ecrs-auth-core 1.0.83 → 1.0.85

package/README.md

@@ -1,263 +1,263 @@
-# ECRS Auth Core
-
-A centralized authentication and authorization module for NestJS applications, providing JWT-based authentication, role-based access control, and feature-level permissions.
-
-## Features
-
-- 🔐 JWT-based authentication
-- 👥 Role-based access control (RBAC)
-- 🎯 Feature-level permissions
-- 🛡️ Route-level security guards
-- 📊 Module and screen permissions
-- 🔧 Easy integration with TypeORM
-- 📦 Fully typed with TypeScript
-
-## Installation
-
-```bash
-npm install ecrs-auth-core
-```
-
-## Peer Dependencies
-
-Make sure you have the following peer dependencies installed:
-
-```bash
-npm install @nestjs/common @nestjs/core @nestjs/passport @nestjs/typeorm bcrypt passport passport-jwt typeorm
-```
-
-## Quick Start
-
-### 1. Import the Auth Module
-
-```typescript
-import { Module } from '@nestjs/common';
-import { TypeOrmModule } from '@nestjs/typeorm';
-import { AuthCoreModule } from 'ecrs-auth-core';
-
-@Module({
-  imports: [
-    TypeOrmModule.forRoot({
-      // your database configuration
-    }),
-    AuthCoreModule.forRoot({
-      jwtSecret: 'your-jwt-secret',
-      jwtExpiresIn: '1h',
-    }),
-  ],
-})
-export class AppModule {}
-```
-
-### 2. Include Entities in TypeORM
-
-```typescript
-import {
-  User,
-  Role,
-  Module as AuthModule,
-  Feature,
-  ModuleRoute,
-  UserFeatureAccess,
-  UserModuleAccess,
-  ModuleScreenPermission,
-} from 'ecrs-auth-core';
-
-TypeOrmModule.forRoot({
-  // ... other config
-  entities: [
-    User,
-    Role,
-    AuthModule,
-    Feature,
-    ModuleRoute,
-    UserFeatureAccess,
-    UserModuleAccess,
-    ModuleScreenPermission,
-  ],
-});
-```
-
-### 3. Use Guards and Decorators
-
-```typescript
-import { Controller, Get, Post, UseGuards } from '@nestjs/common';
-import { 
-  JwtAuthGuard, 
-  RolesGuard, 
-  FeatureGuard,
-  Roles, 
-  Feature, 
-  CurrentUser,
-  User 
-} from 'ecrs-auth-core';
-
-@Controller('protected')
-@UseGuards(JwtAuthGuard)
-export class ProtectedController {
-  
-  @Get('admin-only')
-  @UseGuards(RolesGuard)
-  @Roles('admin')
-  adminOnlyEndpoint(@CurrentUser() user: User) {
-    return { message: 'Admin access granted', user: user.username };
-  }
-
-  @Get('feature-protected')
-  @UseGuards(FeatureGuard)
-  @Feature('user-management')
-  featureProtectedEndpoint(@CurrentUser() user: User) {
-    return { message: 'Feature access granted' };
-  }
-}
-```
-
-## Available Decorators
-
-### @CurrentUser()
-Get the current authenticated user in your controller methods.
-
-```typescript
-@Get('profile')
-getProfile(@CurrentUser() user: User) {
-  return user;
-}
-```
-
-### @Roles()
-Restrict access based on user roles.
-
-```typescript
-@Roles('admin', 'manager')
-@UseGuards(RolesGuard)
-adminEndpoint() {
-  // Only admin and manager roles can access
-}
-```
-
-### @Feature()
-Restrict access based on feature permissions.
-
-```typescript
-@Feature('user-management')
-@UseGuards(FeatureGuard)
-userManagementEndpoint() {
-  // Only users with user-management feature access
-}
-```
-
-### @HasPermission()
-Check for specific permissions.
-
-```typescript
-@HasPermission('CREATE_USER')
-@UseGuards(PermissionGuard)
-createUserEndpoint() {
-  // Only users with CREATE_USER permission
-}
-```
-
-### @RoutePermission()
-Route-level permission checking.
-
-```typescript
-@RoutePermission('users', 'create')
-@UseGuards(RouteGuard)
-createUser() {
-  // Route-specific permission checking
-}
-```
-
-## Available Guards
-
-- **JwtAuthGuard**: JWT token validation
-- **RolesGuard**: Role-based access control
-- **FeatureGuard**: Feature-based access control  
-- **PermissionGuard**: Permission-based access control
-- **RouteGuard**: Route-level access control
-- **ModuleGuard**: Module-based access control
-
-## Authentication Service
-
-The `AuthService` provides methods for user authentication and token management:
-
-```typescript
-import { AuthService } from 'ecrs-auth-core';
-
-@Injectable()
-export class MyService {
-  constructor(private authService: AuthService) {}
-
-  async login(username: string, password: string) {
-    return this.authService.validateUser(username, password);
-  }
-
-  async generateToken(user: User) {
-    return this.authService.generateToken(user);
-  }
-}
-```
-
-## Database Entities
-
-The package includes the following TypeORM entities:
-
-- **User**: User account information
-- **Role**: User roles (admin, user, etc.)
-- **Module**: Application modules
-- **Feature**: Feature definitions
-- **ModuleRoute**: Module route mappings
-- **UserFeatureAccess**: User-feature access permissions
-- **UserModuleAccess**: User-module access permissions  
-- **ModuleScreenPermission**: Screen-level permissions
-
-## Configuration Options
-
-```typescript
-interface AuthCoreOptions {
-  jwtSecret: string;
-  jwtExpiresIn?: string;
-  bcryptRounds?: number;
-  // ... other options
-}
-```
-
-## Examples
-
-### Basic Setup with Custom Configuration
-
-```typescript
-AuthCoreModule.forRoot({
-  jwtSecret: process.env.JWT_SECRET,
-  jwtExpiresIn: '24h',
-  bcryptRounds: 12,
-})
-```
-
-### Using Multiple Guards
-
-```typescript
-@UseGuards(JwtAuthGuard, RolesGuard, FeatureGuard)
-@Roles('admin')
-@Feature('advanced-settings')
-@Get('advanced-admin')
-advancedAdminEndpoint() {
-  return { message: 'Multi-level security passed' };
-}
-```
-
-## License
-
-MIT
-
-## Author
-
-Chetan Yadnik
-
-## Contributing
-
-Contributions are welcome! Please feel free to submit a Pull Request.
-
-## Support
-
+# ECRS Auth Core
+
+A centralized authentication and authorization module for NestJS applications, providing JWT-based authentication, role-based access control, and feature-level permissions.
+
+## Features
+
+- 🔐 JWT-based authentication
+- 👥 Role-based access control (RBAC)
+- 🎯 Feature-level permissions
+- 🛡️ Route-level security guards
+- 📊 Module and screen permissions
+- 🔧 Easy integration with TypeORM
+- 📦 Fully typed with TypeScript
+
+## Installation
+
+```bash
+npm install ecrs-auth-core
+```
+
+## Peer Dependencies
+
+Make sure you have the following peer dependencies installed:
+
+```bash
+npm install @nestjs/common @nestjs/core @nestjs/passport @nestjs/typeorm bcrypt passport passport-jwt typeorm
+```
+
+## Quick Start
+
+### 1. Import the Auth Module
+
+```typescript
+import { Module } from '@nestjs/common';
+import { TypeOrmModule } from '@nestjs/typeorm';
+import { AuthCoreModule } from 'ecrs-auth-core';
+
+@Module({
+  imports: [
+    TypeOrmModule.forRoot({
+      // your database configuration
+    }),
+    AuthCoreModule.forRoot({
+      jwtSecret: 'your-jwt-secret',
+      jwtExpiresIn: '1h',
+    }),
+  ],
+})
+export class AppModule {}
+```
+
+### 2. Include Entities in TypeORM
+
+```typescript
+import {
+  User,
+  Role,
+  Module as AuthModule,
+  Feature,
+  ModuleRoute,
+  UserFeatureAccess,
+  UserModuleAccess,
+  ModuleScreenPermission,
+} from 'ecrs-auth-core';
+
+TypeOrmModule.forRoot({
+  // ... other config
+  entities: [
+    User,
+    Role,
+    AuthModule,
+    Feature,
+    ModuleRoute,
+    UserFeatureAccess,
+    UserModuleAccess,
+    ModuleScreenPermission,
+  ],
+});
+```
+
+### 3. Use Guards and Decorators
+
+```typescript
+import { Controller, Get, Post, UseGuards } from '@nestjs/common';
+import { 
+  JwtAuthGuard, 
+  RolesGuard, 
+  FeatureGuard,
+  Roles, 
+  Feature, 
+  CurrentUser,
+  User 
+} from 'ecrs-auth-core';
+
+@Controller('protected')
+@UseGuards(JwtAuthGuard)
+export class ProtectedController {
+  
+  @Get('admin-only')
+  @UseGuards(RolesGuard)
+  @Roles('admin')
+  adminOnlyEndpoint(@CurrentUser() user: User) {
+    return { message: 'Admin access granted', user: user.username };
+  }
+
+  @Get('feature-protected')
+  @UseGuards(FeatureGuard)
+  @Feature('user-management')
+  featureProtectedEndpoint(@CurrentUser() user: User) {
+    return { message: 'Feature access granted' };
+  }
+}
+```
+
+## Available Decorators
+
+### @CurrentUser()
+Get the current authenticated user in your controller methods.
+
+```typescript
+@Get('profile')
+getProfile(@CurrentUser() user: User) {
+  return user;
+}
+```
+
+### @Roles()
+Restrict access based on user roles.
+
+```typescript
+@Roles('admin', 'manager')
+@UseGuards(RolesGuard)
+adminEndpoint() {
+  // Only admin and manager roles can access
+}
+```
+
+### @Feature()
+Restrict access based on feature permissions.
+
+```typescript
+@Feature('user-management')
+@UseGuards(FeatureGuard)
+userManagementEndpoint() {
+  // Only users with user-management feature access
+}
+```
+
+### @HasPermission()
+Check for specific permissions.
+
+```typescript
+@HasPermission('CREATE_USER')
+@UseGuards(PermissionGuard)
+createUserEndpoint() {
+  // Only users with CREATE_USER permission
+}
+```
+
+### @RoutePermission()
+Route-level permission checking.
+
+```typescript
+@RoutePermission('users', 'create')
+@UseGuards(RouteGuard)
+createUser() {
+  // Route-specific permission checking
+}
+```
+
+## Available Guards
+
+- **JwtAuthGuard**: JWT token validation
+- **RolesGuard**: Role-based access control
+- **FeatureGuard**: Feature-based access control  
+- **PermissionGuard**: Permission-based access control
+- **RouteGuard**: Route-level access control
+- **ModuleGuard**: Module-based access control
+
+## Authentication Service
+
+The `AuthService` provides methods for user authentication and token management:
+
+```typescript
+import { AuthService } from 'ecrs-auth-core';
+
+@Injectable()
+export class MyService {
+  constructor(private authService: AuthService) {}
+
+  async login(username: string, password: string) {
+    return this.authService.validateUser(username, password);
+  }
+
+  async generateToken(user: User) {
+    return this.authService.generateToken(user);
+  }
+}
+```
+
+## Database Entities
+
+The package includes the following TypeORM entities:
+
+- **User**: User account information
+- **Role**: User roles (admin, user, etc.)
+- **Module**: Application modules
+- **Feature**: Feature definitions
+- **ModuleRoute**: Module route mappings
+- **UserFeatureAccess**: User-feature access permissions
+- **UserModuleAccess**: User-module access permissions  
+- **ModuleScreenPermission**: Screen-level permissions
+
+## Configuration Options
+
+```typescript
+interface AuthCoreOptions {
+  jwtSecret: string;
+  jwtExpiresIn?: string;
+  bcryptRounds?: number;
+  // ... other options
+}
+```
+
+## Examples
+
+### Basic Setup with Custom Configuration
+
+```typescript
+AuthCoreModule.forRoot({
+  jwtSecret: process.env.JWT_SECRET,
+  jwtExpiresIn: '24h',
+  bcryptRounds: 12,
+})
+```
+
+### Using Multiple Guards
+
+```typescript
+@UseGuards(JwtAuthGuard, RolesGuard, FeatureGuard)
+@Roles('admin')
+@Feature('advanced-settings')
+@Get('advanced-admin')
+advancedAdminEndpoint() {
+  return { message: 'Multi-level security passed' };
+}
+```
+
+## License
+
+MIT
+
+## Author
+
+Chetan Yadnik
+
+## Contributing
+
+Contributions are welcome! Please feel free to submit a Pull Request.
+
+## Support
+
 For questions and support, please open an issue on GitHub.

package/dist/auth.controller.d.ts

@@ -31,6 +31,7 @@ export declare class AuthController {
                 lastLoginTime: any;
                 is_reset_password: number;
                 profile_photo_url: string;
+                permissionTree: string[];
             };
         };
         access_token: string;

package/dist/auth.service.d.ts

@@ -109,6 +109,7 @@ export declare class AuthService {
                 lastLoginTime: any;
                 is_reset_password: number;
                 profile_photo_url: string;
+                permissionTree: string[];
             };
         };
         access_token: string;
@@ -120,5 +121,6 @@ export declare class AuthService {
     extractUserIpv4(clientIp: string | undefined): string;
     findUserById(id: number): Promise<User | null>;
     private loadPermissions;
+    private loadModulePermissions;
 }
 export {};

package/dist/auth.service.js

@@ -72,24 +72,18 @@ let AuthService = class AuthService {
     }
     async validateUser(email, password, clientIp) {
         const user = await this.userRepo.findOne({ where: { email } });
-        if (!user) {
-            throw new common_1.UnauthorizedException('The email address is invalid or not registered.');
-        }
+        if (!user)
+            return null;
         const isValid = await bcrypt.compare(password, user.password);
-        if (!isValid) {
-            throw new common_1.UnauthorizedException('The password is incorrect. Please try again.');
-        }
-        ;
-        if (user.status !== 1) {
-            throw new common_1.UnauthorizedException('Your account is inactive. Please contact support.');
-        }
+        if (!isValid)
+            return null;
         // console.log(this.ipRestrictionsRepo);
         // Check IP restrictions if provided and repository is available
         if (clientIp && this.ipRestrictionsRepo) {
             const ipAllowed = await this.validateIpRestriction(user.id, clientIp);
             if (!ipAllowed) {
-                // IP restriction exists but doesn't match - throw UnauthorizedException to block login
-                throw new common_1.UnauthorizedException('Login denied: Your IP address is not allowed.');
+                // IP restriction exists but doesn't match - return null to block login
+                return null;
             }
         }
         return user;
@@ -420,7 +414,7 @@ let AuthService = class AuthService {
         }
     }
     async login(user, selectedModuleId) {
-        const permissionTree = await this.loadPermissions(user.id);
+        const permissionTree = await this.loadModulePermissions(user.id, selectedModuleId);
         const role = await this.roleRepo.findOne({ where: { id: user.roleId } });
         const roleName = role?.roleName || null;
         const effectiveModuleId = Number.isFinite(selectedModuleId) ? selectedModuleId : user.moduleId ?? null;
@@ -484,7 +478,7 @@ let AuthService = class AuthService {
             mobileNo: user.mobileNo,
             userImage: user.userImage,
             employeeId: user.referenceId,
-            permissions: permissionTree,
+            // permissions: permissionTree,
             parentId: user.parentId,
             referenceId: user.referenceId,
             branchId,
@@ -494,10 +488,6 @@ let AuthService = class AuthService {
             lastLoginTime: lastLoginTime,
             is_reset_password: is_reset_password,
         };
-        // Generate JWT token
-        const accessToken = this.jwtService.sign(payload);
-        // Update user's apiToken in the database
-        await this.userRepo.update({ id: user.id }, { apiToken: accessToken });
         return {
             status: true,
             message: 'Login successful',
@@ -523,9 +513,10 @@ let AuthService = class AuthService {
                     lastLoginTime: lastLoginTime,
                     is_reset_password: is_reset_password,
                     profile_photo_url: `${this.uploadPhotoDir}/${user.userImage}`,
+                    permissionTree: permissionTree,
                 },
             },
-            access_token: accessToken,
+            access_token: this.jwtService.sign(payload),
         };
     }
     /**
@@ -602,6 +593,18 @@ let AuthService = class AuthService {
             routes: routePermissions,
         };
     }
+    async loadModulePermissions(userId, moduleId) {
+        if (!Number.isFinite(moduleId)) {
+            return [];
+        }
+        const access = await this.moduleAccessRepo.findOne({
+            where: { userId, moduleId: moduleId, isDeleted: 0, status: 1 },
+        });
+        if (!access) {
+            return [];
+        }
+        return Array.isArray(access.permissions) ? access.permissions : [];
+    }
 };
 exports.AuthService = AuthService;
 exports.AuthService = AuthService = __decorate([

package/dist/entities/user-module-access.entity.d.ts

@@ -4,6 +4,7 @@ export declare class UserModuleAccess {
     moduleId: number;
     accessLevel: string;
     status: number;
+    permissions: string[];
     createdAt: Date;
     updatedAt: Date;
     createdBy: number;

package/dist/entities/user-module-access.entity.js

@@ -35,6 +35,14 @@ __decorate([
     (0, typeorm_1.Column)({ type: 'smallint', default: 1 }),
     __metadata("design:type", Number)
 ], UserModuleAccess.prototype, "status", void 0);
+__decorate([
+    (0, typeorm_1.Column)({
+        name: 'permissions',
+        type: 'json',
+        nullable: true,
+    }),
+    __metadata("design:type", Array)
+], UserModuleAccess.prototype, "permissions", void 0);
 __decorate([
     (0, typeorm_1.Column)({ name: 'created_at', type: 'timestamp', default: () => 'CURRENT_TIMESTAMP' }),
     __metadata("design:type", Date)

package/dist/jwt/jwt.strategy.js

@@ -34,10 +34,6 @@ let JwtStrategy = class JwtStrategy extends (0, passport_1.PassportStrategy)(pas
             console.log(`✅ User ${user.id} has access to module ${payload.moduleId}`);
         }
         console.log(`✅ JWT validated for user ${user.id}`);
-        if (user.status !== 1) {
-            console.log(`❌ User ${user.id} is not active`);
-            throw new common_1.UnauthorizedException('Your account is inactive. Please contact support.');
-        }
         return {
             id: user.id,
             email: user.email,

package/package.json

@@ -1,51 +1,51 @@
-{
-  "name": "ecrs-auth-core",
-  "version": "1.0.83",
-  "description": "Centralized authentication and authorization module for ECRS apps",
-  "main": "dist/index.js",
-  "types": "dist/index.d.ts",
-  "files": [
-    "dist"
-  ],
-  "scripts": {
-    "build": "tsc -p tsconfig.json"
-  },
-  "keywords": [
-    "nestjs",
-    "auth",
-    "jwt",
-    "module",
-    "ecrs"
-  ],
-  "author": "Chetan Yadnik",
-  "license": "MIT",
-  "peerDependencies": {
-    "@nestjs/common": "^10.2.7 || ^11.0.0",
-    "@nestjs/core": "^10.2.7 || ^11.0.0",
-    "@nestjs/passport": "^10.0.3 || ^11.0.0",
-    "bcrypt": "^5.1.1",
-    "passport": "^0.6.0",
-    "passport-jwt": "^4.0.1",
-    "typeorm": "^0.3.25"
-  },
-  "dependencies": {
-    "@nestjs/jwt": "^11.0.0",
-    "@nestjs/swagger": "^7.1.14",
-    "@nestjs/typeorm": "^11.0.0",
-    "class-transformer": "^0.5.1",
-    "class-validator": "^0.14.3",
-    "jsonwebtoken": "^9.0.2",
-    "rxjs": "^7.8.1",
-    "swagger-ui-express": "^5.0.0"
-  },
-  "devDependencies": {
-    "@nestjs/common": "^10.2.7",
-    "@nestjs/core": "^10.2.7",
-    "@nestjs/passport": "^10.0.3",
-    "@types/bcrypt": "^6.0.0",
-    "@types/passport-jwt": "^4.0.1",
-    "reflect-metadata": "^0.1.13",
-    "typeorm": "^0.3.17",
-    "typescript": "^5.8.3"
-  }
-}
+{
+  "name": "ecrs-auth-core",
+  "version": "1.0.85",
+  "description": "Centralized authentication and authorization module for ECRS apps",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "files": [
+    "dist"
+  ],
+  "scripts": {
+    "build": "tsc -p tsconfig.json"
+  },
+  "keywords": [
+    "nestjs",
+    "auth",
+    "jwt",
+    "module",
+    "ecrs"
+  ],
+  "author": "Chetan Yadnik",
+  "license": "MIT",
+  "peerDependencies": {
+    "@nestjs/common": "^10.2.7 || ^11.0.0",
+    "@nestjs/core": "^10.2.7 || ^11.0.0",
+    "@nestjs/passport": "^10.0.3 || ^11.0.0",
+    "bcrypt": "^5.1.1",
+    "passport": "^0.6.0",
+    "passport-jwt": "^4.0.1",
+    "typeorm": "^0.3.25"
+  },
+  "dependencies": {
+    "@nestjs/jwt": "^11.0.0",
+    "@nestjs/swagger": "^7.1.14",
+    "@nestjs/typeorm": "^11.0.0",
+    "class-transformer": "^0.5.1",
+    "class-validator": "^0.14.3",
+    "jsonwebtoken": "^9.0.2",
+    "rxjs": "^7.8.1",
+    "swagger-ui-express": "^5.0.0"
+  },
+  "devDependencies": {
+    "@nestjs/common": "^10.2.7",
+    "@nestjs/core": "^10.2.7",
+    "@nestjs/passport": "^10.0.3",
+    "@types/bcrypt": "^6.0.0",
+    "@types/passport-jwt": "^4.0.1",
+    "reflect-metadata": "^0.1.13",
+    "typeorm": "^0.3.17",
+    "typescript": "^5.8.3"
+  }
+}