ecrs-auth-core 1.0.63 → 1.0.65

package/dist/auth.controller.d.ts

@@ -1,9 +1,10 @@
+import { Request } from 'express';
 import { AuthService } from './auth.service';
 import { LoginDto } from './dtos/login.dto';
 export declare class AuthController {
     private readonly authService;
     constructor(authService: AuthService);
-    login(body: LoginDto): Promise<{
+    login(request: Request, body: LoginDto): Promise<{
         status: boolean;
         message: string;
         data: {
@@ -21,8 +22,31 @@ export declare class AuthController {
                 employeeId: number;
                 parentId: number;
                 referenceId: number;
+                branchId: any;
+                dispatchId: any;
+                departmentId: any;
+                designationId: any;
+                profile_photo_url: string;
             };
         };
         access_token: string;
     }>;
+    /**
+     * Extract additional client data from request and user-agent
+     */
+    private extractClientData;
+    /**
+     * Parse user-agent string to extract browser, OS, and device type
+     */
+    private parseUserAgent;
+    /**
+     * Extract client IP from request
+     * Priority:
+     * 1. X-Forwarded-For header (proxy)
+     * 2. X-Real-IP header (nginx)
+     * 3. CF-Connecting-IP (Cloudflare)
+     * 4. request.ip (Express native)
+     * 5. socket.remoteAddress (direct connection)
+     */
+    private getClientIp;
 }

package/dist/auth.controller.js

@@ -22,10 +22,19 @@ let AuthController = class AuthController {
     constructor(authService) {
         this.authService = authService;
     }
-    async login(body) {
-        const user = await this.authService.validateUser(body.email, body.password);
+    async login(request, body) {
+        // Get client IP from socket/request
+        const clientIp = this.getClientIp(request);
+        const userAgent = request.get('user-agent') || 'Unknown';
+        // Extract additional client data
+        const additionalData = this.extractClientData(request, userAgent);
+        console.log(`📍 Login attempt from IP: ${clientIp}, User-Agent: ${userAgent}`);
+        // Validate user with IP restriction check
+        const user = await this.authService.validateUser(body.email, body.password, clientIp);
         if (!user) {
-            throw new common_1.UnauthorizedException('Login failed: email or password not matched');
+            // Save failed login attempt
+            await this.authService.saveLastLogin({ email: body.email }, clientIp, 'failed', 'Invalid credentials or IP not allowed', additionalData).catch(() => { }); // Ignore errors
+            throw new common_1.UnauthorizedException('Login failed: email or password not matched or IP not allowed');
         }
         const requestedModuleId = Number(body.moduleId);
         if (!Number.isFinite(requestedModuleId)) {
@@ -39,7 +48,104 @@ let AuthController = class AuthController {
         if (!Array.isArray(perms.modules) || !perms.modules.includes(requestedModuleId)) {
             throw new common_1.UnauthorizedException('You are not authorized to access this module');
         }
-        return this.authService.login(user, requestedModuleId);
+        const loginResponse = await this.authService.login(user, requestedModuleId);
+        // Save successful login details with additional client data
+        await this.authService.saveLastLogin(user, clientIp, 'success', undefined, {
+            ...additionalData,
+            moduleId: requestedModuleId,
+        }).catch(() => { }); // Ignore errors - don't block login
+        return loginResponse;
+    }
+    /**
+     * Extract additional client data from request and user-agent
+     */
+    extractClientData(request, userAgent) {
+        const { browser, os, deviceType } = this.parseUserAgent(userAgent);
+        const ipAddressName = request.get('x-forwarded-host') || request.get('host') || 'Unknown';
+        const location = request.get('cf-ipcountry') || 'Unknown'; // Cloudflare header
+        return {
+            browser,
+            deviceType,
+            operatingSystem: os,
+            userAgent,
+            location,
+            ipAddressName,
+        };
+    }
+    /**
+     * Parse user-agent string to extract browser, OS, and device type
+     */
+    parseUserAgent(userAgent) {
+        const ua = userAgent.toLowerCase();
+        // Detect browser
+        let browser = 'Unknown';
+        if (ua.includes('chrome'))
+            browser = 'Chrome';
+        else if (ua.includes('firefox'))
+            browser = 'Firefox';
+        else if (ua.includes('safari'))
+            browser = 'Safari';
+        else if (ua.includes('edg/'))
+            browser = 'Edge';
+        else if (ua.includes('opera') || ua.includes('opr/'))
+            browser = 'Opera';
+        else if (ua.includes('trident'))
+            browser = 'Internet Explorer';
+        // Detect OS
+        let os = 'Unknown';
+        if (ua.includes('windows'))
+            os = 'Windows';
+        else if (ua.includes('mac'))
+            os = 'macOS';
+        else if (ua.includes('linux'))
+            os = 'Linux';
+        else if (ua.includes('iphone') || ua.includes('ipad'))
+            os = 'iOS';
+        else if (ua.includes('android'))
+            os = 'Android';
+        // Detect device type
+        let deviceType = 'Desktop';
+        if (ua.includes('mobile') || ua.includes('android') || ua.includes('iphone'))
+            deviceType = 'Mobile';
+        else if (ua.includes('tablet') || ua.includes('ipad'))
+            deviceType = 'Tablet';
+        return { browser, os, deviceType };
+    }
+    /**
+     * Extract client IP from request
+     * Priority:
+     * 1. X-Forwarded-For header (proxy)
+     * 2. X-Real-IP header (nginx)
+     * 3. CF-Connecting-IP (Cloudflare)
+     * 4. request.ip (Express native)
+     * 5. socket.remoteAddress (direct connection)
+     */
+    getClientIp(request) {
+        // Check X-Forwarded-For header (most common with proxies)
+        const xForwardedFor = request.headers['x-forwarded-for'];
+        if (xForwardedFor) {
+            const ips = Array.isArray(xForwardedFor)
+                ? xForwardedFor
+                : xForwardedFor.split(',');
+            return ips[0].trim();
+        }
+        // Check X-Real-IP header (nginx)
+        const xRealIp = request.headers['x-real-ip'];
+        if (xRealIp) {
+            return Array.isArray(xRealIp) ? xRealIp[0] : xRealIp;
+        }
+        // Check CF-Connecting-IP (Cloudflare)
+        const cfIp = request.headers['cf-connecting-ip'];
+        if (cfIp) {
+            return Array.isArray(cfIp) ? cfIp[0] : cfIp;
+        }
+        // Use Express native request.ip (handles proxies if trust proxy is set)
+        if (request.ip) {
+            return request.ip;
+        }
+        // Fallback to socket remote address
+        const socketIp = (request.socket.remoteAddress || '').replace(/^.*:/, '');
+        return socketIp || 'unknown';
     }
 };
 exports.AuthController = AuthController;
@@ -84,10 +190,11 @@ __decorate([
             }
         }
     }),
-    (0, swagger_1.ApiUnauthorizedResponse)({ description: 'Invalid credentials' }),
-    __param(0, (0, common_1.Body)()),
+    (0, swagger_1.ApiUnauthorizedResponse)({ description: 'Invalid credentials or IP not allowed' }),
+    __param(0, (0, common_1.Req)()),
+    __param(1, (0, common_1.Body)()),
     __metadata("design:type", Function),
-    __metadata("design:paramtypes", [login_dto_1.LoginDto]),
+    __metadata("design:paramtypes", [Object, login_dto_1.LoginDto]),
     __metadata("design:returntype", Promise)
 ], AuthController.prototype, "login", null);
 exports.AuthController = AuthController = __decorate([

package/dist/auth.module.js

@@ -20,7 +20,6 @@ const feature_guard_1 = require("./guards/feature.guard");
 const route_guard_1 = require("./guards/route.guard");
 const permission_guard_1 = require("./guards/permission.guard");
 const api_key_guard_1 = require("./guards/api-key.guard");
-const encryption_service_1 = require("./services/encryption.service");
 exports.AUTH_CORE_OPTIONS = 'AUTH_CORE_OPTIONS';
 // @Global()
 // @Module({})
@@ -116,7 +115,6 @@ let AuthCoreModule = AuthCoreModule_1 = class AuthCoreModule {
                     useFactory: (opts) => opts.repositories?.apiKeyRepo || null,
                     inject: [exports.AUTH_CORE_OPTIONS],
                 },
-                encryption_service_1.EncryptionService,
                 auth_service_1.AuthService,
                 jwt_strategy_1.JwtStrategy,
                 jwt_guard_1.JwtAuthGuard,
@@ -135,7 +133,6 @@ let AuthCoreModule = AuthCoreModule_1 = class AuthCoreModule {
                 'API_KEY_REPOSITORY',
                 jwt_1.JwtModule,
                 auth_service_1.AuthService,
-                encryption_service_1.EncryptionService,
                 jwt_strategy_1.JwtStrategy,
                 jwt_guard_1.JwtAuthGuard,
                 module_guard_1.ModuleGuard,

package/dist/auth.service.d.ts

@@ -25,10 +25,39 @@ export declare class AuthService {
     private readonly featureAccessRepo;
     private readonly moduleAccessRepo;
     private readonly screenPermissionRepo;
+    private readonly ipRestrictionsRepo;
+    private readonly userLastLoginRepo;
+    private readonly employeeWorkProfileRepo;
+    private uploadPhotoDir;
     constructor(jwtService: JwtService, options: AuthCoreOptions);
-    validateUser(email: string, password: string): Promise<User | null>;
+    validateUser(email: string, password: string, clientIp?: string): Promise<User | null>;
+    /**
+     * Validate IP restriction for a user
+     *
+     * Logic:
+     * 1. Check if user has any IP restrictions (is_active = 1)
+     * 2. If NO restrictions exist → Allow login (return true)
+     * 3. If restrictions exist → Check if requestIp matches any allowed IP
+     * 4. If match found → Allow login (return true)
+     * 5. If NO match → Deny login (return false)
+     */
+    private validateIpRestriction;
     hasModuleAccess(userId: number, moduleId: number): Promise<boolean>;
     getPermissions(userId: number): Promise<PermissionsTree>;
+    /**
+     * Save user last login details
+     * Updates the tbl_user_last_login table with latest login info
+     */
+    saveLastLogin(user: User, clientIp: string, loginStatus?: 'success' | 'failed' | 'blocked', failureReason?: string, additionalData?: {
+        browser?: string;
+        deviceType?: string;
+        operatingSystem?: string;
+        userAgent?: string;
+        location?: string;
+        moduleId?: number;
+        ipAddressName?: string;
+        metadata?: Record<string, any>;
+    }): Promise<void>;
     login(user: User, selectedModuleId?: number): Promise<{
         status: boolean;
         message: string;
@@ -47,6 +76,11 @@ export declare class AuthService {
                 employeeId: number;
                 parentId: number;
                 referenceId: number;
+                branchId: any;
+                dispatchId: any;
+                departmentId: any;
+                designationId: any;
+                profile_photo_url: string;
             };
         };
         access_token: string;

package/dist/auth.service.js

@@ -54,6 +54,7 @@ let AuthService = class AuthService {
     constructor(jwtService, options) {
         this.jwtService = jwtService;
         this.options = options;
+        this.uploadPhotoDir = './uploads/organization/photos';
         const { repositories } = options;
         this.userRepo = repositories.userRepo;
         this.roleRepo = repositories.roleRepo;
@@ -63,13 +64,76 @@ let AuthService = class AuthService {
         this.featureAccessRepo = repositories.featureAccessRepo;
         this.moduleAccessRepo = repositories.moduleAccessRepo;
         this.screenPermissionRepo = repositories.screenPermissionRepo;
+        // Optional repositories
+        this.ipRestrictionsRepo = repositories.ipRestrictionsRepo || null;
+        this.userLastLoginRepo = repositories.userLastLoginRepo || null;
+        this.employeeWorkProfileRepo = repositories.employeeWorkProfileRepo || null;
     }
-    async validateUser(email, password) {
+    async validateUser(email, password, clientIp) {
         const user = await this.userRepo.findOne({ where: { email } });
         if (!user)
             return null;
         const isValid = await bcrypt.compare(password, user.password);
-        return isValid ? user : null;
+        if (!isValid)
+            return null;
+        // Check IP restrictions if provided and repository is available
+        if (clientIp && this.ipRestrictionsRepo) {
+            const ipAllowed = await this.validateIpRestriction(user.id, clientIp);
+            if (!ipAllowed) {
+                // IP restriction exists but doesn't match - return null to block login
+                return null;
+            }
+        }
+        return user;
+    }
+    /**
+     * Validate IP restriction for a user
+     *
+     * Logic:
+     * 1. Check if user has any IP restrictions (is_active = 1)
+     * 2. If NO restrictions exist → Allow login (return true)
+     * 3. If restrictions exist → Check if requestIp matches any allowed IP
+     * 4. If match found → Allow login (return true)
+     * 5. If NO match → Deny login (return false)
+     */
+    async validateIpRestriction(userId, requestIp) {
+        if (!this.ipRestrictionsRepo) {
+            // No IP restrictions repository configured - allow login
+            return true;
+        }
+        try {
+            // Get all active IP restrictions for this user
+            const restrictions = await this.ipRestrictionsRepo.find({
+                where: {
+                    user_id: userId,
+                },
+            });
+            // If no restrictions exist, allow login
+            if (!restrictions || restrictions.length === 0) {
+                console.log(`✅ User ${userId}: No IP restrictions configured - Allow login`);
+                return true;
+            }
+            // Check if request IP matches any allowed IP
+            const ipMatches = restrictions.some((restriction) => {
+                // Handle both property name variations
+                const allowedIp = restriction.allowed_ip_address || restriction.ip_address;
+                return allowedIp === requestIp;
+            });
+            if (ipMatches) {
+                console.log(`✅ User ${userId}: IP ${requestIp} matches allowed IP - Allow login`);
+                return true;
+            }
+            // IP doesn't match any allowed IP
+            const allowedIps = restrictions.map((r) => r.allowed_ip_address || r.ip_address).join(', ');
+            console.log(`❌ User ${userId}: IP ${requestIp} does not match allowed IPs - Deny login`);
+            console.log(`   Allowed IPs: ${allowedIps}`);
+            return false;
+        }
+        catch (error) {
+            console.error('Error validating IP restriction:', error);
+            // On error, allow login (fail open)
+            return true;
+        }
     }
     async hasModuleAccess(userId, moduleId) {
         if (!Number.isFinite(moduleId))
@@ -82,11 +146,66 @@ let AuthService = class AuthService {
     async getPermissions(userId) {
         return this.loadPermissions(userId);
     }
+    /**
+     * Save user last login details
+     * Updates the tbl_user_last_login table with latest login info
+     */
+    async saveLastLogin(user, clientIp, loginStatus = 'success', failureReason, additionalData) {
+        if (!this.userLastLoginRepo) {
+            // Last login tracking not configured
+            return;
+        }
+        try {
+            const lastLoginData = {
+                user_id: user.id,
+                email: user.email,
+                first_name: user.firstName,
+                last_name: user.lastName,
+                ip_address: clientIp,
+                login_status: loginStatus,
+                failure_reason: failureReason,
+                login_time: new Date(),
+                ...additionalData,
+            };
+            // Upsert: Update if exists, insert if not
+            await this.userLastLoginRepo.upsert(lastLoginData, {
+                conflictPaths: ['user_id'],
+                skipUpdateIfNoValuesChanged: true,
+            });
+            console.log(`📝 Last login details saved for user ${user.id} (${loginStatus})`);
+        }
+        catch (error) {
+            console.error('Error saving last login details:', error);
+            // Don't throw error - this shouldn't block login
+        }
+    }
     async login(user, selectedModuleId) {
         const permissionTree = await this.loadPermissions(user.id);
         const role = await this.roleRepo.findOne({ where: { id: user.roleId } });
         const roleName = role?.roleName || null;
         const effectiveModuleId = Number.isFinite(selectedModuleId) ? selectedModuleId : user.moduleId ?? null;
+        // Fetch workprofile/employee details from EmployeeWorkProfileEntity
+        let branchId = null;
+        let dispatchId = null;
+        let departmentId = null;
+        let designationId = null;
+        if (this.employeeWorkProfileRepo) {
+            try {
+                const workProfile = await this.employeeWorkProfileRepo.findOne({
+                    where: { employee_id: user.referenceId },
+                });
+                if (workProfile) {
+                    branchId = workProfile?.branch_id || null;
+                    dispatchId = workProfile?.dispatch_id || null;
+                    departmentId = workProfile?.department_id || null;
+                    designationId = workProfile?.designation_id || null;
+                }
+            }
+            catch (error) {
+                console.error('Error fetching work profile:', error);
+                // Continue with null values if fetch fails
+            }
+        }
         const payload = {
             id: user.id,
             email: user.email,
@@ -102,6 +221,10 @@ let AuthService = class AuthService {
             permissions: permissionTree,
             parentId: user.parentId,
             referenceId: user.referenceId,
+            branchId,
+            dispatchId,
+            departmentId,
+            designationId,
         };
         return {
             status: true,
@@ -121,6 +244,11 @@ let AuthService = class AuthService {
                     employeeId: user.referenceId,
                     parentId: user.parentId,
                     referenceId: user.referenceId,
+                    branchId,
+                    dispatchId,
+                    departmentId,
+                    designationId,
+                    profile_photo_url: `${this.uploadPhotoDir}`,
                 },
             },
             access_token: this.jwtService.sign(payload),

package/dist/entities/ip-access.entity.d.ts

@@ -0,0 +1,13 @@
+export declare class EmployeeIPAccessEntity {
+    id: number;
+    user_id: number;
+    employee_id: number;
+    ip_address: string;
+    ip_address_name?: string;
+    created_at: Date;
+    created_by: number;
+    updated_at: Date;
+    updated_by: number;
+    deleted_by: number;
+    deleted_at: Date;
+}

package/dist/entities/ip-access.entity.js

@@ -0,0 +1,73 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EmployeeIPAccessEntity = void 0;
+const typeorm_1 = require("typeorm");
+let EmployeeIPAccessEntity = class EmployeeIPAccessEntity {
+};
+exports.EmployeeIPAccessEntity = EmployeeIPAccessEntity;
+__decorate([
+    (0, typeorm_1.PrimaryGeneratedColumn)(),
+    __metadata("design:type", Number)
+], EmployeeIPAccessEntity.prototype, "id", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ name: 'user_id', type: 'int' }),
+    __metadata("design:type", Number)
+], EmployeeIPAccessEntity.prototype, "user_id", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ name: 'employee_id', type: 'int' }),
+    __metadata("design:type", Number)
+], EmployeeIPAccessEntity.prototype, "employee_id", void 0);
+__decorate([
+    (0, typeorm_1.Column)({
+        name: 'ip_address',
+        type: 'inet',
+        nullable: false,
+        comment: 'IPv4 / IPv6 / CIDR notation',
+    }),
+    __metadata("design:type", String)
+], EmployeeIPAccessEntity.prototype, "ip_address", void 0);
+__decorate([
+    (0, typeorm_1.Column)({
+        name: 'ip_address_name',
+        type: 'varchar',
+        length: 255,
+        nullable: true,
+    }),
+    __metadata("design:type", String)
+], EmployeeIPAccessEntity.prototype, "ip_address_name", void 0);
+__decorate([
+    (0, typeorm_1.CreateDateColumn)({ type: 'timestamp' }),
+    __metadata("design:type", Date)
+], EmployeeIPAccessEntity.prototype, "created_at", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ type: 'int', nullable: true }),
+    __metadata("design:type", Number)
+], EmployeeIPAccessEntity.prototype, "created_by", void 0);
+__decorate([
+    (0, typeorm_1.UpdateDateColumn)({ type: 'timestamp', nullable: true }),
+    __metadata("design:type", Date)
+], EmployeeIPAccessEntity.prototype, "updated_at", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ type: 'int', nullable: true }),
+    __metadata("design:type", Number)
+], EmployeeIPAccessEntity.prototype, "updated_by", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ type: 'int', nullable: true }),
+    __metadata("design:type", Number)
+], EmployeeIPAccessEntity.prototype, "deleted_by", void 0);
+__decorate([
+    (0, typeorm_1.DeleteDateColumn)({ type: 'timestamp', nullable: true }),
+    __metadata("design:type", Date)
+], EmployeeIPAccessEntity.prototype, "deleted_at", void 0);
+exports.EmployeeIPAccessEntity = EmployeeIPAccessEntity = __decorate([
+    (0, typeorm_1.Entity)('tbl_hr_user_ip_access')
+], EmployeeIPAccessEntity);

package/dist/entities/user-last-login.entity.d.ts

@@ -0,0 +1,27 @@
+export declare class UserLastLoginEntity {
+    id: number;
+    user_id: number;
+    email: string;
+    first_name: string;
+    last_name: string;
+    ip_address: string;
+    ip_address_name?: string;
+    browser: string;
+    device_type: string;
+    operating_system: string;
+    user_agent: string;
+    location: string;
+    module_id: number;
+    login_status: 'success' | 'failed' | 'blocked';
+    failure_reason: string;
+    session_duration_ms: number;
+    metadata: Record<string, any>;
+    login_time: Date;
+    logout_time: Date;
+    created_at: Date;
+    created_by: number;
+    updated_at: Date;
+    updated_by: number;
+    deleted_by: number;
+    deleted_at: Date;
+}

package/dist/entities/user-last-login.entity.js

@@ -0,0 +1,147 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.UserLastLoginEntity = void 0;
+const typeorm_1 = require("typeorm");
+let UserLastLoginEntity = class UserLastLoginEntity {
+};
+exports.UserLastLoginEntity = UserLastLoginEntity;
+__decorate([
+    (0, typeorm_1.PrimaryGeneratedColumn)(),
+    __metadata("design:type", Number)
+], UserLastLoginEntity.prototype, "id", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ type: 'int', nullable: false }),
+    __metadata("design:type", Number)
+], UserLastLoginEntity.prototype, "user_id", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ length: 250, nullable: true }),
+    __metadata("design:type", String)
+], UserLastLoginEntity.prototype, "email", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ length: 100, nullable: true }),
+    __metadata("design:type", String)
+], UserLastLoginEntity.prototype, "first_name", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ length: 100, nullable: true }),
+    __metadata("design:type", String)
+], UserLastLoginEntity.prototype, "last_name", void 0);
+__decorate([
+    (0, typeorm_1.Column)({
+        name: 'ip_address',
+        type: 'varchar',
+        length: 45,
+        nullable: true,
+        comment: 'IPv4 or IPv6',
+    }),
+    __metadata("design:type", String)
+], UserLastLoginEntity.prototype, "ip_address", void 0);
+__decorate([
+    (0, typeorm_1.Column)({
+        name: 'ip_address_name',
+        type: 'varchar',
+        length: 255,
+        nullable: true,
+        comment: 'Location/Name of IP (e.g., Office, Home)',
+    }),
+    __metadata("design:type", String)
+], UserLastLoginEntity.prototype, "ip_address_name", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ length: 100, nullable: true }),
+    __metadata("design:type", String)
+], UserLastLoginEntity.prototype, "browser", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ length: 100, nullable: true }),
+    __metadata("design:type", String)
+], UserLastLoginEntity.prototype, "device_type", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ length: 100, nullable: true }),
+    __metadata("design:type", String)
+], UserLastLoginEntity.prototype, "operating_system", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ type: 'text', nullable: true }),
+    __metadata("design:type", String)
+], UserLastLoginEntity.prototype, "user_agent", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ length: 255, nullable: true }),
+    __metadata("design:type", String)
+], UserLastLoginEntity.prototype, "location", void 0);
+__decorate([
+    (0, typeorm_1.Column)({
+        name: 'module_id',
+        type: 'int',
+        nullable: true,
+    }),
+    __metadata("design:type", Number)
+], UserLastLoginEntity.prototype, "module_id", void 0);
+__decorate([
+    (0, typeorm_1.Column)({
+        name: 'login_status',
+        type: 'enum',
+        enum: ['success', 'failed', 'blocked'],
+        default: 'success',
+    }),
+    __metadata("design:type", String)
+], UserLastLoginEntity.prototype, "login_status", void 0);
+__decorate([
+    (0, typeorm_1.Column)({
+        type: 'text',
+        nullable: true,
+        comment: 'Reason for failure or blocking (e.g., IP not whitelisted, wrong password)',
+    }),
+    __metadata("design:type", String)
+], UserLastLoginEntity.prototype, "failure_reason", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ type: 'bigint', nullable: true }),
+    __metadata("design:type", Number)
+], UserLastLoginEntity.prototype, "session_duration_ms", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ type: 'json', nullable: true }),
+    __metadata("design:type", Object)
+], UserLastLoginEntity.prototype, "metadata", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ type: 'timestamp', nullable: true }),
+    __metadata("design:type", Date)
+], UserLastLoginEntity.prototype, "login_time", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ type: 'timestamp', nullable: true }),
+    __metadata("design:type", Date)
+], UserLastLoginEntity.prototype, "logout_time", void 0);
+__decorate([
+    (0, typeorm_1.CreateDateColumn)({ type: 'timestamp' }),
+    __metadata("design:type", Date)
+], UserLastLoginEntity.prototype, "created_at", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ type: 'int', nullable: true }),
+    __metadata("design:type", Number)
+], UserLastLoginEntity.prototype, "created_by", void 0);
+__decorate([
+    (0, typeorm_1.UpdateDateColumn)({ type: 'timestamp', nullable: true }),
+    __metadata("design:type", Date)
+], UserLastLoginEntity.prototype, "updated_at", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ type: 'int', nullable: true }),
+    __metadata("design:type", Number)
+], UserLastLoginEntity.prototype, "updated_by", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ type: 'int', nullable: true }),
+    __metadata("design:type", Number)
+], UserLastLoginEntity.prototype, "deleted_by", void 0);
+__decorate([
+    (0, typeorm_1.DeleteDateColumn)({ type: 'timestamp', nullable: true }),
+    __metadata("design:type", Date)
+], UserLastLoginEntity.prototype, "deleted_at", void 0);
+exports.UserLastLoginEntity = UserLastLoginEntity = __decorate([
+    (0, typeorm_1.Entity)('tbl_user_last_login'),
+    (0, typeorm_1.Index)(['user_id']),
+    (0, typeorm_1.Index)(['login_time']),
+    (0, typeorm_1.Unique)(['user_id'])
+], UserLastLoginEntity);

package/dist/entities/work-profile.entity.d.ts

@@ -0,0 +1,48 @@
+export declare enum EmployeeType {
+    PERMANENT = "PERMANENT",
+    CONTRACT = "CONTRACT",
+    INTERN = "INTERN",
+    CONSULTANT = "CONSULTANT"
+}
+export declare enum EmployeeStatus {
+    ACTIVE = "ACTIVE",
+    INACTIVE = "INACTIVE",
+    ON_LEAVE = "ON_LEAVE"
+}
+export declare enum WeekOffType {
+    FIXED = "FIXED",
+    ROTATIONAL = "ROTATIONAL",
+    FLEXIBLE = "FLEXIBLE"
+}
+export declare enum WeekOffBasedOn {
+    WORK_LOCATION = "WORK_LOCATION",
+    SHIFT = "SHIFT"
+}
+export declare class EmployeeWorkProfileEntity {
+    id: number;
+    employee_id: number;
+    department_id: number;
+    designation_id: number;
+    employee_type: EmployeeType;
+    employee_status?: EmployeeStatus;
+    shift_id: number;
+    role_id: number;
+    agency?: string;
+    reporting_manager_id?: number | null;
+    l2_manager_id?: number | null;
+    joining_date: Date;
+    resignation_date?: Date;
+    branch_id: number;
+    dispatch_center_id: number;
+    cost_center_id: number;
+    week_off_type: WeekOffType;
+    week_off_based_on: WeekOffBasedOn;
+    bioMetricCode: string;
+    linkedInProfile: string;
+    created_at: Date;
+    created_by?: number;
+    updated_at?: Date;
+    updated_by?: number;
+    deleted_by?: number;
+    deleted_at?: Date;
+}

package/dist/entities/work-profile.entity.js

@@ -0,0 +1,165 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EmployeeWorkProfileEntity = exports.WeekOffBasedOn = exports.WeekOffType = exports.EmployeeStatus = exports.EmployeeType = void 0;
+const typeorm_1 = require("typeorm");
+var EmployeeType;
+(function (EmployeeType) {
+    EmployeeType["PERMANENT"] = "PERMANENT";
+    EmployeeType["CONTRACT"] = "CONTRACT";
+    EmployeeType["INTERN"] = "INTERN";
+    EmployeeType["CONSULTANT"] = "CONSULTANT";
+})(EmployeeType || (exports.EmployeeType = EmployeeType = {}));
+var EmployeeStatus;
+(function (EmployeeStatus) {
+    EmployeeStatus["ACTIVE"] = "ACTIVE";
+    EmployeeStatus["INACTIVE"] = "INACTIVE";
+    EmployeeStatus["ON_LEAVE"] = "ON_LEAVE";
+})(EmployeeStatus || (exports.EmployeeStatus = EmployeeStatus = {}));
+// export enum WorkngShift {
+//   DAY = 'DAY',
+//   NIGHT = 'NIGHT',
+// }
+var WeekOffType;
+(function (WeekOffType) {
+    WeekOffType["FIXED"] = "FIXED";
+    WeekOffType["ROTATIONAL"] = "ROTATIONAL";
+    WeekOffType["FLEXIBLE"] = "FLEXIBLE";
+})(WeekOffType || (exports.WeekOffType = WeekOffType = {}));
+var WeekOffBasedOn;
+(function (WeekOffBasedOn) {
+    WeekOffBasedOn["WORK_LOCATION"] = "WORK_LOCATION";
+    WeekOffBasedOn["SHIFT"] = "SHIFT";
+})(WeekOffBasedOn || (exports.WeekOffBasedOn = WeekOffBasedOn = {}));
+let EmployeeWorkProfileEntity = class EmployeeWorkProfileEntity {
+};
+exports.EmployeeWorkProfileEntity = EmployeeWorkProfileEntity;
+__decorate([
+    (0, typeorm_1.PrimaryGeneratedColumn)(),
+    __metadata("design:type", Number)
+], EmployeeWorkProfileEntity.prototype, "id", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ name: 'employee_id', type: 'int' }),
+    __metadata("design:type", Number)
+], EmployeeWorkProfileEntity.prototype, "employee_id", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ name: 'department_id', type: 'int' }),
+    __metadata("design:type", Number)
+], EmployeeWorkProfileEntity.prototype, "department_id", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ name: 'designation_id', type: 'int' }),
+    __metadata("design:type", Number)
+], EmployeeWorkProfileEntity.prototype, "designation_id", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ type: 'enum', enum: EmployeeType, nullable: false }),
+    __metadata("design:type", String)
+], EmployeeWorkProfileEntity.prototype, "employee_type", void 0);
+__decorate([
+    (0, typeorm_1.Column)({
+        type: 'enum',
+        enum: EmployeeStatus,
+        default: EmployeeStatus.ACTIVE,
+        nullable: true,
+    }),
+    __metadata("design:type", String)
+], EmployeeWorkProfileEntity.prototype, "employee_status", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ name: 'shift_id', type: 'int', nullable: true }),
+    __metadata("design:type", Number)
+], EmployeeWorkProfileEntity.prototype, "shift_id", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ name: 'role_id', type: 'int' }),
+    __metadata("design:type", Number)
+], EmployeeWorkProfileEntity.prototype, "role_id", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ name: 'agency', type: 'varchar', nullable: true }),
+    __metadata("design:type", String)
+], EmployeeWorkProfileEntity.prototype, "agency", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ name: 'reporting_manager_id', type: 'int', nullable: true }),
+    __metadata("design:type", Object)
+], EmployeeWorkProfileEntity.prototype, "reporting_manager_id", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ name: 'l2_manager_id', type: 'int', nullable: true }),
+    __metadata("design:type", Object)
+], EmployeeWorkProfileEntity.prototype, "l2_manager_id", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ type: 'date', nullable: false }),
+    __metadata("design:type", Date)
+], EmployeeWorkProfileEntity.prototype, "joining_date", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ type: 'date', nullable: true }),
+    __metadata("design:type", Date)
+], EmployeeWorkProfileEntity.prototype, "resignation_date", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ name: 'branch_id', type: 'int', nullable: true }),
+    __metadata("design:type", Number)
+], EmployeeWorkProfileEntity.prototype, "branch_id", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ name: 'dispatch_center_id', type: 'int', nullable: true }),
+    __metadata("design:type", Number)
+], EmployeeWorkProfileEntity.prototype, "dispatch_center_id", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ name: 'cost_center_id', type: 'int' }),
+    __metadata("design:type", Number)
+], EmployeeWorkProfileEntity.prototype, "cost_center_id", void 0);
+__decorate([
+    (0, typeorm_1.Column)({
+        type: 'enum',
+        enum: WeekOffType,
+        nullable: false,
+    }),
+    __metadata("design:type", String)
+], EmployeeWorkProfileEntity.prototype, "week_off_type", void 0);
+__decorate([
+    (0, typeorm_1.Column)({
+        type: 'enum',
+        enum: WeekOffBasedOn,
+        nullable: false,
+    }),
+    __metadata("design:type", String)
+], EmployeeWorkProfileEntity.prototype, "week_off_based_on", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ length: 50, nullable: true }),
+    __metadata("design:type", String)
+], EmployeeWorkProfileEntity.prototype, "bioMetricCode", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ length: 255, nullable: true }),
+    __metadata("design:type", String)
+], EmployeeWorkProfileEntity.prototype, "linkedInProfile", void 0);
+__decorate([
+    (0, typeorm_1.CreateDateColumn)({ type: 'timestamp' }),
+    __metadata("design:type", Date)
+], EmployeeWorkProfileEntity.prototype, "created_at", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ type: 'int', nullable: true }),
+    __metadata("design:type", Number)
+], EmployeeWorkProfileEntity.prototype, "created_by", void 0);
+__decorate([
+    (0, typeorm_1.UpdateDateColumn)({ type: 'timestamp' }),
+    __metadata("design:type", Date)
+], EmployeeWorkProfileEntity.prototype, "updated_at", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ type: 'int', nullable: true }),
+    __metadata("design:type", Number)
+], EmployeeWorkProfileEntity.prototype, "updated_by", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ type: 'int', nullable: true }),
+    __metadata("design:type", Number)
+], EmployeeWorkProfileEntity.prototype, "deleted_by", void 0);
+__decorate([
+    (0, typeorm_1.DeleteDateColumn)({ type: 'timestamp', nullable: true }),
+    __metadata("design:type", Date)
+], EmployeeWorkProfileEntity.prototype, "deleted_at", void 0);
+exports.EmployeeWorkProfileEntity = EmployeeWorkProfileEntity = __decorate([
+    (0, typeorm_1.Entity)('tbl_hr_employee_work_profile'),
+    (0, typeorm_1.Unique)(['employee_id'])
+], EmployeeWorkProfileEntity);

package/dist/guards/api-key.guard.d.ts

@@ -2,13 +2,11 @@ import { CanActivate, ExecutionContext } from '@nestjs/common';
 import { Reflector } from '@nestjs/core';
 import { Repository } from 'typeorm';
 import { ApiKeyEntity } from '../entities/api-key.entity';
-import { EncryptionService } from '../services/encryption.service';
 export declare class ApiKeyGuard implements CanActivate {
     private readonly reflector;
-    private readonly encryptionService;
     private apiKeyRepo;
     private rateLimitMap;
-    constructor(reflector: Reflector, encryptionService: EncryptionService, apiKeyRepository?: Repository<ApiKeyEntity>);
+    constructor(reflector: Reflector, apiKeyRepository?: Repository<ApiKeyEntity>);
     canActivate(context: ExecutionContext): Promise<boolean>;
     private extractApiKey;
     private validateApiKey;

package/dist/guards/api-key.guard.js

@@ -16,11 +16,9 @@ exports.ApiKeyGuard = void 0;
 const common_1 = require("@nestjs/common");
 const core_1 = require("@nestjs/core");
 const typeorm_1 = require("typeorm");
-const encryption_service_1 = require("../services/encryption.service");
 let ApiKeyGuard = class ApiKeyGuard {
-    constructor(reflector, encryptionService, apiKeyRepository) {
+    constructor(reflector, apiKeyRepository) {
         this.reflector = reflector;
-        this.encryptionService = encryptionService;
         this.rateLimitMap = new Map();
         if (apiKeyRepository) {
             this.apiKeyRepo = apiKeyRepository;
@@ -72,19 +70,9 @@ let ApiKeyGuard = class ApiKeyGuard {
         if (!this.apiKeyRepo) {
             return { valid: false, message: 'API key validation not configured' };
         }
-        // Find all active API keys and compare hashes
-        const records = await this.apiKeyRepo.find({
-            where: { isActive: true },
+        const record = await this.apiKeyRepo.findOne({
+            where: { key: apiKey, isActive: true },
         });
-        let record = null;
-        // Compare incoming key with hashed keys in database
-        for (const dbRecord of records) {
-            const isMatch = await this.encryptionService.compareKey(apiKey, dbRecord.key);
-            if (isMatch) {
-                record = dbRecord;
-                break;
-            }
-        }
         if (!record) {
             return { valid: false, message: 'API key not found or inactive' };
         }
@@ -188,8 +176,7 @@ let ApiKeyGuard = class ApiKeyGuard {
 exports.ApiKeyGuard = ApiKeyGuard;
 exports.ApiKeyGuard = ApiKeyGuard = __decorate([
     (0, common_1.Injectable)(),
-    __param(2, (0, common_1.Inject)('API_KEY_REPOSITORY')),
+    __param(1, (0, common_1.Inject)('API_KEY_REPOSITORY')),
     __metadata("design:paramtypes", [core_1.Reflector,
-        encryption_service_1.EncryptionService,
         typeorm_1.Repository])
 ], ApiKeyGuard);

package/dist/index.d.ts

@@ -16,7 +16,6 @@ export * from './guards/permission.guard';
 export * from './guards/api-key.guard';
 export * from './jwt/jwt.guard';
 export * from './jwt/jwt.strategy';
-export * from './services/encryption.service';
 export * from './interfaces/auth-core-options.interface';
 export * from './entities/user.entity';
 export * from './entities/role.entity';
@@ -27,3 +26,4 @@ export * from './entities/user-feature-access.entity';
 export * from './entities/user-module-access.entity';
 export * from './entities/module-screen-permission.entity';
 export * from './entities/api-key.entity';
+export * from './entities/user-last-login.entity';

package/dist/index.js

@@ -37,8 +37,6 @@ __exportStar(require("./guards/api-key.guard"), exports);
 // JWT
 __exportStar(require("./jwt/jwt.guard"), exports);
 __exportStar(require("./jwt/jwt.strategy"), exports);
-// Services
-__exportStar(require("./services/encryption.service"), exports);
 // Interfaces
 __exportStar(require("./interfaces/auth-core-options.interface"), exports);
 // ✅ Entities
@@ -51,3 +49,4 @@ __exportStar(require("./entities/user-feature-access.entity"), exports);
 __exportStar(require("./entities/user-module-access.entity"), exports);
 __exportStar(require("./entities/module-screen-permission.entity"), exports);
 __exportStar(require("./entities/api-key.entity"), exports);
+__exportStar(require("./entities/user-last-login.entity"), exports);

package/dist/interfaces/auth-core-options.interface.d.ts

@@ -8,6 +8,7 @@ import { UserFeatureAccess } from '../entities/user-feature-access.entity';
 import { UserModuleAccess } from '../entities/user-module-access.entity';
 import { ModuleScreenPermission } from '../entities/module-screen-permission.entity';
 import { ApiKeyEntity } from '../entities/api-key.entity';
+import { UserLastLoginEntity } from '../entities/user-last-login.entity';
 export interface Repositories {
     userRepo: Repository<User>;
     roleRepo: Repository<Role>;
@@ -18,6 +19,9 @@ export interface Repositories {
     routeRepo: Repository<ModuleRoute>;
     moduleAccessRepo: Repository<UserModuleAccess>;
     apiKeyRepo?: Repository<ApiKeyEntity>;
+    ipRestrictionsRepo?: Repository<any>;
+    userLastLoginRepo?: Repository<UserLastLoginEntity>;
+    employeeWorkProfileRepo?: Repository<any>;
 }
 export interface AuthModuleConfig {
     enable2FA?: boolean;

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ecrs-auth-core",
-  "version": "1.0.63",
+  "version": "1.0.65",
   "description": "Centralized authentication and authorization module for ECRS apps",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",

package/dist/services/encryption.service.d.ts

@@ -1,16 +0,0 @@
-export declare class EncryptionService {
-    private readonly saltRounds;
-    /**
-     * Hash an API key using bcrypt
-     * @param plainKey - The plain text API key
-     * @returns Hashed key
-     */
-    hashKey(plainKey: string): Promise<string>;
-    /**
-     * Compare plain key with hashed key
-     * @param plainKey - The plain text API key
-     * @param hashedKey - The hashed key from database
-     * @returns True if keys match, false otherwise
-     */
-    compareKey(plainKey: string, hashedKey: string): Promise<boolean>;
-}

package/dist/services/encryption.service.js

@@ -1,70 +0,0 @@
-"use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
-    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
-    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
-    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
-    return c > 3 && r && Object.defineProperty(target, key, r), r;
-};
-var __importStar = (this && this.__importStar) || (function () {
-    var ownKeys = function(o) {
-        ownKeys = Object.getOwnPropertyNames || function (o) {
-            var ar = [];
-            for (var k in o) if (Object.prototype.hasOwnProperty.call(o, k)) ar[ar.length] = k;
-            return ar;
-        };
-        return ownKeys(o);
-    };
-    return function (mod) {
-        if (mod && mod.__esModule) return mod;
-        var result = {};
-        if (mod != null) for (var k = ownKeys(mod), i = 0; i < k.length; i++) if (k[i] !== "default") __createBinding(result, mod, k[i]);
-        __setModuleDefault(result, mod);
-        return result;
-    };
-})();
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.EncryptionService = void 0;
-const common_1 = require("@nestjs/common");
-const bcrypt = __importStar(require("bcrypt"));
-let EncryptionService = class EncryptionService {
-    constructor() {
-        this.saltRounds = 10;
-    }
-    /**
-     * Hash an API key using bcrypt
-     * @param plainKey - The plain text API key
-     * @returns Hashed key
-     */
-    async hashKey(plainKey) {
-        return bcrypt.hash(plainKey, this.saltRounds);
-    }
-    /**
-     * Compare plain key with hashed key
-     * @param plainKey - The plain text API key
-     * @param hashedKey - The hashed key from database
-     * @returns True if keys match, false otherwise
-     */
-    async compareKey(plainKey, hashedKey) {
-        return bcrypt.compare(plainKey, hashedKey);
-    }
-};
-exports.EncryptionService = EncryptionService;
-exports.EncryptionService = EncryptionService = __decorate([
-    (0, common_1.Injectable)()
-], EncryptionService);