ecrs-auth-core 1.0.61 → 1.0.63

package/dist/auth.module.js

@@ -19,6 +19,8 @@ const roles_guard_1 = require("./guards/roles.guard");
 const feature_guard_1 = require("./guards/feature.guard");
 const route_guard_1 = require("./guards/route.guard");
 const permission_guard_1 = require("./guards/permission.guard");
+const api_key_guard_1 = require("./guards/api-key.guard");
+const encryption_service_1 = require("./services/encryption.service");
 exports.AUTH_CORE_OPTIONS = 'AUTH_CORE_OPTIONS';
 // @Global()
 // @Module({})
@@ -109,6 +111,12 @@ let AuthCoreModule = AuthCoreModule_1 = class AuthCoreModule {
                     useFactory: (opts) => opts.moduleConfig || {},
                     inject: [exports.AUTH_CORE_OPTIONS],
                 },
+                {
+                    provide: 'API_KEY_REPOSITORY',
+                    useFactory: (opts) => opts.repositories?.apiKeyRepo || null,
+                    inject: [exports.AUTH_CORE_OPTIONS],
+                },
+                encryption_service_1.EncryptionService,
                 auth_service_1.AuthService,
                 jwt_strategy_1.JwtStrategy,
                 jwt_guard_1.JwtAuthGuard,
@@ -117,14 +125,17 @@ let AuthCoreModule = AuthCoreModule_1 = class AuthCoreModule {
                 feature_guard_1.FeatureGuard,
                 route_guard_1.RouteGuard,
                 permission_guard_1.PermissionGuard,
+                api_key_guard_1.ApiKeyGuard,
             ],
             controllers: [auth_controller_1.AuthController],
             exports: [
                 // ⬇️ export these so Superadmin can resolve guard deps
                 exports.AUTH_CORE_OPTIONS,
                 'MODULE_CONFIG',
+                'API_KEY_REPOSITORY',
                 jwt_1.JwtModule,
                 auth_service_1.AuthService,
+                encryption_service_1.EncryptionService,
                 jwt_strategy_1.JwtStrategy,
                 jwt_guard_1.JwtAuthGuard,
                 module_guard_1.ModuleGuard,
@@ -132,6 +143,7 @@ let AuthCoreModule = AuthCoreModule_1 = class AuthCoreModule {
                 feature_guard_1.FeatureGuard,
                 route_guard_1.RouteGuard,
                 permission_guard_1.PermissionGuard,
+                api_key_guard_1.ApiKeyGuard,
             ],
         };
     }

package/dist/auth.service.js

@@ -74,7 +74,6 @@ let AuthService = class AuthService {
     async hasModuleAccess(userId, moduleId) {
         if (!Number.isFinite(moduleId))
             return false;
-        // Check both isDeleted and status flags for active access
         const access = await this.moduleAccessRepo.findOne({
             where: { userId, moduleId, isDeleted: 0, status: 1 },
         });

package/dist/decorators/api-key.decorator.d.ts

@@ -0,0 +1,5 @@
+export interface ApiKeyOptions {
+    scope?: string;
+    endpoints?: string[];
+}
+export declare const ApiKey: (options?: ApiKeyOptions) => import("@nestjs/common").CustomDecorator<string>;

package/dist/decorators/api-key.decorator.js

@@ -0,0 +1,8 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ApiKey = void 0;
+const common_1 = require("@nestjs/common");
+const ApiKey = (options) => {
+    return (0, common_1.SetMetadata)('api_key_options', options || {});
+};
+exports.ApiKey = ApiKey;

package/dist/entities/api-key.entity.d.ts

@@ -0,0 +1,16 @@
+export declare class ApiKeyEntity {
+    id: number;
+    key: string;
+    clientName: string;
+    clientDescription: string | null;
+    scope: string;
+    allowedIps: string | null;
+    allowedEndpoints: string | null;
+    isActive: boolean;
+    rateLimit: number | null;
+    lastUsedAt: number | null;
+    createdAt: Date;
+    updatedAt: Date;
+    createdBy: string | null;
+    metadata: string | null;
+}

package/dist/entities/api-key.entity.js

@@ -0,0 +1,75 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ApiKeyEntity = void 0;
+const typeorm_1 = require("typeorm");
+let ApiKeyEntity = class ApiKeyEntity {
+};
+exports.ApiKeyEntity = ApiKeyEntity;
+__decorate([
+    (0, typeorm_1.PrimaryGeneratedColumn)(),
+    __metadata("design:type", Number)
+], ApiKeyEntity.prototype, "id", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ type: 'varchar', length: 255, unique: true }),
+    __metadata("design:type", String)
+], ApiKeyEntity.prototype, "key", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ type: 'varchar', length: 255 }),
+    __metadata("design:type", String)
+], ApiKeyEntity.prototype, "clientName", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ type: 'varchar', length: 255, nullable: true }),
+    __metadata("design:type", Object)
+], ApiKeyEntity.prototype, "clientDescription", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ type: 'varchar', length: 50, default: 'common' }),
+    __metadata("design:type", String)
+], ApiKeyEntity.prototype, "scope", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ type: 'text', nullable: true }),
+    __metadata("design:type", Object)
+], ApiKeyEntity.prototype, "allowedIps", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ type: 'text', nullable: true }),
+    __metadata("design:type", Object)
+], ApiKeyEntity.prototype, "allowedEndpoints", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ type: 'boolean', default: true }),
+    __metadata("design:type", Boolean)
+], ApiKeyEntity.prototype, "isActive", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ type: 'bigint', nullable: true }),
+    __metadata("design:type", Object)
+], ApiKeyEntity.prototype, "rateLimit", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ type: 'bigint', nullable: true }),
+    __metadata("design:type", Object)
+], ApiKeyEntity.prototype, "lastUsedAt", void 0);
+__decorate([
+    (0, typeorm_1.CreateDateColumn)(),
+    __metadata("design:type", Date)
+], ApiKeyEntity.prototype, "createdAt", void 0);
+__decorate([
+    (0, typeorm_1.UpdateDateColumn)(),
+    __metadata("design:type", Date)
+], ApiKeyEntity.prototype, "updatedAt", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ type: 'varchar', length: 255, nullable: true }),
+    __metadata("design:type", Object)
+], ApiKeyEntity.prototype, "createdBy", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ type: 'text', nullable: true }),
+    __metadata("design:type", Object)
+], ApiKeyEntity.prototype, "metadata", void 0);
+exports.ApiKeyEntity = ApiKeyEntity = __decorate([
+    (0, typeorm_1.Entity)({ name: 'tbl_c_api_keys' })
+], ApiKeyEntity);

package/dist/guards/api-key.guard.d.ts

@@ -0,0 +1,17 @@
+import { CanActivate, ExecutionContext } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+import { Repository } from 'typeorm';
+import { ApiKeyEntity } from '../entities/api-key.entity';
+import { EncryptionService } from '../services/encryption.service';
+export declare class ApiKeyGuard implements CanActivate {
+    private readonly reflector;
+    private readonly encryptionService;
+    private apiKeyRepo;
+    private rateLimitMap;
+    constructor(reflector: Reflector, encryptionService: EncryptionService, apiKeyRepository?: Repository<ApiKeyEntity>);
+    canActivate(context: ExecutionContext): Promise<boolean>;
+    private extractApiKey;
+    private validateApiKey;
+    private getClientIp;
+    private checkRateLimit;
+}

package/dist/guards/api-key.guard.js

@@ -0,0 +1,195 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = (this && this.__param) || function (paramIndex, decorator) {
+    return function (target, key) { decorator(target, key, paramIndex); }
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.ApiKeyGuard = void 0;
+const common_1 = require("@nestjs/common");
+const core_1 = require("@nestjs/core");
+const typeorm_1 = require("typeorm");
+const encryption_service_1 = require("../services/encryption.service");
+let ApiKeyGuard = class ApiKeyGuard {
+    constructor(reflector, encryptionService, apiKeyRepository) {
+        this.reflector = reflector;
+        this.encryptionService = encryptionService;
+        this.rateLimitMap = new Map();
+        if (apiKeyRepository) {
+            this.apiKeyRepo = apiKeyRepository;
+        }
+    }
+    async canActivate(context) {
+        const options = this.reflector.get('api_key_options', context.getHandler());
+        // If no @ApiKey decorator is present, skip this guard
+        if (!options) {
+            return true;
+        }
+        const request = context.switchToHttp().getRequest();
+        const apiKey = this.extractApiKey(request);
+        if (!apiKey) {
+            throw new common_1.UnauthorizedException('API key is missing');
+        }
+        // Validate API key
+        const validation = await this.validateApiKey(apiKey, request, options);
+        if (!validation.valid) {
+            throw new common_1.UnauthorizedException(validation.message || 'Invalid API key');
+        }
+        // Attach API key info to request for downstream use
+        request.apiKey = validation.apiKey;
+        request.apiKeyClient = {
+            id: validation.apiKey?.id,
+            clientName: validation.apiKey?.clientName,
+            scope: validation.apiKey?.scope,
+        };
+        return true;
+    }
+    extractApiKey(request) {
+        // Check 'X-API-Key' header
+        const headerKey = request.headers['x-api-key'];
+        if (headerKey) {
+            return headerKey;
+        }
+        // Check 'api_key' query parameter
+        if (request.query?.api_key) {
+            return request.query.api_key;
+        }
+        // Check Authorization header (format: 'ApiKey <key>')
+        const authHeader = request.headers.authorization;
+        if (authHeader && authHeader.startsWith('ApiKey ')) {
+            return authHeader.substring(7);
+        }
+        return null;
+    }
+    async validateApiKey(apiKey, request, options) {
+        if (!this.apiKeyRepo) {
+            return { valid: false, message: 'API key validation not configured' };
+        }
+        // Find all active API keys and compare hashes
+        const records = await this.apiKeyRepo.find({
+            where: { isActive: true },
+        });
+        let record = null;
+        // Compare incoming key with hashed keys in database
+        for (const dbRecord of records) {
+            const isMatch = await this.encryptionService.compareKey(apiKey, dbRecord.key);
+            if (isMatch) {
+                record = dbRecord;
+                break;
+            }
+        }
+        if (!record) {
+            return { valid: false, message: 'API key not found or inactive' };
+        }
+        // Check scope
+        const requiredScope = options.scope || 'common';
+        if (record.scope !== 'common' && record.scope !== requiredScope) {
+            return {
+                valid: false,
+                message: `API key scope '${record.scope}' does not match required scope '${requiredScope}'`,
+            };
+        }
+        // Check IP whitelist
+        if (record.allowedIps) {
+            const clientIp = this.getClientIp(request);
+            const allowedIps = record.allowedIps.split(',').map((ip) => ip.trim());
+            if (!allowedIps.includes(clientIp)) {
+                return {
+                    valid: false,
+                    message: `Client IP '${clientIp}' is not whitelisted`,
+                };
+            }
+        }
+        // Check endpoint restriction
+        if (record.allowedEndpoints) {
+            const requestEndpoint = `${request.method} ${request.path}`;
+            const allowedEndpoints = record.allowedEndpoints
+                .split(',')
+                .map((ep) => ep.trim());
+            const isAllowed = allowedEndpoints.some((ep) => {
+                // Support wildcard matching (e.g., 'GET /spot/*')
+                if (ep.includes('*')) {
+                    const pattern = ep.replace(/\*/g, '.*');
+                    return new RegExp(`^${pattern}$`).test(requestEndpoint);
+                }
+                return ep === requestEndpoint;
+            });
+            if (!isAllowed) {
+                return {
+                    valid: false,
+                    message: `Endpoint '${requestEndpoint}' is not allowed for this API key`,
+                };
+            }
+        }
+        // Check rate limit
+        if (record.rateLimit) {
+            const isRateLimited = this.checkRateLimit(apiKey, record.rateLimit);
+            if (isRateLimited) {
+                return {
+                    valid: false,
+                    message: `Rate limit exceeded (${record.rateLimit} requests per minute)`,
+                };
+            }
+        }
+        // Update last used timestamp
+        if (this.apiKeyRepo) {
+            await this.apiKeyRepo.update(record.id, {
+                lastUsedAt: Date.now(),
+            });
+        }
+        return { valid: true, apiKey: record };
+    }
+    getClientIp(request) {
+        // Support common proxy headers
+        const xForwardedFor = request.headers['x-forwarded-for'];
+        if (xForwardedFor) {
+            return xForwardedFor.split(',')[0].trim();
+        }
+        const xRealIp = request.headers['x-real-ip'];
+        if (xRealIp) {
+            return xRealIp;
+        }
+        return request.ip || request.connection.remoteAddress || 'unknown';
+    }
+    checkRateLimit(apiKey, rateLimit) {
+        const now = Date.now();
+        const limitData = this.rateLimitMap.get(apiKey);
+        if (!limitData) {
+            // First request, initialize
+            this.rateLimitMap.set(apiKey, {
+                count: 1,
+                resetTime: now + 60000, // 1 minute
+            });
+            return false;
+        }
+        if (now > limitData.resetTime) {
+            // Reset window expired
+            this.rateLimitMap.set(apiKey, {
+                count: 1,
+                resetTime: now + 60000,
+            });
+            return false;
+        }
+        // Still within window
+        if (limitData.count >= rateLimit) {
+            return true;
+        }
+        limitData.count++;
+        return false;
+    }
+};
+exports.ApiKeyGuard = ApiKeyGuard;
+exports.ApiKeyGuard = ApiKeyGuard = __decorate([
+    (0, common_1.Injectable)(),
+    __param(2, (0, common_1.Inject)('API_KEY_REPOSITORY')),
+    __metadata("design:paramtypes", [core_1.Reflector,
+        encryption_service_1.EncryptionService,
+        typeorm_1.Repository])
+], ApiKeyGuard);

package/dist/index.d.ts

@@ -7,13 +7,16 @@ export * from './decorators/feature.decorator';
 export * from './decorators/has-permission.decorator';
 export * from './decorators/roles.decorator';
 export * from './decorators/route-permission.decorator';
+export * from './decorators/api-key.decorator';
 export * from './guards/module.guard';
 export * from './guards/roles.guard';
 export * from './guards/feature.guard';
 export * from './guards/route.guard';
 export * from './guards/permission.guard';
+export * from './guards/api-key.guard';
 export * from './jwt/jwt.guard';
 export * from './jwt/jwt.strategy';
+export * from './services/encryption.service';
 export * from './interfaces/auth-core-options.interface';
 export * from './entities/user.entity';
 export * from './entities/role.entity';
@@ -23,3 +26,4 @@ export * from './entities/module-route.entity';
 export * from './entities/user-feature-access.entity';
 export * from './entities/user-module-access.entity';
 export * from './entities/module-screen-permission.entity';
+export * from './entities/api-key.entity';

package/dist/index.js

@@ -26,15 +26,19 @@ __exportStar(require("./decorators/feature.decorator"), exports);
 __exportStar(require("./decorators/has-permission.decorator"), exports);
 __exportStar(require("./decorators/roles.decorator"), exports);
 __exportStar(require("./decorators/route-permission.decorator"), exports);
+__exportStar(require("./decorators/api-key.decorator"), exports);
 // Guards
 __exportStar(require("./guards/module.guard"), exports);
 __exportStar(require("./guards/roles.guard"), exports);
 __exportStar(require("./guards/feature.guard"), exports);
 __exportStar(require("./guards/route.guard"), exports);
 __exportStar(require("./guards/permission.guard"), exports);
+__exportStar(require("./guards/api-key.guard"), exports);
 // JWT
 __exportStar(require("./jwt/jwt.guard"), exports);
 __exportStar(require("./jwt/jwt.strategy"), exports);
+// Services
+__exportStar(require("./services/encryption.service"), exports);
 // Interfaces
 __exportStar(require("./interfaces/auth-core-options.interface"), exports);
 // ✅ Entities
@@ -46,3 +50,4 @@ __exportStar(require("./entities/module-route.entity"), exports);
 __exportStar(require("./entities/user-feature-access.entity"), exports);
 __exportStar(require("./entities/user-module-access.entity"), exports);
 __exportStar(require("./entities/module-screen-permission.entity"), exports);
+__exportStar(require("./entities/api-key.entity"), exports);

package/dist/interfaces/auth-core-options.interface.d.ts

@@ -7,6 +7,7 @@ import { ModuleRoute } from '../entities/module-route.entity';
 import { UserFeatureAccess } from '../entities/user-feature-access.entity';
 import { UserModuleAccess } from '../entities/user-module-access.entity';
 import { ModuleScreenPermission } from '../entities/module-screen-permission.entity';
+import { ApiKeyEntity } from '../entities/api-key.entity';
 export interface Repositories {
     userRepo: Repository<User>;
     roleRepo: Repository<Role>;
@@ -16,6 +17,7 @@ export interface Repositories {
     featureRepo: Repository<Feature>;
     routeRepo: Repository<ModuleRoute>;
     moduleAccessRepo: Repository<UserModuleAccess>;
+    apiKeyRepo?: Repository<ApiKeyEntity>;
 }
 export interface AuthModuleConfig {
     enable2FA?: boolean;

package/dist/services/encryption.service.d.ts

@@ -0,0 +1,16 @@
+export declare class EncryptionService {
+    private readonly saltRounds;
+    /**
+     * Hash an API key using bcrypt
+     * @param plainKey - The plain text API key
+     * @returns Hashed key
+     */
+    hashKey(plainKey: string): Promise<string>;
+    /**
+     * Compare plain key with hashed key
+     * @param plainKey - The plain text API key
+     * @param hashedKey - The hashed key from database
+     * @returns True if keys match, false otherwise
+     */
+    compareKey(plainKey: string, hashedKey: string): Promise<boolean>;
+}

package/dist/services/encryption.service.js

@@ -0,0 +1,70 @@
+"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    var desc = Object.getOwnPropertyDescriptor(m, k);
+    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+      desc = { enumerable: true, get: function() { return m[k]; } };
+    }
+    Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+    if (k2 === undefined) k2 = k;
+    o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+    Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+    o["default"] = v;
+});
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __importStar = (this && this.__importStar) || (function () {
+    var ownKeys = function(o) {
+        ownKeys = Object.getOwnPropertyNames || function (o) {
+            var ar = [];
+            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
+            return ar;
+        };
+        return ownKeys(o);
+    };
+    return function (mod) {
+        if (mod && mod.__esModule) return mod;
+        var result = {};
+        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
+        __setModuleDefault(result, mod);
+        return result;
+    };
+})();
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EncryptionService = void 0;
+const common_1 = require("@nestjs/common");
+const bcrypt = __importStar(require("bcrypt"));
+let EncryptionService = class EncryptionService {
+    constructor() {
+        this.saltRounds = 10;
+    }
+    /**
+     * Hash an API key using bcrypt
+     * @param plainKey - The plain text API key
+     * @returns Hashed key
+     */
+    async hashKey(plainKey) {
+        return bcrypt.hash(plainKey, this.saltRounds);
+    }
+    /**
+     * Compare plain key with hashed key
+     * @param plainKey - The plain text API key
+     * @param hashedKey - The hashed key from database
+     * @returns True if keys match, false otherwise
+     */
+    async compareKey(plainKey, hashedKey) {
+        return bcrypt.compare(plainKey, hashedKey);
+    }
+};
+exports.EncryptionService = EncryptionService;
+exports.EncryptionService = EncryptionService = __decorate([
+    (0, common_1.Injectable)()
+], EncryptionService);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ecrs-auth-core",
-  "version": "1.0.61",
+  "version": "1.0.63",
   "description": "Centralized authentication and authorization module for ECRS apps",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",