ecrs-auth-core 1.0.99 → 1.0.100

package/dist/auth.controller.d.ts

@@ -16,6 +16,7 @@ export declare class AuthController {
                 roleId: number;
                 roleName: string | null;
                 moduleId: number;
+                tokenVersion: number;
                 name: string;
                 firstName: string;
                 lastName: string;

package/dist/auth.controller.js

@@ -33,9 +33,7 @@ let AuthController = class AuthController {
         console.log(`📍 Login attempt from IP: ${clientIp}, User-Agent: ${userAgent}`);
         // Validate user with IP restriction check
         const user = await this.authService.validateUser(body.email, body.password, clientIp);
-        console.log(`🔐 User validation result for ${body.email}: ${user ? 'Success' : 'Failed'}`);
         if (!user) {
-            console.warn(`⚠️ Failed login attempt for ${body.email} from IP ${clientIp}`);
             // Save failed login attempt to both tables
             await this.authService.saveLastLogin({ email: body.email }, clientIp, 'failed', 'Invalid credentials or IP not allowed', additionalData).catch((err) => {
                 console.error('❌ Error saving failed login to tbl_user_last_login:', err.message);
@@ -55,12 +53,12 @@ let AuthController = class AuthController {
             console.warn(`⚠️ Invalid module ID provided by user ${body.email}: ${body.moduleId}`);
             throw new common_1.UnauthorizedException('You are not authorized to access this module');
         }
-        // console.log(`🔍 Checking module access for user ID ${user.id} and module ID ${requestedModuleId}...`);
-        // // const allowedDb = await this.authService.hasModuleAccess(user.id, requestedModuleId);
-        // console.log(`📊 Module access check result for user ID ${user.id} and module ID ${requestedModuleId}: ${allowedDb ? 'Allowed' : 'Denied'}`);
-        // if (!allowedDb) {
-        //   throw new UnauthorizedException('You are not authorized to access this module');
-        // }
+        console.log(`🔍 Checking module access for user ID ${user.id} and module ID ${requestedModuleId}...`);
+        const allowedDb = await this.authService.hasModuleAccess(user.id, requestedModuleId);
+        console.log(`📊 Module access check result for user ID ${user.id} and module ID ${requestedModuleId}: ${allowedDb ? 'Allowed' : 'Denied'}`);
+        if (!allowedDb) {
+            throw new common_1.UnauthorizedException('You are not authorized to access this module');
+        }
         // const perms = await this.authService.getPermissions(user.id);
         // console.log(`📊 User permissions for ${body.email}:`, perms);
         // if (!Array.isArray(perms.modules) || !perms.modules.includes(requestedModuleId)) {

package/dist/auth.service.d.ts

@@ -25,7 +25,7 @@ export declare class AuthService {
     private readonly employeeWorkProfileRepo;
     private uploadPhotoDir;
     constructor(jwtService: JwtService, options: AuthCoreOptions);
-    validateUser(email: string, password: string, clientIp?: string): Promise<User | null>;
+    validateUser(email: string, password: string, clientIp?: string): Promise<User>;
     /**
      * Validate IP restriction for a user
      *
@@ -88,6 +88,7 @@ export declare class AuthService {
                 roleId: number;
                 roleName: string | null;
                 moduleId: number;
+                tokenVersion: number;
                 name: string;
                 firstName: string;
                 lastName: string;
@@ -114,5 +115,7 @@ export declare class AuthService {
      */
     extractUserIpv4(clientIp: string | undefined): string;
     findUserById(id: number): Promise<User | null>;
+    findUserLastLogin(userId: number): Promise<any>;
+    updateLastActivity(loginId: number): Promise<void>;
     private loadModulePermissions;
 }

package/dist/auth.service.js

@@ -72,18 +72,17 @@ let AuthService = class AuthService {
     }
     async validateUser(email, password, clientIp) {
         const user = await this.userRepo.findOne({ where: { email } });
-        if (!user)
-            return null;
+        if (!user) {
+            throw new common_1.UnauthorizedException('Invalid email');
+        }
         const isValid = await bcrypt.compare(password, user.password);
-        if (!isValid)
-            return null;
-        // console.log(this.ipRestrictionsRepo);
-        // Check IP restrictions if provided and repository is available
+        if (!isValid) {
+            throw new common_1.UnauthorizedException('Invalid password');
+        }
         if (clientIp && this.ipRestrictionsRepo) {
             const ipAllowed = await this.validateIpRestriction(user.id, clientIp);
             if (!ipAllowed) {
-                // IP restriction exists but doesn't match - return null to block login
-                return null;
+                throw new common_1.UnauthorizedException('Login not allowed from this IP address');
             }
         }
         return user;
@@ -172,7 +171,7 @@ let AuthService = class AuthService {
        AND status = 1
        AND is_deleted = 0
        LIMIT 1`, [userId, moduleId]);
-            console.log('Raw Query Result:', result);
+            // console.log('Raw Query Result:', result);
             const allowed = result.length > 0;
             console.log(`📊 Module access check result for user ID ${userId} and module ID ${moduleId}: ${allowed ? 'Allowed' : 'Denied'}`);
             return allowed;
@@ -489,6 +488,7 @@ let AuthService = class AuthService {
             roleId: user.roleId,
             roleName: roleName,
             moduleId: effectiveModuleId,
+            tokenVersion: user.token_version || 1,
             name: `${user.firstName} ${user.lastName}`,
             firstName: user.firstName,
             lastName: user.lastName,
@@ -515,6 +515,7 @@ let AuthService = class AuthService {
                     roleId: user.roleId,
                     roleName: roleName,
                     moduleId: effectiveModuleId,
+                    tokenVersion: user.token_version || 1,
                     name: `${user.firstName} ${user.lastName}`,
                     firstName: user.firstName,
                     lastName: user.lastName,
@@ -548,6 +549,42 @@ let AuthService = class AuthService {
     async findUserById(id) {
         return this.userRepo.findOne({ where: { id } });
     }
+    async findUserLastLogin(userId) {
+        let lastLoginTime = null;
+        if (this.userLastLoginRepo) {
+            try {
+                const result = await this.userLastLoginRepo
+                    .createQueryBuilder('login')
+                    .select('login.login_time', 'login_time')
+                    .where('login.user_id = :userId', { userId })
+                    .andWhere('login.logout_time IS NULL')
+                    .orderBy('login.login_time', 'DESC')
+                    .limit(1)
+                    .getRawOne();
+                if (result) {
+                    lastLoginTime = result?.login_time || null;
+                }
+            }
+            catch (error) {
+                console.error('Error fetching last login details:', error);
+                // Continue with null values if fetch fails
+            }
+        }
+        return lastLoginTime;
+    }
+    async updateLastActivity(loginId) {
+        try {
+            if (this.userLastLoginRepo) {
+                await this.userLastLoginRepo.update({ id: loginId }, {
+                    login_time: new Date(), // 🔥 update activity
+                    updated_at: new Date(),
+                });
+            }
+        }
+        catch (error) {
+            console.error('Error updating last activity:', error);
+        }
+    }
     // private async loadPermissions(userId: number): Promise<PermissionsTree> {
     //   // Feature Permissions
     //   const featureAccessList = await this.featureAccessRepo.find({

package/dist/entities/user.entity.d.ts

@@ -16,6 +16,7 @@ export declare class User {
     otpNumber: number;
     isOtpVerified: number;
     moduleId: number;
+    token_version: number;
     createdBy: number;
     updatedBy: number;
     deletedBy: number;

package/dist/entities/user.entity.js

@@ -83,6 +83,10 @@ __decorate([
     (0, typeorm_1.Column)({ nullable: true }),
     __metadata("design:type", Number)
 ], User.prototype, "moduleId", void 0);
+__decorate([
+    (0, typeorm_1.Column)({ type: 'int', default: 1 }),
+    __metadata("design:type", Number)
+], User.prototype, "token_version", void 0);
 __decorate([
     (0, typeorm_1.Column)(),
     __metadata("design:type", Number)

package/dist/jwt/jwt.strategy.d.ts

@@ -9,6 +9,6 @@ export declare class JwtStrategy extends JwtStrategy_base {
         email: string;
         roleId: number;
         moduleId: any;
-    } | null>;
+    }>;
 }
 export {};

package/dist/jwt/jwt.strategy.js

@@ -25,13 +25,40 @@ let JwtStrategy = class JwtStrategy extends (0, passport_1.PassportStrategy)(pas
     }
     async validate(payload) {
         const user = await this.authService.findUserById(payload.id);
-        if (!user)
-            return null;
-        // if (payload.moduleId) {
-        //   const hasAccess = await this.authService.hasModuleAccess(user.id, payload.moduleId);
-        //   if (!hasAccess) return null;
-        //   console.log(`✅ User ${user.id} has access to module ${payload.moduleId}`);
-        // }
+        if (!user) {
+            throw new common_1.UnauthorizedException('INVALID_USER');
+        }
+        // 🔥 1. TOKEN VERSION CHECK (DO FIRST → fast reject)
+        if (user.token_version !== payload.tokenVersion) {
+            console.warn(`⚠️ Token version mismatch for user ${user.id}. Expected ${user.token_version}, got ${payload.tokenVersion}`);
+            throw new common_1.UnauthorizedException('TOKEN_EXPIRED');
+        }
+        // 🔥 2. MODULE ACCESS CHECK
+        if (payload.moduleId) {
+            const hasAccess = await this.authService.hasModuleAccess(user.id, payload.moduleId);
+            if (!hasAccess) {
+                throw new common_1.UnauthorizedException('MODULE_ACCESS_DENIED');
+            }
+            console.log(`✅ User ${user.id} has access to module ${payload.moduleId}`);
+        }
+        // 🔥 3. SESSION / LAST ACTIVITY CHECK
+        const lastLogin = await this.authService.findUserLastLogin(user.id);
+        if (!lastLogin) {
+            throw new common_1.UnauthorizedException('SESSION_NOT_FOUND');
+        }
+        const lastActivityTime = new Date(lastLogin.lastActivityTime || lastLogin.login_time).getTime();
+        const currentTime = Date.now();
+        const inactivityMinutes = (currentTime - lastActivityTime) / (1000 * 60);
+        const INACTIVITY_TIMEOUT_MINUTES = 20;
+        // 🔥 Idle timeout
+        if (inactivityMinutes > INACTIVITY_TIMEOUT_MINUTES) {
+            console.log(`❌ User ${user.id} token expired due to inactivity (${inactivityMinutes.toFixed(2)} minutes)`);
+            throw new common_1.UnauthorizedException('Your session has expired due to inactivity. Please login again.');
+        }
+        // 🔥 4. UPDATE LAST ACTIVITY (avoid DB overload)
+        if (inactivityMinutes > 2) {
+            await this.authService.updateLastActivity(lastLogin.id);
+        }
         console.log(`✅ JWT validated for user ${user.id}`);
         return {
             id: user.id,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ecrs-auth-core",
-  "version": "1.0.99",
+  "version": "1.0.100",
   "description": "Centralized authentication and authorization module for ECRS apps",
   "main": "dist/index.js",
   "types": "dist/index.d.ts",