieve User Groups & Returns
+    const userGroups = await User._UserGroupRepo.findAll({
+      where: {
+        UserId: loginUser.ObjectId,
+        Status: 'Active',
+      },
+      include: [{ model: UserModel, as: 'User' }, { model: GroupModel }],
+      transaction: dbTransaction,
+    });
+
+    return userGroups;
+  }
+
+  protected static async getInheritedSystemAccess(
+    dbTransaction: any,
+    group: GroupModel,
+  ) {
+    // This method is a recursive method that will returns group system access with its parent group system access if applicable.
+    // Part 1: Retrieve Group System Access
+    const dataSystemAccesses = await User._GroupSystemAccessRepo.findAll({
+      where: {
+        GroupCode: group.GroupCode,
+        Status: 'Active',
+      },
+      include: [{ model: SystemModel }],
+      transaction: dbTransaction,
+    });
+    let systemAccesses = dataSystemAccesses;
+
+    // Part 2: Retrieve Parent Group System Access If Applicable
+    // 2.1 Check if Params.group.InheritParentSystemAccessYN is "Y" and Params.group.ParentGroupCode is not empty
+    if (group.InheritParentPrivilegeYN === 'Y' && group.ParentGroupCode) {
+      const GroupCode = group.ParentGroupCode;
+      const parentGroup = await User._GroupRepo.findByPk(
+        GroupCode,
+        dbTransaction,
+      );
+      const dataParentSystemAccesses = await User.getInheritedSystemAccess(
+        dbTransaction,
+        parentGroup,
+      );
+
+      const parentSystemAccesses = dataParentSystemAccesses;
+
+      systemAccesses = systemAccesses.concat(parentSystemAccesses);
+    }
+    // Part 3: Return Array
+    return systemAccesses;
+  }
+
+  private static async combineSystemAccess(
+    loginUser: User,
+    dbTransaction: any,
+    groups: any,
+  ) {
+    // Part 1: Retrieve User System Access
+    const userAccess = await User._UserSystemAccessRepo.findAll({
+      where: {
+        UserId: loginUser.ObjectId,
+        Status: 'Active',
+      },
+      include: [{ model: SystemModel }],
+      transaction: dbTransaction,
+    });
+
+    // Part 2: Create Group System Access Promises
+    const groupAccessPromises = groups.map(async (e) => {
+      if (e.InheritParentSystemAccessYN) {
+        return await this.getInheritedSystemAccess(dbTransaction, e);
+      } else {
+        return [];
+      }
+    });
+
+    // Part 3: Resolve Promises and Flatten the Results
+    const groupAccess = (await Promise.all(groupAccessPromises)).flat(); // Combine all group
+
+    // Part 4: Combine, Remove Duplicates & Returns
+    const allAccess = userAccess.concat(groupAccess);
+    const uniqueAccess = new Set(
+      allAccess.filter((value, index, self) => {
+        // Check for duplicates based on object properties (replace with your actual comparison logic)
+        return self.some((prev) => prev.SystemCode === value.SystemCode);
+      }),
+    );
+    return Array.from(uniqueAccess) as ISystemAccess[];
+  }
+
+  public static async getSystems(loginUser: User, dbTransaction: any) {
+    // This method will retrieve all system records which user has accessed to.
+
+    // Part 1: Privilege Checking
+    const systemCode = ApplicationConfig.getComponentConfigValue('system-code');
+    const isPrivileged = await loginUser.checkPrivileges(
+      systemCode,
+      'System – List Own',
+    );
+    if (!isPrivileged) {
+      throw new Error('You do not have permission to list UserGroup.');
+    }
+
+    // Part 2: Retrieve System Access
+    const groups = await User.getGroups(loginUser, dbTransaction);
+    const systemAccess = await User.combineSystemAccess(
+      loginUser,
+      dbTransaction,
+      groups,
+    );
+    const output = [];
+    if (systemAccess) {
+      for (let i = 0; i < systemAccess.length; i++) {
+        const system = await User._SystemRepository.findOne({
+          where: {
+            SystemCode: systemAccess[i].SystemCode,
+            Status: 'Active',
+          },
+        });
+        output.push({
+          UserSystemAccessId: systemAccess[i].UserSystemAccessId,
+          UserId: systemAccess[i].UserId,
+          SystemCode: systemAccess[i].SystemCode,
+          Status: systemAccess[i].Status,
+          CreatedById: systemAccess[i].CreatedById,
+          UpdatedById: systemAccess[i].UpdatedById,
+          CreatedAt: systemAccess[i].CreatedAt,
+          UpdatedAt: systemAccess[i].UpdatedAt,
+          System: system,
+        });
+      }
+    }
+
+    // Part 3: Map Result to System Object
+    return output;
+  }
+
+  //This method will check if user enable 2FA or not.
+  private static async check2FA(loginUser: User, dbTransaction: any) {
+    try {
+      //Use LoginUser._Repo findOne() method
+      const user = await User._Repository.findOne({
+        where: {
+          UserId: loginUser.UserId,
+        },
+        transaction: dbTransaction,
+      });
+
+      //From the return record, if MFAEnabled value is 1 then return true else return false.
+      if (user.MFAEnabled === 1) {
+        return true;
+      }
+      return false;
+    } catch (error) {
+      throw error;
+    }
+  }
+
+  //This method will set the 2FA setting for the login user
+  public static async setup2FA(userId: number, dbTransaction: any) {
+    // 1. Retrieve system code from app config using ApplicationConfig.
+    const systemCode = ApplicationConfig.getComponentConfigValue('system-code');
+
+    // 2. Retrieve user data by calling LoginUser._Repository.findOne with UserId
+    const user = await User._Repository.findOne({
+      where: {
+        UserId: userId,
+      },
+    });
+
+    // 3. If user data not found then return throw Class Error
+    if (!user) {
+      throw new ClassError(
+        'LoginUser',
+        'LoginUserErrMsg0X',
+        'Invalid Credentials',
+      );
+    }
+
+    // 4. Generate the 2FA secret code by calling speakeasy.generateSecret with parameter
+    const secretCode = speakeasy.generateSecret({ name: systemCode });
+
+    // parse MFA Config
+    let userMFAConfig = null;
+    if (user?.MFAConfig !== null && typeof user?.MFAConfig === 'string') {
+      try {
+        userMFAConfig = JSON.parse(user?.MFAConfig);
+      } catch (error) {
+        console.error('Invalid JSON string on MFAConfig:', error);
+      }
+    }
+
+    // 5. Set MFAConfig
+    const MFAConfig = {
+      totp: {
+        enabled: true,
+        secret: secretCode.base32,
+        issuer: systemCode,
+      },
+      sms: {
+        enabled: userMFAConfig?.sms?.enable || false,
+        phoneNumber: userMFAConfig?.sms?.phoneNumber || '',
+      },
+      email: {
+        enabled: userMFAConfig?.email?.enable || false,
+        emailAddress: userMFAConfig?.email?.emailAddress || '',
+      },
+    };
+
+    // 6. Set login user properties
+    user.MFAEnabled = 0;
+    user.MFAConfig = JSON.stringify(MFAConfig);
+
+    // 7. Update the user data by calling LoginUser._Repository.Update
+    await User._Repository.update(
+      {
+        MFAEnabled: user.MFAEnabled,
+        MFAConfig: user.MFAConfig,
+      },
+      {
+        where: {
+          UserId: userId,
+        },
+        transaction: dbTransaction,
+      },
+    );
+
+    // 8. return <result from step 2>.otpauth_url
+    return secretCode.otpauth_url;
+  }
+
+  //This method will verify whether 2FA have been set correctly
+  public async verify2FASetup(
+    userId: number,
+    mfaToken: string,
+    dbTransaction: any,
+  ) {
+    // 1. Retrieve user data by calling LoginUser._Repository.findOne with UserId
+    const user = await User._Repository.findOne({
+      where: {
+        UserId: userId,
+      },
+    });
+
+    // 2. If user data not found then return throw Class Error
+    if (!user) {
+      throw new ClassError(
+        'LoginUser',
+        'LoginUserErrMsg0X',
+        'Invalid Credentials',
+      );
+    }
+
+    // parse MFA Config
+    let userMFAConfig = null;
+    if (user?.MFAConfig !== null && typeof user?.MFAConfig === 'string') {
+      try {
+        userMFAConfig = JSON.parse(user?.MFAConfig);
+      } catch (error) {
+        console.error('Invalid JSON string on MFAConfig:', error);
+      }
+    }
+
+    // 3. Verify the mfaToken by calling speakeasy.totp.verify
+    const isVerified = await speakeasy.totp.verify({
+      secret: userMFAConfig.totp.secret,
+      encoding: 'base32',
+      token: mfaToken,
+    });
+
+    // 4. if not verified, then return false. if verified, Call LoginUser._Repo.update and update user data in database
+    if (!isVerified) {
+      return false;
+    }
+
+    await User._Repository.update(
+      {
+        MFAEnabled: 1,
+      },
+      {
+        where: {
+          UserId: userId,
+        },
+        transaction: dbTransaction,
+      },
+    );
+
+    // 5. Retrieve Session
+    const userSession = await this._SessionService.retrieveUserSession(
+      `${userId}`,
+    );
+    const systemCode = ApplicationConfig.getComponentConfigValue('system-code');
+
+    const systemLogin = userSession.systemLogins.find(
+      (e) => e.code === systemCode,
+    );
+    return `${userId}:${systemLogin.sessionId}`;
+  }
+
+  // This method will verify  2FA codes
+  public async verify2FACode(
+    userId: number,
+    mfaToken: string,
+    dbTransaction: any,
+  ) {
+    // 1. Retrieve user data by calling LoginUser._Repository.findOne with UserId
+    const user = await User._Repository.findOne({
+      where: {
+        UserId: userId,
+      },
+      transaction: dbTransaction,
+    });
+
+    // 2. If user data not found then return throw Class Error
+    if (!user) {
+      throw new ClassError(
+        'LoginUser',
+        'LoginUserErrMsg0X',
+        'Invalid Credentials',
+      );
+    }
+
+    // parse MFA Config
+    let userMFAConfig = null;
+    if (user?.MFAConfig !== null && typeof user?.MFAConfig === 'string') {
+      try {
+        userMFAConfig = JSON.parse(user?.MFAConfig);
+      } catch (error) {
+        console.error('Invalid JSON string on MFAConfig:', error);
+      }
+    }
+
+    // 3. Verify the mfaToken by calling speakeasy.totp.verify
+    const isVerified = await speakeasy.totp.verify({
+      secret: userMFAConfig.totp.secret,
+      encoding: 'base32',
+      token: mfaToken,
+    });
+
+    // 4. if not verified, then return false. if verified, Call LoginUser._Repo.update and update user data in database
+    if (!isVerified) {
+      return false;
+    }
+
+    // 5. Retrieve Session
+    const userSession = await this._SessionService.retrieveUserSession(
+      `${userId}`,
+    );
+    const systemCode = ApplicationConfig.getComponentConfigValue('system-code');
+
+    const systemLogin = userSession.systemLogins.find(
+      (e) => e.code === systemCode,
+    );
+    return `${userId}:${systemLogin.sessionId}`;
+  }
+
+  public async addUserGroup(
+    GroupCode: string,
+    loginUser: User,
+    dbTransaction: any,
+  ) {
+    // 1. Retrieve group data by calling LoginUser._GroupRepo.findOne with GroupCode
+    const group = await User._GroupRepo.findOne({
+      where: {
+        GroupCode,
+      },
+      transaction: dbTransaction,
+    });
+
+    // 2. If group data not found then return throw Class Error
+    if (!group) {
+      throw new ClassError(
+        'LoginUser',
+        'LoginUserErrMsg0X',
+        'Invalid Group Code',
+      );
+    }
+
+    //3. Create new UserGroup record
+    const entityValueAfter = {
+      UserId: this.UserId,
+      GroupCode: group.GroupCode,
+      CreatedAt: new Date(),
+      CreatedById: loginUser.UserId,
+      UpdatedAt: new Date(),
+      UpdatedById: loginUser.UserId,
+    };
+    await User._UserGroupRepo.create(entityValueAfter, {
+      transaction: dbTransaction,
+    });
+
+    //4. Record Create UserGroup Activity
+    const activity = new Activity();
+    activity.ActivityId = activity.createId();
+    activity.Action = ActionEnum.ADD;
+    activity.Description = 'Add User Group';
+    activity.EntityType = 'UserGroup';
+    activity.EntityId = group.GroupCode;
+    activity.EntityValueBefore = JSON.stringify({});
+    activity.EntityValueAfter = JSON.stringify(entityValueAfter);
+
+    await activity.create(loginUser.ObjectId, dbTransaction);
+  }
+
+  public async update(
+    data: {
+      UserName: string;
+      Email: string;
+      Status: UserStatus;
+      RecoveryEmail: string;
+      BuildingCode?: string;
+      CompanyCode?: string;
+      DepartmentCode?: string;
+    },
+    loginUser: User,
+    dbTransaction: any,
+  ) {
+    //Part 1: Privilege Checking
+    const systemCode = ApplicationConfig.getComponentConfigValue('system-code');
+    const isPrivileged = await loginUser.checkPrivileges(
+      systemCode,
+      'User - Update',
+    );
+
+    //If user does not have privilege to update user, throw a ClassError
+    if (!isPrivileged) {
+      throw new ClassError(
+        'LoginUser',
+        'LoginUserErrMsg0X',
+        'You do not have the privilege to update user',
+      );
+    }
+
+    //Part 2: Validation
+    //Make sure UserId got values. If not, throw new ClassError
+    if (!this.UserId) {
+      throw new ClassError(
+        'LoginUser',
+        'LoginUserErrMsg0X',
+        'UserId is required',
+      );
+    }
+
+    //Make sure email is unique, call LoginUser.CheckUserInfoDuplicated method
+    if (data.Email !== this.Email || data.UserName !== this.UserName) {
+      await User.checkUserInfoDuplicated(dbTransaction, {
+        Email: data.Email,
+        UserName: data.UserName,
+      });
+    }
+
+    //Part 3: Update Building, Company, Department
+    //If Params.BuildingCode is not null,
+    if (data.BuildingCode) {
+      //Check if BuildingCode is valid, call GroupModel.findOne method
+      const building = await GroupModel.findOne({
+        where: {
+          Type: 'Building',
+          GroupCode: data.BuildingCode,
+        },
+        transaction: dbTransaction,
+      });
+
+      //If BuildingCode is invalid, throw new ClassError
+      if (!building) {
+        throw new ClassError(
+          'LoginUser',
+          'LoginUserErrMsg0X',
+          'Invalid Building Code',
+        );
+      }
+
+      //If BuildingCode is valid, call UserGroup.findOne method to find the user building record
+      const userBuilding = await User._UserGroupRepo.findOne({
+        where: {
+          UserId: this.UserId,
+        },
+        include: [
+          {
+            model: GroupModel,
+            where: {
+              Type: 'Building',
+            },
+          },
+        ],
+        transaction: dbTransaction,
+      });
+
+      //If user building record found, call UserGroup.update method to update the record if not found, call UserGroup.create method to create new record
+      if (userBuilding) {
+        await User._UserGroupRepo.update(
+          {
+            GroupCode: data.BuildingCode,
+            UpdatedAt: new Date(),
+            UpdatedById: loginUser.UserId,
+          },
+          {
+            where: {
+              UserId: this.UserId,
+              GroupCode: userBuilding.GroupCode,
+            },
+            transaction: dbTransaction,
+          },
+        );
+      } else {
+        await User._UserGroupRepo.create(
+          {
+            UserId: this.UserId,
+            GroupCode: data.BuildingCode,
+            CreatedAt: new Date(),
+            CreatedById: loginUser.UserId,
+            UpdatedAt: new Date(),
+            UpdatedById: loginUser.UserId,
+          },
+          {
+            transaction: dbTransaction,
+          },
+        );
+      }
+    }
+
+    //If Params.CompanyCode is not null,
+    if (data.CompanyCode) {
+      //Check if CompanyCode is valid, call GroupModel.findOne method
+      const company = await GroupModel.findOne({
+        where: {
+          Type: 'Company',
+          GroupCode: data.CompanyCode,
+        },
+        transaction: dbTransaction,
+      });
+
+      //If CompanyCode is invalid, throw a ClassError
+      if (!company) {
+        throw new ClassError(
+          'LoginUser',
+          'LoginUserErrMsg0X',
+          'Invalid Company Code',
+        );
+      }
+
+      //If CompanyCode is valid, call UserGroup.findOne method to find the user company record
+      const userCompany = await User._UserGroupRepo.findOne({
+        where: {
+          UserId: this.UserId,
+        },
+        include: [
+          {
+            model: GroupModel,
+            where: {
+              Type: 'Company',
+            },
+          },
+        ],
+        transaction: dbTransaction,
+      });
+
+      //If user company record found, call UserGroup.update method to update the record if not found, call UserGroup.create method to create new record
+      if (userCompany) {
+        await User._UserGroupRepo.update(
+          {
+            GroupCode: data.CompanyCode,
+            UpdatedAt: new Date(),
+            UpdatedById: loginUser.UserId,
+          },
+          {
+            where: {
+              UserId: this.UserId,
+              GroupCode: userCompany.GroupCode,
+            },
+            transaction: dbTransaction,
+          },
+        );
+      } else {
+        await User._UserGroupRepo.create(
+          {
+            UserId: this.UserId,
+            GroupCode: data.CompanyCode,
+            CreatedAt: new Date(),
+            CreatedById: loginUser.UserId,
+            UpdatedAt: new Date(),
+            UpdatedById: loginUser.UserId,
+          },
+          {
+            transaction: dbTransaction,
+          },
+        );
+      }
+    }
+
+    //If Params.DepartmentCode is not null,
+    if (data.DepartmentCode) {
+      //Check if DepartmentCode is valid, call GroupModel.findOne method
+      const department = await GroupModel.findOne({
+        where: {
+          Type: 'Department',
+          GroupCode: data.DepartmentCode,
+        },
+        transaction: dbTransaction,
+      });
+
+      //If DepartmentCode is invalid, throw a ClassError
+      if (!department) {
+        throw new ClassError(
+          'LoginUser',
+          'LoginUserErrMsg0X',
+          'Invalid Department Code',
+        );
+      }
+
+      //If DepartmentCode is valid, call UserGroup.findOne method to find the user department record
+      const userDepartment = await User._UserGroupRepo.findOne({
+        where: {
+          UserId: this.UserId,
+        },
+        include: [
+          {
+            model: GroupModel,
+            where: {
+              Type: 'Department',
+            },
+          },
+        ],
+        transaction: dbTransaction,
+      });
+
+      //If user department record found, call UserGroup.update method to update the record if not found, call UserGroup.create method to create new record
+      if (userDepartment) {
+        await User._UserGroupRepo.update(
+          {
+            GroupCode: data.DepartmentCode,
+            UpdatedAt: new Date(),
+            UpdatedById: loginUser.UserId,
+          },
+          {
+            where: {
+              UserId: this.UserId,
+              GroupCode: userDepartment.GroupCode,
+            },
+            transaction: dbTransaction,
+          },
+        );
+      } else {
+        await User._UserGroupRepo.create(
+          {
+            UserId: this.UserId,
+            GroupCode: data.DepartmentCode,
+            CreatedAt: new Date(),
+            CreatedById: loginUser.UserId,
+            UpdatedAt: new Date(),
+            UpdatedById: loginUser.UserId,
+          },
+          {
+            transaction: dbTransaction,
+          },
+        );
+      }
+    }
+
+    //Part 4: Update User Record
+    //Set EntityValueBefore
+    const entityValueBefore = {
+      UserId: this.UserId,
+      UserName: this.UserName,
+      Email: this.Email,
+      Password: this.Password,
+      Status: this.Status,
+      DefaultPasswordChangedYN: this.DefaultPasswordChangedYN,
+      FirstLoginAt: this.FirstLoginAt,
+      LastLoginAt: this.LastLoginAt,
+      MFAEnabled: this.MFAEnabled,
+      MFAConfig: this.MFAConfig,
+      RecoveryEmail: this.RecoveryEmail,
+      FailedLoginAttemptCount: this.FailedLoginAttemptCount,
+      LastFailedLoginAt: this.LastFailedLoginAt,
+      LastPasswordChangedAt: this.LastPasswordChangedAt,
+      NeedToChangePasswordYN: this.NeedToChangePasswordYN,
+      CreatedById: this.CreatedById,
+      CreatedAt: this.CreatedAt,
+      UpdatedById: this.UpdatedById,
+      UpdatedAt: this.UpdatedAt,
+    };
+
+    //Update user record
+    this.UserName = data.UserName;
+    this.Email = data.Email;
+    this.Status = data.Status;
+    this.RecoveryEmail = data.RecoveryEmail;
+    this.UpdatedAt = new Date();
+    this.UpdatedById = loginUser.UserId;
+    //Call LoginUser._Repo update method to update user record
+    await User._Repository.update(
+      {
+        UserName: this.UserName,
+        Email: this.Email,
+        Status: this.Status,
+        RecoveryEmail: this.RecoveryEmail,
+        UpdatedById: this.UpdatedById,
+        UpdatedAt: this.UpdatedAt,
+      },
+      {
+        where: {
+          UserId: this.UserId,
+        },
+        transaction: dbTransaction,
+      },
+    );
+
+    //Part 5: Record Update User Activity
+    //Set EntityValueAfter
+    const entityValueAfter = {
+      UserId: this.UserId,
+      UserName: this.UserName,
+      Email: this.Email,
+      Password: this.Password,
+      Status: this.Status,
+      DefaultPasswordChangedYN: this.DefaultPasswordChangedYN,
+      FirstLoginAt: this.FirstLoginAt,
+      LastLoginAt: this.LastLoginAt,
+      MFAEnabled: this.MFAEnabled,
+      MFAConfig: this.MFAConfig,
+      RecoveryEmail: this.RecoveryEmail,
+      FailedLoginAttemptCount: this.FailedLoginAttemptCount,
+      LastFailedLoginAt: this.LastFailedLoginAt,
+      LastPasswordChangedAt: this.LastPasswordChangedAt,
+      NeedToChangePasswordYN: this.NeedToChangePasswordYN,
+      CreatedById: this.CreatedById,
+      CreatedAt: this.CreatedAt,
+      UpdatedById: this.UpdatedById,
+      UpdatedAt: this.UpdatedAt,
+    };
+
+    //Call Activity.create method to create new activity record
+    const activity = new Activity();
+    activity.ActivityId = activity.createId();
+    activity.Action = ActionEnum.UPDATE;
+    activity.Description = 'Update User';
+    activity.EntityType = 'LoginUser';
+    activity.EntityId = this.UserId.toString();
+    activity.EntityValueBefore = JSON.stringify(entityValueBefore);
+    activity.EntityValueAfter = JSON.stringify(entityValueAfter);
+
+    await activity.create(loginUser.ObjectId, dbTransaction);
+
+    //Return Updated User Instance
+    return this;
+  }
+
+  public static async findById(
+    loginUser: LoginUser,
+    dbTransaction: any,
+    UserId: string,
+  ) {
+    const systemCode = ApplicationConfig.getComponentConfigValue('system-code');
+    const isPrivileged = await loginUser.checkPrivileges(
+      systemCode,
+      'USER_VIEW',
+    );
+
+    //If user does not have privilege to update user, throw a ClassError
+    if (!isPrivileged) {
+      throw new ClassError(
+        'LoginUser',
+        'LoginUserErrMsg0X',
+        'You do not have the privilege to find user',
+      );
+    }
+
+    const user = await User._Repository.findOne({
+      where: {
+        UserId: UserId,
+        Status: 'Active',
+      },
+      transaction: dbTransaction,
+    });
+    const userAttr: IUserAttr = {
+      UserId: user.UserId,
+      UserName: user.UserName,
+      FullName: user?.Staff?.FullName || null,
+      IDNo: user?.Staff?.IdNo || null,
+      ContactNo: user?.Staff?.Mobile || null,
+      Email: user.Email,
+      Password: user.Password,
+      Status: user.Status,
+      DefaultPasswordChangedYN: user.DefaultPasswordChangedYN,
+      FirstLoginAt: user.FirstLoginAt,
+      LastLoginAt: user.LastLoginAt,
+      MFAEnabled: user.MFAEnabled,
+      MFAConfig: user.MFAConfig,
+      RecoveryEmail: user.RecoveryEmail,
+      FailedLoginAttemptCount: user.FailedLoginAttemptCount,
+      LastFailedLoginAt: user.LastFailedLoginAt,
+      LastPasswordChangedAt: user.LastPasswordChangedAt,
+      NeedToChangePasswordYN: user.NeedToChangePasswordYN,
+      CreatedById: user.CreatedById,
+      CreatedAt: user.CreatedAt,
+      UpdatedById: user.UpdatedById,
+      UpdatedAt: user.UpdatedAt,
+      staffs: user?.Staff || null,
+    };
+    return new User(null, dbTransaction, userAttr);
+  }
+}