ecrs-auth-core 1.0.64 → 1.0.66

package/dist/auth.service.js

@@ -54,6 +54,7 @@ let AuthService = class AuthService {
     constructor(jwtService, options) {
         this.jwtService = jwtService;
         this.options = options;
+        this.uploadPhotoDir = './uploads/organization/photos';
         const { repositories } = options;
         this.userRepo = repositories.userRepo;
         this.roleRepo = repositories.roleRepo;
@@ -63,13 +64,99 @@ let AuthService = class AuthService {
         this.featureAccessRepo = repositories.featureAccessRepo;
         this.moduleAccessRepo = repositories.moduleAccessRepo;
         this.screenPermissionRepo = repositories.screenPermissionRepo;
+        // Optional repositories
+        this.ipRestrictionsRepo = repositories.ipRestrictionsRepo || null;
+        this.userLastLoginRepo = repositories.userLastLoginRepo || null;
+        this.employeeWorkProfileRepo = repositories.employeeWorkProfileRepo || null;
     }
-    async validateUser(email, password) {
+    async validateUser(email, password, clientIp) {
         const user = await this.userRepo.findOne({ where: { email } });
         if (!user)
             return null;
         const isValid = await bcrypt.compare(password, user.password);
-        return isValid ? user : null;
+        if (!isValid)
+            return null;
+        // Check IP restrictions if provided and repository is available
+        if (clientIp && this.ipRestrictionsRepo) {
+            const ipAllowed = await this.validateIpRestriction(user.id, clientIp);
+            if (!ipAllowed) {
+                // IP restriction exists but doesn't match - return null to block login
+                return null;
+            }
+        }
+        return user;
+    }
+    /**
+     * Validate IP restriction for a user
+     *
+     * Logic:
+     * 1. Check if user has any IP restrictions (is_active = 1)
+     * 2. If NO restrictions exist → Allow login (return true)
+     * 3. If restrictions exist → Check if requestIp matches any allowed IP
+     * 4. If match found → Allow login (return true)
+     * 5. If NO match → Deny login (return false)
+     */
+    normalizeIp(ip) {
+        // Remove descriptive text if present (e.g., "IPv4 Address. . . . . . : 192.167.0.173")
+        let cleanIp = ip.trim();
+        if (cleanIp.includes(':')) {
+            const parts = cleanIp.split(':');
+            cleanIp = parts[parts.length - 1].trim();
+        }
+        // Convert IPv6-mapped IPv4 addresses (::ffff:x.x.x.x) to plain IPv4 (x.x.x.x)
+        if (cleanIp.startsWith('::ffff:')) {
+            return cleanIp.substring(7);
+        }
+        // Also handle other IPv6 prefixes
+        if (cleanIp.startsWith('::1')) {
+            return '127.0.0.1'; // IPv6 loopback to IPv4 loopback
+        }
+        return cleanIp;
+    }
+    async validateIpRestriction(userId, requestIp) {
+        if (!this.ipRestrictionsRepo) {
+            // No IP restrictions repository configured - allow login
+            return true;
+        }
+        try {
+            // Normalize the incoming IP
+            const normalizedRequestIp = this.normalizeIp(requestIp);
+            // Get all active IP restrictions for this user
+            const restrictions = await this.ipRestrictionsRepo.find({
+                where: {
+                    user_id: userId,
+                },
+            });
+            // If no restrictions exist, allow login
+            if (!restrictions || restrictions.length === 0) {
+                console.log(`✅ User ${userId}: No IP restrictions configured - Allow login`);
+                return true;
+            }
+            // Check if request IP matches any allowed IP
+            const ipMatches = restrictions.some((restriction) => {
+                // Handle both property name variations
+                const allowedIp = restriction.allowed_ip_address || restriction.ip_address;
+                const normalizedAllowedIp = this.normalizeIp(allowedIp);
+                return normalizedAllowedIp === normalizedRequestIp;
+            });
+            if (ipMatches) {
+                console.log(`✅ User ${userId}: IP ${requestIp} (normalized: ${normalizedRequestIp}) matches allowed IP - Allow login`);
+                return true;
+            }
+            // IP doesn't match any allowed IP
+            const allowedIps = restrictions.map((r) => {
+                const ip = r.allowed_ip_address || r.ip_address;
+                return this.normalizeIp(ip);
+            }).join(', ');
+            console.log(`❌ User ${userId}: IP ${requestIp} (normalized: ${normalizedRequestIp}) does not match allowed IPs - Deny login`);
+            console.log(`   Allowed IPs: ${allowedIps}`);
+            return false;
+        }
+        catch (error) {
+            console.error('Error validating IP restriction:', error);
+            // On error, allow login (fail open)
+            return true;
+        }
     }
     async hasModuleAccess(userId, moduleId) {
         if (!Number.isFinite(moduleId))
@@ -82,11 +169,66 @@ let AuthService = class AuthService {
     async getPermissions(userId) {
         return this.loadPermissions(userId);
     }
+    /**
+     * Save user last login details
+     * Updates the tbl_user_last_login table with latest login info
+     */
+    async saveLastLogin(user, clientIp, loginStatus = 'success', failureReason, additionalData) {
+        if (!this.userLastLoginRepo) {
+            // Last login tracking not configured
+            return;
+        }
+        try {
+            const lastLoginData = {
+                user_id: user.id,
+                email: user.email,
+                first_name: user.firstName,
+                last_name: user.lastName,
+                ip_address: clientIp,
+                login_status: loginStatus,
+                failure_reason: failureReason,
+                login_time: new Date(),
+                ...additionalData,
+            };
+            // Upsert: Update if exists, insert if not
+            await this.userLastLoginRepo.upsert(lastLoginData, {
+                conflictPaths: ['user_id'],
+                skipUpdateIfNoValuesChanged: true,
+            });
+            console.log(`📝 Last login details saved for user ${user.id} (${loginStatus})`);
+        }
+        catch (error) {
+            console.error('Error saving last login details:', error);
+            // Don't throw error - this shouldn't block login
+        }
+    }
     async login(user, selectedModuleId) {
         const permissionTree = await this.loadPermissions(user.id);
         const role = await this.roleRepo.findOne({ where: { id: user.roleId } });
         const roleName = role?.roleName || null;
         const effectiveModuleId = Number.isFinite(selectedModuleId) ? selectedModuleId : user.moduleId ?? null;
+        // Fetch workprofile/employee details from EmployeeWorkProfileEntity
+        let branchId = null;
+        let dispatchCenterId = null;
+        let departmentId = null;
+        let designationId = null;
+        if (this.employeeWorkProfileRepo) {
+            try {
+                const workProfile = await this.employeeWorkProfileRepo.findOne({
+                    where: { employee_id: user.referenceId },
+                });
+                if (workProfile) {
+                    branchId = workProfile?.branch_id || null;
+                    dispatchCenterId = workProfile?.dispatch_id || null;
+                    departmentId = workProfile?.department_id || null;
+                    designationId = workProfile?.designation_id || null;
+                }
+            }
+            catch (error) {
+                console.error('Error fetching work profile:', error);
+                // Continue with null values if fetch fails
+            }
+        }
         const payload = {
             id: user.id,
             email: user.email,
@@ -102,6 +244,10 @@ let AuthService = class AuthService {
             permissions: permissionTree,
             parentId: user.parentId,
             referenceId: user.referenceId,
+            branchId,
+            dispatchCenterId,
+            departmentId,
+            designationId,
         };
         return {
             status: true,
@@ -121,11 +267,25 @@ let AuthService = class AuthService {
                     employeeId: user.referenceId,
                     parentId: user.parentId,
                     referenceId: user.referenceId,
+                    branchId,
+                    dispatchCenterId,
+                    departmentId,
+                    designationId,
+                    profile_photo_url: `${this.uploadPhotoDir}`,
                 },
             },
             access_token: this.jwtService.sign(payload),
         };
     }
+    /**
+     * Extract clean IPv4 address from request
+     * Handles various formats: IPv6-mapped, plain IPv4, descriptive text
+     */
+    extractUserIpv4(clientIp) {
+        if (!clientIp)
+            return '';
+        return this.normalizeIp(clientIp);
+    }
     async findUserById(id) {
         return this.userRepo.findOne({ where: { id } });
     }

package/dist/entities/ip-access.entity.d.ts

@@ -0,0 +1,13 @@
+export declare class EmployeeIPAccessEntity {
+    id: number;
+    user_id: number;
+    employee_id: number;
+    ip_address: string;
+    ip_address_name?: string;
+    created_at: Date;
+    created_by: number;
+    updated_at: Date;
+    updated_by: number;
+    deleted_by: number;
+    deleted_at: Date;
+}

package/dist/entities/ip-access.entity.js

@@ -0,0 +1,73 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.EmployeeIPAccessEntity = void 0;
+const typeorm_1 = require("typeorm");
+let EmployeeIPAccessEntity = class EmployeeIPAccessEntity {
+};
+exports.EmployeeIPAccessEntity = EmployeeIPAccessEntity;
+__decorate([
+    (0, typeorm_1.PrimaryGeneratedColumn)(),
+    __metadata("design:type", Number)
+], EmployeeIPAccessEntity.prototype, "id", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ name: 'user_id', type: 'int' }),
+    __metadata("design:type", Number)
+], EmployeeIPAccessEntity.prototype, "user_id", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ name: 'employee_id', type: 'int' }),
+    __metadata("design:type", Number)
+], EmployeeIPAccessEntity.prototype, "employee_id", void 0);
+__decorate([
+    (0, typeorm_1.Column)({
+        name: 'ip_address',
+        type: 'inet',
+        nullable: false,
+        comment: 'IPv4 / IPv6 / CIDR notation',
+    }),
+    __metadata("design:type", String)
+], EmployeeIPAccessEntity.prototype, "ip_address", void 0);
+__decorate([
+    (0, typeorm_1.Column)({
+        name: 'ip_address_name',
+        type: 'varchar',
+        length: 255,
+        nullable: true,
+    }),
+    __metadata("design:type", String)
+], EmployeeIPAccessEntity.prototype, "ip_address_name", void 0);
+__decorate([
+    (0, typeorm_1.CreateDateColumn)({ type: 'timestamp' }),
+    __metadata("design:type", Date)
+], EmployeeIPAccessEntity.prototype, "created_at", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ type: 'int', nullable: true }),
+    __metadata("design:type", Number)
+], EmployeeIPAccessEntity.prototype, "created_by", void 0);
+__decorate([
+    (0, typeorm_1.UpdateDateColumn)({ type: 'timestamp', nullable: true }),
+    __metadata("design:type", Date)
+], EmployeeIPAccessEntity.prototype, "updated_at", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ type: 'int', nullable: true }),
+    __metadata("design:type", Number)
+], EmployeeIPAccessEntity.prototype, "updated_by", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ type: 'int', nullable: true }),
+    __metadata("design:type", Number)
+], EmployeeIPAccessEntity.prototype, "deleted_by", void 0);
+__decorate([
+    (0, typeorm_1.DeleteDateColumn)({ type: 'timestamp', nullable: true }),
+    __metadata("design:type", Date)
+], EmployeeIPAccessEntity.prototype, "deleted_at", void 0);
+exports.EmployeeIPAccessEntity = EmployeeIPAccessEntity = __decorate([
+    (0, typeorm_1.Entity)('tbl_hr_user_ip_access')
+], EmployeeIPAccessEntity);

package/dist/entities/user-last-login.entity.d.ts

@@ -0,0 +1,27 @@
+export declare class UserLastLoginEntity {
+    id: number;
+    user_id: number;
+    email: string;
+    first_name: string;
+    last_name: string;
+    ip_address: string;
+    ip_address_name?: string;
+    browser: string;
+    device_type: string;
+    operating_system: string;
+    user_agent: string;
+    location: string;
+    module_id: number;
+    login_status: 'success' | 'failed' | 'blocked';
+    failure_reason: string;
+    session_duration_ms: number;
+    metadata: Record<string, any>;
+    login_time: Date;
+    logout_time: Date;
+    created_at: Date;
+    created_by: number;
+    updated_at: Date;
+    updated_by: number;
+    deleted_by: number;
+    deleted_at: Date;
+}

package/dist/entities/user-last-login.entity.js

@@ -0,0 +1,147 @@
+"use strict";
+var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
+    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+    return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = (this && this.__metadata) || function (k, v) {
+    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.UserLastLoginEntity = void 0;
+const typeorm_1 = require("typeorm");
+let UserLastLoginEntity = class UserLastLoginEntity {
+};
+exports.UserLastLoginEntity = UserLastLoginEntity;
+__decorate([
+    (0, typeorm_1.PrimaryGeneratedColumn)(),
+    __metadata("design:type", Number)
+], UserLastLoginEntity.prototype, "id", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ type: 'int', nullable: false }),
+    __metadata("design:type", Number)
+], UserLastLoginEntity.prototype, "user_id", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ length: 250, nullable: true }),
+    __metadata("design:type", String)
+], UserLastLoginEntity.prototype, "email", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ length: 100, nullable: true }),
+    __metadata("design:type", String)
+], UserLastLoginEntity.prototype, "first_name", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ length: 100, nullable: true }),
+    __metadata("design:type", String)
+], UserLastLoginEntity.prototype, "last_name", void 0);
+__decorate([
+    (0, typeorm_1.Column)({
+        name: 'ip_address',
+        type: 'varchar',
+        length: 45,
+        nullable: true,
+        comment: 'IPv4 or IPv6',
+    }),
+    __metadata("design:type", String)
+], UserLastLoginEntity.prototype, "ip_address", void 0);
+__decorate([
+    (0, typeorm_1.Column)({
+        name: 'ip_address_name',
+        type: 'varchar',
+        length: 255,
+        nullable: true,
+        comment: 'Location/Name of IP (e.g., Office, Home)',
+    }),
+    __metadata("design:type", String)
+], UserLastLoginEntity.prototype, "ip_address_name", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ length: 100, nullable: true }),
+    __metadata("design:type", String)
+], UserLastLoginEntity.prototype, "browser", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ length: 100, nullable: true }),
+    __metadata("design:type", String)
+], UserLastLoginEntity.prototype, "device_type", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ length: 100, nullable: true }),
+    __metadata("design:type", String)
+], UserLastLoginEntity.prototype, "operating_system", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ type: 'text', nullable: true }),
+    __metadata("design:type", String)
+], UserLastLoginEntity.prototype, "user_agent", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ length: 255, nullable: true }),
+    __metadata("design:type", String)
+], UserLastLoginEntity.prototype, "location", void 0);
+__decorate([
+    (0, typeorm_1.Column)({
+        name: 'module_id',
+        type: 'int',
+        nullable: true,
+    }),
+    __metadata("design:type", Number)
+], UserLastLoginEntity.prototype, "module_id", void 0);
+__decorate([
+    (0, typeorm_1.Column)({
+        name: 'login_status',
+        type: 'enum',
+        enum: ['success', 'failed', 'blocked'],
+        default: 'success',
+    }),
+    __metadata("design:type", String)
+], UserLastLoginEntity.prototype, "login_status", void 0);
+__decorate([
+    (0, typeorm_1.Column)({
+        type: 'text',
+        nullable: true,
+        comment: 'Reason for failure or blocking (e.g., IP not whitelisted, wrong password)',
+    }),
+    __metadata("design:type", String)
+], UserLastLoginEntity.prototype, "failure_reason", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ type: 'bigint', nullable: true }),
+    __metadata("design:type", Number)
+], UserLastLoginEntity.prototype, "session_duration_ms", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ type: 'json', nullable: true }),
+    __metadata("design:type", Object)
+], UserLastLoginEntity.prototype, "metadata", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ type: 'timestamp', nullable: true }),
+    __metadata("design:type", Date)
+], UserLastLoginEntity.prototype, "login_time", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ type: 'timestamp', nullable: true }),
+    __metadata("design:type", Date)
+], UserLastLoginEntity.prototype, "logout_time", void 0);
+__decorate([
+    (0, typeorm_1.CreateDateColumn)({ type: 'timestamp' }),
+    __metadata("design:type", Date)
+], UserLastLoginEntity.prototype, "created_at", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ type: 'int', nullable: true }),
+    __metadata("design:type", Number)
+], UserLastLoginEntity.prototype, "created_by", void 0);
+__decorate([
+    (0, typeorm_1.UpdateDateColumn)({ type: 'timestamp', nullable: true }),
+    __metadata("design:type", Date)
+], UserLastLoginEntity.prototype, "updated_at", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ type: 'int', nullable: true }),
+    __metadata("design:type", Number)
+], UserLastLoginEntity.prototype, "updated_by", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ type: 'int', nullable: true }),
+    __metadata("design:type", Number)
+], UserLastLoginEntity.prototype, "deleted_by", void 0);
+__decorate([
+    (0, typeorm_1.DeleteDateColumn)({ type: 'timestamp', nullable: true }),
+    __metadata("design:type", Date)
+], UserLastLoginEntity.prototype, "deleted_at", void 0);
+exports.UserLastLoginEntity = UserLastLoginEntity = __decorate([
+    (0, typeorm_1.Entity)('tbl_user_last_login'),
+    (0, typeorm_1.Index)(['user_id']),
+    (0, typeorm_1.Index)(['login_time']),
+    (0, typeorm_1.Unique)(['user_id'])
+], UserLastLoginEntity);

package/dist/entities/work-profile.entity.d.ts

@@ -0,0 +1,48 @@
+export declare enum EmployeeType {
+    PERMANENT = "PERMANENT",
+    CONTRACT = "CONTRACT",
+    INTERN = "INTERN",
+    CONSULTANT = "CONSULTANT"
+}
+export declare enum EmployeeStatus {
+    ACTIVE = "ACTIVE",
+    INACTIVE = "INACTIVE",
+    ON_LEAVE = "ON_LEAVE"
+}
+export declare enum WeekOffType {
+    FIXED = "FIXED",
+    ROTATIONAL = "ROTATIONAL",
+    FLEXIBLE = "FLEXIBLE"
+}
+export declare enum WeekOffBasedOn {
+    WORK_LOCATION = "WORK_LOCATION",
+    SHIFT = "SHIFT"
+}
+export declare class EmployeeWorkProfileEntity {
+    id: number;
+    employee_id: number;
+    department_id: number;
+    designation_id: number;
+    employee_type: EmployeeType;
+    employee_status?: EmployeeStatus;
+    shift_id: number;
+    role_id: number;
+    agency?: string;
+    reporting_manager_id?: number | null;
+    l2_manager_id?: number | null;
+    joining_date: Date;
+    resignation_date?: Date;
+    branch_id: number;
+    dispatch_center_id: number;
+    cost_center_id: number;
+    week_off_type: WeekOffType;
+    week_off_based_on: WeekOffBasedOn;
+    bioMetricCode: string;
+    linkedInProfile: string;
+    created_at: Date;
+    created_by?: number;
+    updated_at?: Date;
+    updated_by?: number;
+    deleted_by?: number;
+    deleted_at?: Date;
+}