ecrs-auth-core 1.0.64 → 1.0.66

package/dist/auth.controller.d.ts

@@ -1,9 +1,10 @@
+import { Request } from 'express';
 import { AuthService } from './auth.service';
 import { LoginDto } from './dtos/login.dto';
 export declare class AuthController {
     private readonly authService;
     constructor(authService: AuthService);
-    login(body: LoginDto): Promise<{
+    login(request: Request, body: LoginDto): Promise<{
         status: boolean;
         message: string;
         data: {
@@ -21,8 +22,31 @@ export declare class AuthController {
                 employeeId: number;
                 parentId: number;
                 referenceId: number;
+                branchId: any;
+                dispatchCenterId: any;
+                departmentId: any;
+                designationId: any;
+                profile_photo_url: string;
             };
         };
         access_token: string;
     }>;
+    /**
+     * Extract additional client data from request and user-agent
+     */
+    private extractClientData;
+    /**
+     * Parse user-agent string to extract browser, OS, and device type
+     */
+    private parseUserAgent;
+    /**
+     * Extract client IP from request
+     * Priority:
+     * 1. X-Forwarded-For header (proxy)
+     * 2. X-Real-IP header (nginx)
+     * 3. CF-Connecting-IP (Cloudflare)
+     * 4. request.ip (Express native)
+     * 5. socket.remoteAddress (direct connection)
+     */
+    private getClientIp;
 }

package/dist/auth.controller.js

@@ -22,10 +22,19 @@ let AuthController = class AuthController {
     constructor(authService) {
         this.authService = authService;
     }
-    async login(body) {
-        const user = await this.authService.validateUser(body.email, body.password);
+    async login(request, body) {
+        // Get client IP from socket/request
+        const clientIp = this.getClientIp(request);
+        const userAgent = request.get('user-agent') || 'Unknown';
+        // Extract additional client data
+        const additionalData = this.extractClientData(request, userAgent);
+        console.log(`📍 Login attempt from IP: ${clientIp}, User-Agent: ${userAgent}`);
+        // Validate user with IP restriction check
+        const user = await this.authService.validateUser(body.email, body.password, clientIp);
         if (!user) {
-            throw new common_1.UnauthorizedException('Login failed: email or password not matched');
+            // Save failed login attempt
+            await this.authService.saveLastLogin({ email: body.email }, clientIp, 'failed', 'Invalid credentials or IP not allowed', additionalData).catch(() => { }); // Ignore errors
+            throw new common_1.UnauthorizedException('Login failed: email or password not matched or IP not allowed');
         }
         const requestedModuleId = Number(body.moduleId);
         if (!Number.isFinite(requestedModuleId)) {
@@ -39,7 +48,104 @@ let AuthController = class AuthController {
         if (!Array.isArray(perms.modules) || !perms.modules.includes(requestedModuleId)) {
             throw new common_1.UnauthorizedException('You are not authorized to access this module');
         }
-        return this.authService.login(user, requestedModuleId);
+        const loginResponse = await this.authService.login(user, requestedModuleId);
+        // Save successful login details with additional client data
+        await this.authService.saveLastLogin(user, clientIp, 'success', undefined, {
+            ...additionalData,
+            moduleId: requestedModuleId,
+        }).catch(() => { }); // Ignore errors - don't block login
+        return loginResponse;
+    }
+    /**
+     * Extract additional client data from request and user-agent
+     */
+    extractClientData(request, userAgent) {
+        const { browser, os, deviceType } = this.parseUserAgent(userAgent);
+        const ipAddressName = request.get('x-forwarded-host') || request.get('host') || 'Unknown';
+        const location = request.get('cf-ipcountry') || 'Unknown'; // Cloudflare header
+        return {
+            browser,
+            deviceType,
+            operatingSystem: os,
+            userAgent,
+            location,
+            ipAddressName,
+        };
+    }
+    /**
+     * Parse user-agent string to extract browser, OS, and device type
+     */
+    parseUserAgent(userAgent) {
+        const ua = userAgent.toLowerCase();
+        // Detect browser
+        let browser = 'Unknown';
+        if (ua.includes('chrome'))
+            browser = 'Chrome';
+        else if (ua.includes('firefox'))
+            browser = 'Firefox';
+        else if (ua.includes('safari'))
+            browser = 'Safari';
+        else if (ua.includes('edg/'))
+            browser = 'Edge';
+        else if (ua.includes('opera') || ua.includes('opr/'))
+            browser = 'Opera';
+        else if (ua.includes('trident'))
+            browser = 'Internet Explorer';
+        // Detect OS
+        let os = 'Unknown';
+        if (ua.includes('windows'))
+            os = 'Windows';
+        else if (ua.includes('mac'))
+            os = 'macOS';
+        else if (ua.includes('linux'))
+            os = 'Linux';
+        else if (ua.includes('iphone') || ua.includes('ipad'))
+            os = 'iOS';
+        else if (ua.includes('android'))
+            os = 'Android';
+        // Detect device type
+        let deviceType = 'Desktop';
+        if (ua.includes('mobile') || ua.includes('android') || ua.includes('iphone'))
+            deviceType = 'Mobile';
+        else if (ua.includes('tablet') || ua.includes('ipad'))
+            deviceType = 'Tablet';
+        return { browser, os, deviceType };
+    }
+    /**
+     * Extract client IP from request
+     * Priority:
+     * 1. X-Forwarded-For header (proxy)
+     * 2. X-Real-IP header (nginx)
+     * 3. CF-Connecting-IP (Cloudflare)
+     * 4. request.ip (Express native)
+     * 5. socket.remoteAddress (direct connection)
+     */
+    getClientIp(request) {
+        // Check X-Forwarded-For header (most common with proxies)
+        const xForwardedFor = request.headers['x-forwarded-for'];
+        if (xForwardedFor) {
+            const ips = Array.isArray(xForwardedFor)
+                ? xForwardedFor
+                : xForwardedFor.split(',');
+            return ips[0].trim();
+        }
+        // Check X-Real-IP header (nginx)
+        const xRealIp = request.headers['x-real-ip'];
+        if (xRealIp) {
+            return Array.isArray(xRealIp) ? xRealIp[0] : xRealIp;
+        }
+        // Check CF-Connecting-IP (Cloudflare)
+        const cfIp = request.headers['cf-connecting-ip'];
+        if (cfIp) {
+            return Array.isArray(cfIp) ? cfIp[0] : cfIp;
+        }
+        // Use Express native request.ip (handles proxies if trust proxy is set)
+        if (request.ip) {
+            return request.ip;
+        }
+        // Fallback to socket remote address
+        const socketIp = (request.socket.remoteAddress || '').replace(/^.*:/, '');
+        return socketIp || 'unknown';
     }
 };
 exports.AuthController = AuthController;
@@ -84,10 +190,11 @@ __decorate([
             }
         }
     }),
-    (0, swagger_1.ApiUnauthorizedResponse)({ description: 'Invalid credentials' }),
-    __param(0, (0, common_1.Body)()),
+    (0, swagger_1.ApiUnauthorizedResponse)({ description: 'Invalid credentials or IP not allowed' }),
+    __param(0, (0, common_1.Req)()),
+    __param(1, (0, common_1.Body)()),
     __metadata("design:type", Function),
-    __metadata("design:paramtypes", [login_dto_1.LoginDto]),
+    __metadata("design:paramtypes", [Object, login_dto_1.LoginDto]),
     __metadata("design:returntype", Promise)
 ], AuthController.prototype, "login", null);
 exports.AuthController = AuthController = __decorate([

package/dist/auth.module.js

@@ -1,152 +1,152 @@
-"use strict";
-var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
-    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
-    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
-    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
-    return c > 3 && r && Object.defineProperty(target, key, r), r;
-};
-var AuthCoreModule_1;
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.AuthCoreModule = exports.AUTH_CORE_OPTIONS = void 0;
-const common_1 = require("@nestjs/common");
-const jwt_1 = require("@nestjs/jwt");
-const auth_service_1 = require("./auth.service");
-const auth_controller_1 = require("./auth.controller");
-const jwt_strategy_1 = require("./jwt/jwt.strategy");
-const jwt_guard_1 = require("./jwt/jwt.guard");
-const module_guard_1 = require("./guards/module.guard");
-const roles_guard_1 = require("./guards/roles.guard");
-const feature_guard_1 = require("./guards/feature.guard");
-const route_guard_1 = require("./guards/route.guard");
-const permission_guard_1 = require("./guards/permission.guard");
-const api_key_guard_1 = require("./guards/api-key.guard");
-exports.AUTH_CORE_OPTIONS = 'AUTH_CORE_OPTIONS';
-// @Global()
-// @Module({})
-// export class AuthCoreModule {
-//   static registerAsync(options: {
-//     inject: any[];
-//     useFactory: (...args: any[]) => Promise<AuthCoreOptions>;
-//   }): DynamicModule {
-//     const asyncProvider = {
-//       provide: AUTH_CORE_OPTIONS,
-//       inject: options.inject,
-//       useFactory: options.useFactory,
-//     };
-//     return {
-//       module: AuthCoreModule,
-//       imports: [
-//         JwtModule.registerAsync({
-//           inject: options.inject,
-//           useFactory: async (...args: any[]) => {
-//             const config = await options.useFactory(...args);
-//             console.log("🔐 JWT Secret from AUTH_CORE_OPTIONS:", config.jwtSecret);
-//             console.log("⏳ JWT Expiry:", config.jwtExpiresIn);
-//             return {
-//               secret: config.jwtSecret,
-//               signOptions: { expiresIn: config.jwtExpiresIn },
-//             };
-//           },
-//         }),
-//       ],
-//       providers: [
-//         asyncProvider,
-//         {
-//           provide: 'MODULE_CONFIG',
-//           useFactory: (options: AuthCoreOptions) => options.moduleConfig || {},
-//           inject: [AUTH_CORE_OPTIONS],
-//         },
-//         AuthService,
-//         JwtStrategy,
-//         JwtAuthGuard,
-//         ModuleGuard,
-//         RolesGuard,
-//         FeatureGuard,
-//         RouteGuard,
-//         PermissionGuard,
-//       ],
-//       controllers: [AuthController],
-//       exports: [
-//         AuthService,
-//         JwtStrategy,
-//         JwtAuthGuard,
-//         ModuleGuard,
-//         RolesGuard,
-//         FeatureGuard,
-//         RouteGuard,
-//         PermissionGuard,
-//         JwtModule,
-//       ],
-//     };
-//   }
-// }
-let AuthCoreModule = AuthCoreModule_1 = class AuthCoreModule {
-    static registerAsync(options) {
-        const asyncProvider = {
-            provide: exports.AUTH_CORE_OPTIONS,
-            inject: options.inject,
-            useFactory: options.useFactory,
-        };
-        return {
-            module: AuthCoreModule_1,
-            imports: [
-                jwt_1.JwtModule.registerAsync({
-                    inject: options.inject,
-                    useFactory: async (...args) => {
-                        const config = await options.useFactory(...args);
-                        console.log('🔐 JWT Secret from AUTH_CORE_OPTIONS:', config.jwtSecret);
-                        console.log('⏳ JWT Expiry:', config.jwtExpiresIn);
-                        return {
-                            secret: config.jwtSecret,
-                            signOptions: { expiresIn: config.jwtExpiresIn },
-                        };
-                    },
-                }),
-            ],
-            providers: [
-                asyncProvider,
-                {
-                    provide: 'MODULE_CONFIG',
-                    useFactory: (opts) => opts.moduleConfig || {},
-                    inject: [exports.AUTH_CORE_OPTIONS],
-                },
-                {
-                    provide: 'API_KEY_REPOSITORY',
-                    useFactory: (opts) => opts.repositories?.apiKeyRepo || null,
-                    inject: [exports.AUTH_CORE_OPTIONS],
-                },
-                auth_service_1.AuthService,
-                jwt_strategy_1.JwtStrategy,
-                jwt_guard_1.JwtAuthGuard,
-                module_guard_1.ModuleGuard,
-                roles_guard_1.RolesGuard,
-                feature_guard_1.FeatureGuard,
-                route_guard_1.RouteGuard,
-                permission_guard_1.PermissionGuard,
-                api_key_guard_1.ApiKeyGuard,
-            ],
-            controllers: [auth_controller_1.AuthController],
-            exports: [
-                // ⬇️ export these so Superadmin can resolve guard deps
-                exports.AUTH_CORE_OPTIONS,
-                'MODULE_CONFIG',
-                'API_KEY_REPOSITORY',
-                jwt_1.JwtModule,
-                auth_service_1.AuthService,
-                jwt_strategy_1.JwtStrategy,
-                jwt_guard_1.JwtAuthGuard,
-                module_guard_1.ModuleGuard,
-                roles_guard_1.RolesGuard,
-                feature_guard_1.FeatureGuard,
-                route_guard_1.RouteGuard,
-                permission_guard_1.PermissionGuard,
-                api_key_guard_1.ApiKeyGuard,
-            ],
-        };
-    }
-};
-exports.AuthCoreModule = AuthCoreModule;
-exports.AuthCoreModule = AuthCoreModule = AuthCoreModule_1 = __decorate([
-    (0, common_1.Global)(),
-    (0, common_1.Module)({})
-], AuthCoreModule);
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var AuthCoreModule_1;
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.AuthCoreModule = exports.AUTH_CORE_OPTIONS = void 0;
+const common_1 = require("@nestjs/common");
+const jwt_1 = require("@nestjs/jwt");
+const auth_service_1 = require("./auth.service");
+const auth_controller_1 = require("./auth.controller");
+const jwt_strategy_1 = require("./jwt/jwt.strategy");
+const jwt_guard_1 = require("./jwt/jwt.guard");
+const module_guard_1 = require("./guards/module.guard");
+const roles_guard_1 = require("./guards/roles.guard");
+const feature_guard_1 = require("./guards/feature.guard");
+const route_guard_1 = require("./guards/route.guard");
+const permission_guard_1 = require("./guards/permission.guard");
+const api_key_guard_1 = require("./guards/api-key.guard");
+exports.AUTH_CORE_OPTIONS = 'AUTH_CORE_OPTIONS';
+// @Global()
+// @Module({})
+// export class AuthCoreModule {
+//   static registerAsync(options: {
+//     inject: any[];
+//     useFactory: (...args: any[]) => Promise<AuthCoreOptions>;
+//   }): DynamicModule {
+//     const asyncProvider = {
+//       provide: AUTH_CORE_OPTIONS,
+//       inject: options.inject,
+//       useFactory: options.useFactory,
+//     };
+//     return {
+//       module: AuthCoreModule,
+//       imports: [
+//         JwtModule.registerAsync({
+//           inject: options.inject,
+//           useFactory: async (...args: any[]) => {
+//             const config = await options.useFactory(...args);
+//             console.log("🔐 JWT Secret from AUTH_CORE_OPTIONS:", config.jwtSecret);
+//             console.log("⏳ JWT Expiry:", config.jwtExpiresIn);
+//             return {
+//               secret: config.jwtSecret,
+//               signOptions: { expiresIn: config.jwtExpiresIn },
+//             };
+//           },
+//         }),
+//       ],
+//       providers: [
+//         asyncProvider,
+//         {
+//           provide: 'MODULE_CONFIG',
+//           useFactory: (options: AuthCoreOptions) => options.moduleConfig || {},
+//           inject: [AUTH_CORE_OPTIONS],
+//         },
+//         AuthService,
+//         JwtStrategy,
+//         JwtAuthGuard,
+//         ModuleGuard,
+//         RolesGuard,
+//         FeatureGuard,
+//         RouteGuard,
+//         PermissionGuard,
+//       ],
+//       controllers: [AuthController],
+//       exports: [
+//         AuthService,
+//         JwtStrategy,
+//         JwtAuthGuard,
+//         ModuleGuard,
+//         RolesGuard,
+//         FeatureGuard,
+//         RouteGuard,
+//         PermissionGuard,
+//         JwtModule,
+//       ],
+//     };
+//   }
+// }
+let AuthCoreModule = AuthCoreModule_1 = class AuthCoreModule {
+    static registerAsync(options) {
+        const asyncProvider = {
+            provide: exports.AUTH_CORE_OPTIONS,
+            inject: options.inject,
+            useFactory: options.useFactory,
+        };
+        return {
+            module: AuthCoreModule_1,
+            imports: [
+                jwt_1.JwtModule.registerAsync({
+                    inject: options.inject,
+                    useFactory: async (...args) => {
+                        const config = await options.useFactory(...args);
+                        console.log('🔐 JWT Secret from AUTH_CORE_OPTIONS:', config.jwtSecret);
+                        console.log('⏳ JWT Expiry:', config.jwtExpiresIn);
+                        return {
+                            secret: config.jwtSecret,
+                            signOptions: { expiresIn: config.jwtExpiresIn },
+                        };
+                    },
+                }),
+            ],
+            providers: [
+                asyncProvider,
+                {
+                    provide: 'MODULE_CONFIG',
+                    useFactory: (opts) => opts.moduleConfig || {},
+                    inject: [exports.AUTH_CORE_OPTIONS],
+                },
+                {
+                    provide: 'API_KEY_REPOSITORY',
+                    useFactory: (opts) => opts.repositories?.apiKeyRepo || null,
+                    inject: [exports.AUTH_CORE_OPTIONS],
+                },
+                auth_service_1.AuthService,
+                jwt_strategy_1.JwtStrategy,
+                jwt_guard_1.JwtAuthGuard,
+                module_guard_1.ModuleGuard,
+                roles_guard_1.RolesGuard,
+                feature_guard_1.FeatureGuard,
+                route_guard_1.RouteGuard,
+                permission_guard_1.PermissionGuard,
+                api_key_guard_1.ApiKeyGuard,
+            ],
+            controllers: [auth_controller_1.AuthController],
+            exports: [
+                // ⬇️ export these so Superadmin can resolve guard deps
+                exports.AUTH_CORE_OPTIONS,
+                'MODULE_CONFIG',
+                'API_KEY_REPOSITORY',
+                jwt_1.JwtModule,
+                auth_service_1.AuthService,
+                jwt_strategy_1.JwtStrategy,
+                jwt_guard_1.JwtAuthGuard,
+                module_guard_1.ModuleGuard,
+                roles_guard_1.RolesGuard,
+                feature_guard_1.FeatureGuard,
+                route_guard_1.RouteGuard,
+                permission_guard_1.PermissionGuard,
+                api_key_guard_1.ApiKeyGuard,
+            ],
+        };
+    }
+};
+exports.AuthCoreModule = AuthCoreModule;
+exports.AuthCoreModule = AuthCoreModule = AuthCoreModule_1 = __decorate([
+    (0, common_1.Global)(),
+    (0, common_1.Module)({})
+], AuthCoreModule);

package/dist/auth.service.d.ts

@@ -25,10 +25,40 @@ export declare class AuthService {
     private readonly featureAccessRepo;
     private readonly moduleAccessRepo;
     private readonly screenPermissionRepo;
+    private readonly ipRestrictionsRepo;
+    private readonly userLastLoginRepo;
+    private readonly employeeWorkProfileRepo;
+    private uploadPhotoDir;
     constructor(jwtService: JwtService, options: AuthCoreOptions);
-    validateUser(email: string, password: string): Promise<User | null>;
+    validateUser(email: string, password: string, clientIp?: string): Promise<User | null>;
+    /**
+     * Validate IP restriction for a user
+     *
+     * Logic:
+     * 1. Check if user has any IP restrictions (is_active = 1)
+     * 2. If NO restrictions exist → Allow login (return true)
+     * 3. If restrictions exist → Check if requestIp matches any allowed IP
+     * 4. If match found → Allow login (return true)
+     * 5. If NO match → Deny login (return false)
+     */
+    private normalizeIp;
+    private validateIpRestriction;
     hasModuleAccess(userId: number, moduleId: number): Promise<boolean>;
     getPermissions(userId: number): Promise<PermissionsTree>;
+    /**
+     * Save user last login details
+     * Updates the tbl_user_last_login table with latest login info
+     */
+    saveLastLogin(user: User, clientIp: string, loginStatus?: 'success' | 'failed' | 'blocked', failureReason?: string, additionalData?: {
+        browser?: string;
+        deviceType?: string;
+        operatingSystem?: string;
+        userAgent?: string;
+        location?: string;
+        moduleId?: number;
+        ipAddressName?: string;
+        metadata?: Record<string, any>;
+    }): Promise<void>;
     login(user: User, selectedModuleId?: number): Promise<{
         status: boolean;
         message: string;
@@ -47,10 +77,20 @@ export declare class AuthService {
                 employeeId: number;
                 parentId: number;
                 referenceId: number;
+                branchId: any;
+                dispatchCenterId: any;
+                departmentId: any;
+                designationId: any;
+                profile_photo_url: string;
             };
         };
         access_token: string;
     }>;
+    /**
+     * Extract clean IPv4 address from request
+     * Handles various formats: IPv6-mapped, plain IPv4, descriptive text
+     */
+    extractUserIpv4(clientIp: string | undefined): string;
     findUserById(id: number): Promise<User | null>;
     private loadPermissions;
 }