ecrs-auth-core 1.0.105 → 1.0.108

package/dist/auth-customer.controller.d.ts

@@ -25,6 +25,8 @@ export declare class AuthCustomerController {
                 parentId: number;
                 lastLoginTime: Date | null;
                 is_reset_password: number;
+                is_ecrs_employee: boolean;
+                userId: number;
                 profile_photo_url: string;
             };
         };

package/dist/auth-customer.service.d.ts

@@ -55,10 +55,13 @@ export declare class AuthCustomerService {
                 parentId: number;
                 lastLoginTime: Date | null;
                 is_reset_password: number;
+                is_ecrs_employee: boolean;
+                userId: number;
                 profile_photo_url: string;
             };
         };
         access_token: string;
     }>;
     findUserById(id: number): Promise<UserCustomer | null>;
+    findEcrsEmployeeInCustomer(ecrsEmployeeId: number): Promise<UserCustomer | null>;
 }

package/dist/auth-customer.service.js

@@ -71,8 +71,8 @@ let AuthCustomerService = class AuthCustomerService {
         const normalizedEmail = email.trim().toLowerCase();
         const whereClause = {
             email: (0, typeorm_1.ILike)(normalizedEmail),
-            deletedBy: null,
-            deletedAt: null,
+            deletedBy: (0, typeorm_1.IsNull)(),
+            deletedAt: (0, typeorm_1.IsNull)(),
             status: 1,
         };
         const user = await this.userRepo.findOne({ where: whereClause });
@@ -91,12 +91,12 @@ let AuthCustomerService = class AuthCustomerService {
         if (!Number.isFinite(moduleId))
             return false;
         try {
-            const result = await this.moduleAccessRepo.query(`SELECT 1
-         FROM tbl_c_users_customer_module_access_new
-         WHERE customer_user_id = $1
-         AND module_id = $2
-         AND status = 1
-         AND is_deleted = 0
+            const result = await this.moduleAccessRepo.query(`SELECT 1
+         FROM tbl_c_users_customer_module_access_new
+         WHERE customer_user_id = $1
+         AND module_id = $2
+         AND status = 1
+         AND is_deleted = 0
          LIMIT 1`, [userId, moduleId]);
             return result.length > 0;
         }
@@ -285,6 +285,8 @@ let AuthCustomerService = class AuthCustomerService {
             parentId: user.parentId,
             lastLoginTime,
             is_reset_password,
+            is_ecrs_employee: user.is_ecrs_employee ?? false, // ✅ ADD THIS
+            userId: user.userId, // ✅ ADD THIS
         };
         return {
             status: true,
@@ -305,6 +307,8 @@ let AuthCustomerService = class AuthCustomerService {
                     parentId: user.parentId,
                     lastLoginTime,
                     is_reset_password,
+                    is_ecrs_employee: user.is_ecrs_employee ?? false,
+                    userId: user.userId,
                     profile_photo_url: `${this.uploadPhotoDir}/${user.userImage}`,
                 },
             },
@@ -314,6 +318,18 @@ let AuthCustomerService = class AuthCustomerService {
     async findUserById(id) {
         return this.userRepo.findOne({ where: { id } });
     }
+    // In auth-customer.service.ts — add this new method
+    async findEcrsEmployeeInCustomer(ecrsEmployeeId) {
+        return this.userRepo.findOne({
+            where: {
+                is_ecrs_employee: true,
+                referenceId: ecrsEmployeeId, // referenceId holds the ecrs employee id
+                status: 1,
+                deletedBy: (0, typeorm_1.IsNull)(),
+                deletedAt: (0, typeorm_1.IsNull)(),
+            },
+        });
+    }
 };
 exports.AuthCustomerService = AuthCustomerService;
 exports.AuthCustomerService = AuthCustomerService = __decorate([

package/dist/entities/login-details-customer.entity.d.ts

@@ -1,19 +1,4 @@
-export interface LoginDetailData {
-    login_time: string;
-    logout_time?: string;
-    status: "success" | "failed" | "blocked";
-    ip_address: string;
-    browser?: string;
-    device_type?: string;
-    operating_system?: string;
-    location?: string;
-    module_id?: number;
-    ip_address_name?: string;
-    failure_reason?: string;
-    user_agent?: string;
-    session_duration_ms?: number;
-    metadata?: Record<string, any>;
-}
+import { LoginDetailData } from "./login-details.entity";
 export declare class LoginCustomerDetailsEntity {
     id: number;
     customer_user_id: number;

package/dist/entities/user-customer-module-access.entity.d.ts

@@ -0,0 +1,13 @@
+export declare class UserCustomerModuleAccess {
+    id: number;
+    customer_user_id: number;
+    moduleId: number;
+    accessLevel: string;
+    status: number;
+    permissions: string[];
+    createdAt: Date;
+    updatedAt: Date;
+    createdBy: number;
+    updatedBy?: number;
+    isDeleted: number;
+}

package/dist/entities/user-customer-module-access.entity.js

@@ -0,0 +1,76 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.UserCustomerModuleAccess = void 0;
+// src/entities/user-module-access.entity.ts
+const typeorm_1 = require("typeorm");
+let UserCustomerModuleAccess = class UserCustomerModuleAccess {
+};
+exports.UserCustomerModuleAccess = UserCustomerModuleAccess;
+__decorate([
+    (0, typeorm_1.PrimaryGeneratedColumn)(),
+    __metadata("design:type", Number)
+], UserCustomerModuleAccess.prototype, "id", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ name: "customer_user_id" }),
+    __metadata("design:type", Number)
+], UserCustomerModuleAccess.prototype, "customer_user_id", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ name: "module_id" }),
+    __metadata("design:type", Number)
+], UserCustomerModuleAccess.prototype, "moduleId", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ name: "access_level", default: "view" }),
+    __metadata("design:type", String)
+], UserCustomerModuleAccess.prototype, "accessLevel", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ type: "smallint", default: 1 }),
+    __metadata("design:type", Number)
+], UserCustomerModuleAccess.prototype, "status", void 0);
+__decorate([
+    (0, typeorm_1.Column)({
+        name: "permissions",
+        type: "json",
+        nullable: true,
+    }),
+    __metadata("design:type", Array)
+], UserCustomerModuleAccess.prototype, "permissions", void 0);
+__decorate([
+    (0, typeorm_1.Column)({
+        name: "created_at",
+        type: "timestamp",
+        default: () => "CURRENT_TIMESTAMP",
+    }),
+    __metadata("design:type", Date)
+], UserCustomerModuleAccess.prototype, "createdAt", void 0);
+__decorate([
+    (0, typeorm_1.Column)({
+        name: "updated_at",
+        type: "timestamp",
+        default: () => "CURRENT_TIMESTAMP",
+    }),
+    __metadata("design:type", Date)
+], UserCustomerModuleAccess.prototype, "updatedAt", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ name: "created_by" }),
+    __metadata("design:type", Number)
+], UserCustomerModuleAccess.prototype, "createdBy", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ name: "updated_by", nullable: true }),
+    __metadata("design:type", Number)
+], UserCustomerModuleAccess.prototype, "updatedBy", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ name: "is_deleted", type: "smallint", default: 0 }),
+    __metadata("design:type", Number)
+], UserCustomerModuleAccess.prototype, "isDeleted", void 0);
+exports.UserCustomerModuleAccess = UserCustomerModuleAccess = __decorate([
+    (0, typeorm_1.Entity)({ name: "tbl_c_users_customer_module_access_new" })
+], UserCustomerModuleAccess);

package/dist/entities/user-customer.entity.d.ts

@@ -1,3 +1,8 @@
+export declare enum CustomerEmployeeType {
+    BOTH = "BOTH",
+    SPOT = "SPOT",
+    ETS = "ETS"
+}
 export declare class UserCustomer {
     id: number;
     firstName: string;
@@ -10,6 +15,9 @@ export declare class UserCustomer {
     roleId: number;
     parentId: number;
     referenceId: number;
+    is_ecrs_employee: boolean;
+    is_employee_type: CustomerEmployeeType | null;
+    userId: number;
     notificationToken: string;
     apiToken: string;
     deviceDetails: string;
@@ -20,8 +28,8 @@ export declare class UserCustomer {
     token_version: number;
     createdBy: number;
     updatedBy: number;
-    deletedBy: number;
+    deletedBy: number | null;
     createdAt: Date;
     updatedAt: Date;
-    deletedAt: Date;
+    deletedAt: Date | null;
 }

package/dist/entities/user-customer.entity.js

@@ -9,9 +9,15 @@ var __metadata = (this && this.__metadata) || function (k, v) {
     if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.UserCustomer = void 0;
+exports.UserCustomer = exports.CustomerEmployeeType = void 0;
 // src/entities/user.entity.ts
 const typeorm_1 = require("typeorm");
+var CustomerEmployeeType;
+(function (CustomerEmployeeType) {
+    CustomerEmployeeType["BOTH"] = "BOTH";
+    CustomerEmployeeType["SPOT"] = "SPOT";
+    CustomerEmployeeType["ETS"] = "ETS";
+})(CustomerEmployeeType || (exports.CustomerEmployeeType = CustomerEmployeeType = {}));
 let UserCustomer = class UserCustomer {
 };
 exports.UserCustomer = UserCustomer;
@@ -59,6 +65,23 @@ __decorate([
     (0, typeorm_1.Column)({ type: "int", nullable: true }),
     __metadata("design:type", Number)
 ], UserCustomer.prototype, "referenceId", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ type: "boolean", default: false }),
+    __metadata("design:type", Boolean)
+], UserCustomer.prototype, "is_ecrs_employee", void 0);
+__decorate([
+    (0, typeorm_1.Column)({
+        type: "enum",
+        enum: CustomerEmployeeType,
+        nullable: true,
+        default: CustomerEmployeeType.SPOT,
+    }),
+    __metadata("design:type", Object)
+], UserCustomer.prototype, "is_employee_type", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ type: "int", nullable: true }),
+    __metadata("design:type", Number)
+], UserCustomer.prototype, "userId", void 0);
 __decorate([
     (0, typeorm_1.Column)({ type: "text", nullable: true }),
     __metadata("design:type", String)
@@ -101,7 +124,7 @@ __decorate([
 ], UserCustomer.prototype, "updatedBy", void 0);
 __decorate([
     (0, typeorm_1.Column)({ nullable: true }),
-    __metadata("design:type", Number)
+    __metadata("design:type", Object)
 ], UserCustomer.prototype, "deletedBy", void 0);
 __decorate([
     (0, typeorm_1.Column)({ type: "timestamp", default: () => "CURRENT_TIMESTAMP" }),
@@ -113,7 +136,7 @@ __decorate([
 ], UserCustomer.prototype, "updatedAt", void 0);
 __decorate([
     (0, typeorm_1.Column)({ type: "timestamp", nullable: true }),
-    __metadata("design:type", Date)
+    __metadata("design:type", Object)
 ], UserCustomer.prototype, "deletedAt", void 0);
 exports.UserCustomer = UserCustomer = __decorate([
     (0, typeorm_1.Entity)({ name: "tbl_users_customer" })

package/dist/entities/user-feature-access.entity.js

@@ -20,69 +20,77 @@ __decorate([
     __metadata("design:type", Number)
 ], UserFeatureAccess.prototype, "id", void 0);
 __decorate([
-    (0, typeorm_1.Column)({ name: 'user_id' }),
+    (0, typeorm_1.Column)({ name: "user_id" }),
     __metadata("design:type", Number)
 ], UserFeatureAccess.prototype, "userId", void 0);
 __decorate([
-    (0, typeorm_1.Column)({ name: 'module_id' }),
+    (0, typeorm_1.Column)({ name: "module_id" }),
     __metadata("design:type", Number)
 ], UserFeatureAccess.prototype, "moduleId", void 0);
 __decorate([
-    (0, typeorm_1.Column)({ name: 'feature_id' }),
+    (0, typeorm_1.Column)({ name: "feature_id" }),
     __metadata("design:type", Number)
 ], UserFeatureAccess.prototype, "featureId", void 0);
 __decorate([
-    (0, typeorm_1.Column)({ name: 'access_level', default: 'view' }),
+    (0, typeorm_1.Column)({ name: "access_level", default: "view" }),
     __metadata("design:type", String)
 ], UserFeatureAccess.prototype, "accessLevel", void 0);
 __decorate([
-    (0, typeorm_1.Column)({ name: 'can_view', default: false }),
+    (0, typeorm_1.Column)({ name: "can_view", default: false }),
     __metadata("design:type", Boolean)
 ], UserFeatureAccess.prototype, "canView", void 0);
 __decorate([
-    (0, typeorm_1.Column)({ name: 'can_create', default: false }),
+    (0, typeorm_1.Column)({ name: "can_create", default: false }),
     __metadata("design:type", Boolean)
 ], UserFeatureAccess.prototype, "canCreate", void 0);
 __decorate([
-    (0, typeorm_1.Column)({ name: 'can_modify', default: false }),
+    (0, typeorm_1.Column)({ name: "can_modify", default: false }),
     __metadata("design:type", Boolean)
 ], UserFeatureAccess.prototype, "canModify", void 0);
 __decorate([
-    (0, typeorm_1.Column)({ name: 'can_delete', default: false }),
+    (0, typeorm_1.Column)({ name: "can_delete", default: false }),
     __metadata("design:type", Boolean)
 ], UserFeatureAccess.prototype, "canDelete", void 0);
 __decorate([
-    (0, typeorm_1.Column)({ name: 'can_import', default: false }),
+    (0, typeorm_1.Column)({ name: "can_import", default: false }),
     __metadata("design:type", Boolean)
 ], UserFeatureAccess.prototype, "canImport", void 0);
 __decorate([
-    (0, typeorm_1.Column)({ name: 'can_export', default: false }),
+    (0, typeorm_1.Column)({ name: "can_export", default: false }),
     __metadata("design:type", Boolean)
 ], UserFeatureAccess.prototype, "canExport", void 0);
 __decorate([
-    (0, typeorm_1.Column)({ type: 'smallint', default: 1 }),
+    (0, typeorm_1.Column)({ type: "smallint", default: 1 }),
     __metadata("design:type", Number)
 ], UserFeatureAccess.prototype, "status", void 0);
 __decorate([
-    (0, typeorm_1.Column)({ name: 'created_at', type: 'timestamp', default: () => 'CURRENT_TIMESTAMP' }),
+    (0, typeorm_1.Column)({
+        name: "created_at",
+        type: "timestamp",
+        default: () => "CURRENT_TIMESTAMP",
+    }),
     __metadata("design:type", Date)
 ], UserFeatureAccess.prototype, "createdAt", void 0);
 __decorate([
-    (0, typeorm_1.Column)({ name: 'updated_at', type: 'timestamp', default: () => 'CURRENT_TIMESTAMP' }),
+    (0, typeorm_1.Column)({
+        name: "updated_at",
+        type: "timestamp",
+        default: () => "CURRENT_TIMESTAMP",
+    }),
     __metadata("design:type", Date)
 ], UserFeatureAccess.prototype, "updatedAt", void 0);
 __decorate([
-    (0, typeorm_1.Column)({ name: 'created_by' }),
+    (0, typeorm_1.Column)({ name: "created_by" }),
     __metadata("design:type", Number)
 ], UserFeatureAccess.prototype, "createdBy", void 0);
 __decorate([
-    (0, typeorm_1.Column)({ name: 'updated_by', nullable: true }),
+    (0, typeorm_1.Column)({ name: "updated_by", nullable: true }),
     __metadata("design:type", Number)
 ], UserFeatureAccess.prototype, "updatedBy", void 0);
 __decorate([
-    (0, typeorm_1.Column)({ name: 'is_deleted', type: 'smallint', default: 0 }),
+    (0, typeorm_1.Column)({ name: "is_deleted", type: "smallint", default: 0 }),
     __metadata("design:type", Number)
 ], UserFeatureAccess.prototype, "isDeleted", void 0);
 exports.UserFeatureAccess = UserFeatureAccess = __decorate([
-    (0, typeorm_1.Entity)({ name: 'tbl_c_user_feature_access' })
+    (0, typeorm_1.Entity)({ name: "tbl_c_user_feature_access" })
 ], UserFeatureAccess);

package/dist/index.d.ts

@@ -1,36 +1,41 @@
-export * from './auth.module';
-export * from './auth.service';
-export * from './auth-customer.module';
-export * from './auth-customer.service';
-export * from './jwt/jwt-customer.strategy';
-export * from './jwt/jwt-customer.guard';
-export * from './dtos/login.dto';
-export * from './dtos/login-response.dto';
-export * from './decorators/current-user.decorator';
-export * from './decorators/feature.decorator';
-export * from './decorators/has-permission.decorator';
-export * from './decorators/roles.decorator';
-export * from './decorators/route-permission.decorator';
-export * from './decorators/api-key.decorator';
-export * from './guards/module.guard';
-export * from './guards/roles.guard';
-export * from './guards/feature.guard';
-export * from './guards/route.guard';
-export * from './guards/permission.guard';
-export * from './guards/api-key.guard';
-export * from './jwt/jwt.guard';
-export * from './jwt/jwt.strategy';
-export * from './interfaces/auth-core-options.interface';
-export * from './interfaces/auth-customer-options.interface';
-export * from './entities/user.entity';
-export * from './entities/role.entity';
-export * from './entities/module.entity';
-export * from './entities/feature.entity';
-export * from './entities/module-route.entity';
-export * from './entities/user-module-access.entity';
-export * from './entities/module-screen-permission.entity';
-export * from './entities/api-key.entity';
-export * from './entities/user-last-login.entity';
-export * from './entities/login-details.entity';
-export * from './entities/ip-access.entity';
-export * from './entities/work-profile.entity';
+export * from "./auth.module";
+export * from "./auth.service";
+export * from "./auth-customer.module";
+export * from "./auth-customer.service";
+export * from "./jwt/jwt-customer.strategy";
+export * from "./jwt/jwt-customer.guard";
+export * from "./dtos/login.dto";
+export * from "./dtos/login-response.dto";
+export * from "./decorators/current-user.decorator";
+export * from "./decorators/feature.decorator";
+export * from "./decorators/has-permission.decorator";
+export * from "./decorators/roles.decorator";
+export * from "./decorators/route-permission.decorator";
+export * from "./decorators/api-key.decorator";
+export * from "./guards/module.guard";
+export * from "./guards/roles.guard";
+export * from "./guards/feature.guard";
+export * from "./guards/route.guard";
+export * from "./guards/permission.guard";
+export * from "./guards/api-key.guard";
+export * from "./jwt/jwt.guard";
+export * from "./jwt/jwt.strategy";
+export * from "./interfaces/auth-core-options.interface";
+export * from "./interfaces/auth-customer-options.interface";
+export * from "./entities/user.entity";
+export * from "./entities/role.entity";
+export * from "./entities/module.entity";
+export * from "./entities/feature.entity";
+export * from "./entities/module-route.entity";
+export * from "./entities/user-module-access.entity";
+export * from "./entities/module-screen-permission.entity";
+export * from "./entities/api-key.entity";
+export * from "./entities/user-last-login.entity";
+export * from "./entities/login-details.entity";
+export * from "./entities/ip-access.entity";
+export * from "./entities/work-profile.entity";
+export * from "./entities/user-customer.entity";
+export * from "./entities/role-customer.entity";
+export * from "./entities/user-customer-module-access.entity";
+export * from "./entities/user-customer-last-login.entity";
+export * from "./entities/login-details-customer.entity";

package/dist/index.js

@@ -59,3 +59,9 @@ __exportStar(require("./entities/user-last-login.entity"), exports);
 __exportStar(require("./entities/login-details.entity"), exports);
 __exportStar(require("./entities/ip-access.entity"), exports);
 __exportStar(require("./entities/work-profile.entity"), exports);
+// ✅ Customer entities (needed by etscustomer backend)
+__exportStar(require("./entities/user-customer.entity"), exports);
+__exportStar(require("./entities/role-customer.entity"), exports);
+__exportStar(require("./entities/user-customer-module-access.entity"), exports);
+__exportStar(require("./entities/user-customer-last-login.entity"), exports);
+__exportStar(require("./entities/login-details-customer.entity"), exports);

package/dist/interfaces/auth-customer-options.interface.d.ts

@@ -1,7 +1,7 @@
 import { Repository } from "typeorm";
 import { UserCustomer } from "../entities/user-customer.entity";
 import { CustomerRole } from "../entities/role-customer.entity";
-import { UserCustomerModuleAccess } from "../entities/user-customer-module-access.entity copy";
+import { UserCustomerModuleAccess } from "../entities/user-customer-module-access.entity";
 import { UserCustomerLastLoginEntity } from "../entities/user-customer-last-login.entity";
 import { LoginCustomerDetailsEntity } from "../entities/login-details-customer.entity";
 export interface CustomerRepositories {

package/dist/jwt/jwt-customer.strategy.d.ts

@@ -9,6 +9,8 @@ export declare class JwtCustomerStrategy extends JwtCustomerStrategy_base {
         email: string;
         roleId: number;
         moduleId: any;
+        is_ecrs_employee: boolean;
+        referenceId: number;
     }>;
 }
 export {};

package/dist/jwt/jwt-customer.strategy.js

@@ -24,16 +24,33 @@ let JwtCustomerStrategy = class JwtCustomerStrategy extends (0, passport_1.Passp
         this.authCustomerService = authCustomerService;
     }
     async validate(payload) {
+        // 1. Find user in tbl_users_customer
         const user = await this.authCustomerService.findUserById(payload.id);
         if (!user) {
             throw new common_1.UnauthorizedException("INVALID_USER");
         }
-        // Token version check — rejects tokens issued before a password change / logout-all
+        // 2. Token version check — catches password change / logout-all
         if (user.token_version !== payload.tokenVersion) {
-            console.warn(`⚠️ Token version mismatch for customer ${user.id}. Expected ${user.token_version}, got ${payload.tokenVersion}`);
+            console.warn(`⚠️ Token version mismatch for customer ${user.id}. ` +
+                `Expected ${user.token_version}, got ${payload.tokenVersion}`);
             throw new common_1.UnauthorizedException("TOKEN_EXPIRED");
         }
-        // Module access check
+        // 3. ECRS employee extra check
+        //    - Normal customer login   → payload.is_ecrs_employee = false  → skip
+        //    - Portal token exchange   → payload.is_ecrs_employee = true   → verify
+        if (payload.is_ecrs_employee === true) {
+            // Re-verify the record is still active in tbl_users_customer
+            if (!user.is_ecrs_employee || // flag must still be true in DB
+                user.status !== 1 || // must be active
+                user.deletedAt !== null // must not be soft-deleted
+            ) {
+                console.warn(`⚠️ ECRS employee ${user.id} (referenceId: ${user.referenceId}) ` +
+                    `no longer has customer portal access`);
+                throw new common_1.UnauthorizedException("CUSTOMER_ACCESS_REVOKED");
+            }
+            console.log(`✅ ECRS employee verified — userId: ${user.id}, referenceId: ${user.referenceId}`);
+        }
+        // 4. Module access check (both normal + ECRS employee)
         if (payload.moduleId) {
             const hasAccess = await this.authCustomerService.hasModuleAccess(user.id, payload.moduleId);
             if (!hasAccess) {
@@ -41,12 +58,16 @@ let JwtCustomerStrategy = class JwtCustomerStrategy extends (0, passport_1.Passp
             }
             console.log(`✅ Customer ${user.id} has access to module ${payload.moduleId}`);
         }
-        console.log(`✅ JWT validated for customer user ${user.id}`);
+        console.log(`✅ JWT validated — userId: ${user.id}, ` +
+            `is_ecrs_employee: ${user.is_ecrs_employee ?? false}`);
+        // 5. Return req.user object — available in all controllers via @Req()
         return {
             id: user.id,
             email: user.email,
             roleId: user.roleId,
             moduleId: payload.moduleId ?? user.moduleId,
+            is_ecrs_employee: user.is_ecrs_employee ?? false,
+            referenceId: user.referenceId ?? null,
         };
     }
 };

package/dist/portal-auth.d.ts

@@ -0,0 +1,3 @@
+export declare function generatePortalToken(etsApiBase: string, jwtToken: string): Promise<string>;
+export declare function exchangePortalToken(customerApiBase: string, code: string): Promise<string>;
+export declare function openCustomerPortal(portalUrl: string, code: string): void;

package/dist/portal-auth.js

@@ -0,0 +1,21 @@
+"use strict";
+// src/portal-auth.ts  (new file in your package)
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.generatePortalToken = generatePortalToken;
+exports.exchangePortalToken = exchangePortalToken;
+exports.openCustomerPortal = openCustomerPortal;
+const axios_1 = __importDefault(require("axios"));
+async function generatePortalToken(etsApiBase, jwtToken) {
+    const res = await axios_1.default.post(`${etsApiBase}/auth/generate-portal-token`, {}, { headers: { Authorization: `Bearer ${jwtToken}` } });
+    return res.data.code;
+}
+async function exchangePortalToken(customerApiBase, code) {
+    const res = await axios_1.default.post(`${customerApiBase}/auth/exchange-portal-token`, { code });
+    return res.data.jwt_token;
+}
+function openCustomerPortal(portalUrl, code) {
+    window.open(`${portalUrl}/auth/token?code=${code}`, "_blank", "noopener,noreferrer");
+}

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ecrs-auth-core",
-  "version": "1.0.105",
+  "version": "1.0.108",
   "description": "Centralized authentication and authorization module for ECRS apps",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",
@@ -32,6 +32,7 @@
     "@nestjs/jwt": "^11.0.0",
     "@nestjs/swagger": "^7.1.14",
     "@nestjs/typeorm": "^11.0.0",
+    "axios": "^1.16.1",
     "class-transformer": "^0.5.1",
     "class-validator": "^0.14.3",
     "jsonwebtoken": "^9.0.2",