lapeh 2.2.6 → 2.2.7

package/api-testing-sepuluh/scripts/verify-rbac-functional.js

@@ -0,0 +1,187 @@
+
+// const fetch = require('node:fetch'); // Or native fetch in Node 18+
+
+const BASE_URL = 'http://localhost:8000/api';
+let TOKEN = '';
+let USER_ID = '';
+let ROLE_ID = '';
+let PERMISSION_ID = '';
+
+async function request(method, endpoint, body = null, token = null) {
+  const headers = { 'Content-Type': 'application/json' };
+  if (token) headers['Authorization'] = `Bearer ${token}`;
+  
+  const config = { method, headers };
+  if (body) config.body = JSON.stringify(body);
+
+  try {
+    const res = await fetch(`${BASE_URL}${endpoint}`, config);
+    const data = await res.json();
+    return { status: res.status, data };
+  } catch (err) {
+    console.error(`Error requesting ${endpoint}:`, err.message);
+    return null;
+  }
+}
+
+async function run() {
+  console.log('🚀 Starting RBAC Functional Verification...');
+
+  // 0. Login as Super Admin
+  console.log('\n0️⃣  Logging in as Super Admin...');
+  const saLogin = await request('POST', '/auth/login', {
+    email: 'sa@sa.com',
+    password: 'string'
+  });
+
+  let SA_TOKEN = '';
+  if (saLogin?.status === 200) {
+    console.log('✅ SA Login successful');
+    SA_TOKEN = saLogin.data.data.token;
+  } else {
+    console.error('❌ SA Login failed:', JSON.stringify(saLogin?.data));
+    process.exit(1);
+  }
+
+  // 1. Register User
+  console.log('\n1️⃣  Registering User (Tester)...');
+  const regRes = await request('POST', '/auth/register', {
+    email: 'testrbac@example.com',
+    name: 'RBAC Tester',
+    password: 'password123',
+    confirmPassword: 'password123'
+  });
+  
+  if (regRes?.status === 200 || regRes?.status === 201) {
+    console.log('✅ Registered successfully');
+    USER_ID = regRes.data.data.id;
+  } else if (regRes?.status === 422 && regRes.data.message.includes('Validation error')) {
+     console.log('ℹ️  User might already exist, trying login to get ID...');
+     // Login to get ID
+     const loginRes = await request('POST', '/auth/login', {
+        email: 'testrbac@example.com',
+        password: 'password123'
+      });
+      if (loginRes?.status === 200) {
+        const meRes = await request('GET', '/auth/me', null, loginRes.data.data.token);
+        USER_ID = meRes.data.data.id;
+        console.log('✅ Got existing User ID');
+      }
+  } else {
+    console.error('❌ Registration failed:', JSON.stringify(regRes?.data));
+  }
+
+  // 2. Login (as Tester) - to verify later
+  console.log('\n2️⃣  Logging in as Tester...');
+  const loginRes = await request('POST', '/auth/login', {
+    email: 'testrbac@example.com',
+    password: 'password123'
+  });
+
+  if (loginRes?.status === 200) {
+    console.log('✅ Login successful');
+    TOKEN = loginRes.data.data.token;
+  } else {
+    console.error('❌ Login failed:', JSON.stringify(loginRes?.data));
+    process.exit(1);
+  }
+
+  // 3. Create Role (Using SA Token)
+  console.log('\n3️⃣  Creating Role "tester-role"...');
+  const roleRes = await request('POST', '/rbac/roles', {
+    name: 'Tester Role',
+    slug: 'tester-role',
+    description: 'Role for automated testing'
+  }, SA_TOKEN);
+
+  if (roleRes?.status === 201 || roleRes?.status === 200) {
+    console.log('✅ Role created');
+    ROLE_ID = roleRes.data.data.id;
+  } else if (roleRes?.status === 422) { // Duplicate?
+     console.log('ℹ️  Role might already exist.');
+     const listRes = await request('GET', '/rbac/roles', null, SA_TOKEN);
+     const found = listRes.data.data.find(r => r.slug === 'tester-role');
+     if (found) {
+        ROLE_ID = found.id;
+        console.log('✅ Found existing role');
+     } else {
+        console.error('❌ Could not create or find role');
+        process.exit(1);
+     }
+  } else {
+    console.error('❌ Create role failed:', JSON.stringify(roleRes?.data));
+    process.exit(1);
+  }
+
+  // 4. Create Permission (Using SA Token)
+  console.log('\n4️⃣  Creating Permission "test.exec"...');
+  const permRes = await request('POST', '/rbac/permissions', {
+    name: 'Test Execute',
+    slug: 'test.exec',
+    description: 'Permission to execute tests'
+  }, SA_TOKEN);
+
+  if (permRes?.status === 201 || permRes?.status === 200) {
+    console.log('✅ Permission created');
+    PERMISSION_ID = permRes.data.data.id;
+  } else if (permRes?.status === 422) {
+     const listRes = await request('GET', '/rbac/permissions', null, SA_TOKEN);
+     const found = listRes.data.data.find(p => p.slug === 'test.exec');
+     if (found) {
+        PERMISSION_ID = found.id;
+        console.log('✅ Found existing permission');
+     } else {
+        console.error('❌ Could not create or find permission');
+        process.exit(1);
+     }
+  } else {
+    console.error('❌ Create permission failed:', JSON.stringify(permRes?.data));
+    process.exit(1);
+  }
+
+  // 5. Assign Permission to Role (Using SA Token)
+  console.log('\n5️⃣  Assigning Permission to Role...');
+  const assignP2R = await request('POST', '/rbac/roles/assign-permission', {
+    roleId: ROLE_ID,
+    permissionId: PERMISSION_ID
+  }, SA_TOKEN);
+
+  if (assignP2R?.status === 200) {
+    console.log('✅ Permission assigned to role');
+  } else {
+    console.error('❌ Assign permission failed:', JSON.stringify(assignP2R?.data));
+  }
+
+  // 6. Assign Role to User (Using SA Token)
+  console.log('\n6️⃣  Assigning Role to User...');
+  const assignR2U = await request('POST', '/rbac/users/assign-role', {
+    userId: USER_ID,
+    roleId: ROLE_ID
+  }, SA_TOKEN);
+
+  if (assignR2U?.status === 200) {
+    console.log('✅ Role assigned to user');
+  } else {
+    console.error('❌ Assign role failed:', JSON.stringify(assignR2U?.data));
+  }
+
+  // 7. Verify via Profile (Using Tester Token)
+  console.log('\n7️⃣  Verifying Profile...');
+  const profile = await request('GET', '/auth/me', null, TOKEN);
+  console.log('👤 User Profile:', JSON.stringify(profile.data.data));
+  
+  // 8. Cleanup (Using SA Token)
+  console.log('\n8️⃣  Cleaning up...');
+  
+  const delRole = await request('DELETE', `/rbac/roles/${ROLE_ID}`, null, SA_TOKEN);
+  if (delRole?.status === 200) console.log('✅ Role deleted');
+  else console.error('❌ Delete role failed', JSON.stringify(delRole?.data));
+
+  const delPerm = await request('DELETE', `/rbac/permissions/${PERMISSION_ID}`, null, SA_TOKEN);
+  if (delPerm?.status === 200) console.log('✅ Permission deleted');
+  else console.error('❌ Delete permission failed');
+
+  console.log('\n🎉 Verification Complete!');
+}
+
+run();

package/api-testing-sepuluh/src/controllers/authController.ts

@@ -0,0 +1,469 @@
+import { Request, Response } from "express";
+import bcrypt from "bcryptjs";
+import jwt from "jsonwebtoken";
+import { v4 as uuidv4 } from "uuid";
+import { prisma } from "@lapeh/core/database";
+import { sendError, sendFastSuccess } from "@lapeh/utils/response";
+import { Validator } from "@lapeh/utils/validator";
+import { getSerializer, createResponseSchema } from "@lapeh/core/serializer";
+
+export const ACCESS_TOKEN_EXPIRES_IN_SECONDS = 7 * 24 * 60 * 60;
+
+// --- Serializers ---
+
+const registerSchema = {
+  type: "object",
+  properties: {
+    id: { type: "string" },
+    email: { type: "string" },
+    name: { type: "string" },
+    role: { type: "string" },
+  },
+};
+
+const loginSchema = {
+  type: "object",
+  properties: {
+    token: { type: "string" },
+    refreshToken: { type: "string" },
+    expiresIn: { type: "integer" },
+    expiresAt: { type: "string" },
+    name: { type: "string" },
+    role: { type: "string" },
+  },
+};
+
+const userProfileSchema = {
+  type: "object",
+  properties: {
+    id: { type: "string" },
+    name: { type: "string" },
+    email: { type: "string" },
+    role: { type: "string" },
+    avatar: { type: "string", nullable: true },
+    avatar_url: { type: "string", nullable: true },
+    email_verified_at: { type: "string", format: "date-time", nullable: true },
+    created_at: { type: "string", format: "date-time", nullable: true },
+    updated_at: { type: "string", format: "date-time", nullable: true },
+  },
+};
+
+const refreshTokenSchema = {
+  type: "object",
+  properties: {
+    token: { type: "string" },
+    expiresIn: { type: "integer" },
+    expiresAt: { type: "string" },
+    name: { type: "string" },
+    role: { type: "string" },
+  },
+};
+
+const registerSerializer = getSerializer(
+  "auth-register",
+  createResponseSchema(registerSchema)
+);
+const loginSerializer = getSerializer(
+  "auth-login",
+  createResponseSchema(loginSchema)
+);
+const userProfileSerializer = getSerializer(
+  "auth-profile",
+  createResponseSchema(userProfileSchema)
+);
+const refreshTokenSerializer = getSerializer(
+  "auth-refresh",
+  createResponseSchema(refreshTokenSchema)
+);
+
+const voidSerializer = getSerializer(
+  "void",
+  createResponseSchema({ type: "null" })
+);
+
+// --- Controllers ---
+
+export async function register(req: Request, res: Response) {
+  const validator = Validator.make(req.body || {}, {
+    email: "required|email|unique:users,email",
+    name: "required|min:1",
+    password: "required|min:4",
+    confirmPassword: "required|min:4|same:password",
+  });
+
+  if (await validator.fails()) {
+    sendError(res, 422, "Validation error", validator.errors());
+    return;
+  }
+  const { email, name, password } = await validator.validated();
+  // Manual unique check removed as it is handled by validator
+  const hash = await bcrypt.hash(password, 10);
+  const user = await prisma.users.create({
+    data: {
+      email,
+      name,
+      password: hash,
+      uuid: uuidv4(),
+      created_at: new Date(),
+      updated_at: new Date(),
+    },
+  });
+
+  const defaultRole = await prisma.roles.findUnique({
+    where: { slug: "user" },
+  });
+  if (defaultRole) {
+    await prisma.user_roles.create({
+      data: {
+        user_id: user.id,
+        role_id: defaultRole.id,
+        created_at: new Date(),
+      },
+    });
+  }
+
+  sendFastSuccess(res, 200, registerSerializer, {
+    status: "success",
+    message: "Registration successful",
+    data: {
+      id: user.id.toString(),
+      email: user.email,
+      name: user.name,
+      role: defaultRole ? defaultRole.slug : "user",
+    },
+  });
+}
+
+export async function login(req: Request, res: Response) {
+  const validator = Validator.make(req.body || {}, {
+    email: "required|email",
+    password: "required|min:4",
+  });
+
+  if (await validator.fails()) {
+    sendError(res, 422, "Validation error", validator.errors());
+    return;
+  }
+  const { email, password } = await validator.validated();
+  const user = await prisma.users.findUnique({
+    where: { email },
+    include: {
+      user_roles: {
+        include: {
+          role: true,
+        },
+      },
+    },
+  });
+  if (!user) {
+    sendError(res, 401, "Email not registered", {
+      field: "email",
+      message: "Email is not registered, please register first",
+    });
+    return;
+  }
+  const ok = await bcrypt.compare(password, user.password);
+  if (!ok) {
+    sendError(res, 401, "Invalid credentials", {
+      field: "password",
+      message: "The password you entered is incorrect",
+    });
+    return;
+  }
+  const secret = process.env.JWT_SECRET;
+  if (!secret) {
+    sendError(res, 500, "Server misconfigured");
+    return;
+  }
+  const primaryUserRole =
+    user.user_roles && user.user_roles.length > 0 && user.user_roles[0].role
+      ? user.user_roles[0].role.slug
+      : "user";
+  const accessExpiresInSeconds = ACCESS_TOKEN_EXPIRES_IN_SECONDS;
+  const accessExpiresAt = new Date(
+    Date.now() + accessExpiresInSeconds * 1000
+  ).toISOString();
+  const token = jwt.sign(
+    { userId: user.id.toString(), role: primaryUserRole },
+    secret,
+    { expiresIn: accessExpiresInSeconds }
+  );
+  const refreshExpiresInSeconds = 30 * 24 * 60 * 60;
+  const refreshToken = jwt.sign(
+    {
+      userId: user.id.toString(),
+      role: primaryUserRole,
+      tokenType: "refresh",
+    },
+    secret,
+    { expiresIn: refreshExpiresInSeconds }
+  );
+  sendFastSuccess(res, 200, loginSerializer, {
+    status: "success",
+    message: "Login successful",
+    data: {
+      token,
+      refreshToken,
+      expiresIn: accessExpiresInSeconds,
+      expiresAt: accessExpiresAt,
+      name: user.name,
+      role: primaryUserRole,
+    },
+  });
+}
+
+export async function me(req: Request, res: Response) {
+  const payload = (req as any).user as { userId: string; role: string };
+  if (!payload || !payload.userId) {
+    sendError(res, 401, "Unauthorized");
+    return;
+  }
+  const user = await prisma.users.findUnique({
+    where: { id: BigInt(payload.userId) },
+    include: {
+      user_roles: {
+        include: {
+          role: true,
+        },
+      },
+    },
+  });
+  if (!user) {
+    sendError(res, 404, "User not found");
+    return;
+  }
+  const { password, remember_token, ...rest } = user as any;
+  sendFastSuccess(res, 200, userProfileSerializer, {
+    status: "success",
+    message: "User profile",
+    data: {
+      ...rest,
+      id: user.id.toString(),
+      role:
+        user.user_roles && user.user_roles.length > 0 && user.user_roles[0].role
+          ? user.user_roles[0].role.slug
+          : "user",
+    },
+  });
+}
+
+export async function logout(_req: Request, res: Response) {
+  // In a stateless JWT setup, logout is client-side (delete token).
+  // If using a whitelist/blacklist in Redis, invalidate the token here.
+  // For now, just return success.
+  sendFastSuccess(res, 200, voidSerializer, {
+    status: "success",
+    message: "Logout successful",
+    data: null,
+  });
+}
+
+export async function refreshToken(req: Request, res: Response) {
+  const validator = Validator.make(req.body || {}, {
+    refreshToken: "required|min:1",
+  });
+  if (await validator.fails()) {
+    sendError(res, 422, "Validation error", validator.errors());
+    return;
+  }
+  const secret = process.env.JWT_SECRET;
+  if (!secret) {
+    sendError(res, 500, "Server misconfigured");
+    return;
+  }
+  try {
+    const validatedData = await validator.validated();
+    const decoded = jwt.verify(validatedData.refreshToken, secret) as {
+      userId: string;
+      role: string;
+      tokenType?: string;
+      iat: number;
+      exp: number;
+    };
+    if (decoded.tokenType !== "refresh") {
+      sendError(res, 401, "Invalid refresh token");
+      return;
+    }
+    const user = await prisma.users.findUnique({
+      where: { id: BigInt(decoded.userId) },
+      include: {
+        user_roles: {
+          include: {
+            role: true,
+          },
+        },
+      },
+    });
+    if (!user) {
+      sendError(res, 401, "Invalid refresh token");
+      return;
+    }
+    const primaryUserRole =
+      user.user_roles && user.user_roles.length > 0 && user.user_roles[0].role
+        ? user.user_roles[0].role.slug
+        : "user";
+    const accessExpiresInSeconds = ACCESS_TOKEN_EXPIRES_IN_SECONDS;
+    const accessExpiresAt = new Date(
+      Date.now() + accessExpiresInSeconds * 1000
+    ).toISOString();
+    const token = jwt.sign(
+      { userId: user.id.toString(), role: primaryUserRole },
+      secret,
+      { expiresIn: accessExpiresInSeconds }
+    );
+    sendFastSuccess(res, 200, refreshTokenSerializer, {
+      status: "success",
+      message: "Token refreshed",
+      data: {
+        token,
+        expiresIn: accessExpiresInSeconds,
+        expiresAt: accessExpiresAt,
+        name: user.name,
+        role: primaryUserRole,
+      },
+    });
+  } catch {
+    sendError(res, 401, "Invalid refresh token");
+  }
+}
+
+export async function updateAvatar(req: Request, res: Response) {
+  const payload = (req as any).user as { userId: string; role: string };
+  if (!payload || !payload.userId) {
+    sendError(res, 401, "Unauthorized");
+    return;
+  }
+
+  const data = {
+    avatar: (req as any).file,
+  };
+
+  const validator = Validator.make(data, {
+    avatar: "nullable|image|mimes:jpeg,png,jpg,gif|max:2048",
+  });
+
+  if (await validator.fails()) {
+    sendError(res, 422, "Validation error", validator.errors());
+    return;
+  }
+
+  const { avatar: file } = await validator.validated();
+
+  if (!file) {
+    sendError(res, 400, "Avatar file is required");
+    return;
+  }
+  const userId = BigInt(payload.userId);
+  const avatar = file.filename;
+  const avatar_url =
+    process.env.AVATAR_BASE_URL || `/uploads/avatars/${file.filename}`;
+  const updated = await prisma.users.update({
+    where: { id: userId },
+    data: {
+      avatar,
+      avatar_url,
+      updated_at: new Date(),
+    },
+  });
+  const { password, remember_token, ...rest } = updated as any;
+  // Note: user_roles might not be fetched in update, so role defaults to "user" or fetched if needed.
+  // Ideally we should refetch or pass existing role.
+  // For now assuming role is preserved or handled by frontend state, but API should return it.
+  // Let's rely on nullable role or simple "user" fallback if not present in `updated`.
+  // Actually `update` returns what was updated. Relations are not included unless specified.
+  // For now we will return it compatible with userProfileSchema.
+
+  sendFastSuccess(res, 200, userProfileSerializer, {
+    status: "success",
+    message: "Avatar updated successfully",
+    data: {
+      ...rest,
+      id: updated.id.toString(),
+      role: payload.role, // Use role from JWT payload as it shouldn't change here
+    },
+  });
+}
+
+export async function updatePassword(req: Request, res: Response) {
+  const payload = (req as any).user as { userId: string; role: string };
+  if (!payload || !payload.userId) {
+    sendError(res, 401, "Unauthorized");
+    return;
+  }
+  const validator = Validator.make(req.body || {}, {
+    currentPassword: "required|min:4",
+    newPassword: "required|min:4",
+    confirmPassword: "required|min:4|same:newPassword",
+  });
+  if (await validator.fails()) {
+    sendError(res, 422, "Validation error", validator.errors());
+    return;
+  }
+  const { currentPassword, newPassword } = await validator.validated();
+  const user = await prisma.users.findUnique({
+    where: { id: BigInt(payload.userId) },
+  });
+  if (!user) {
+    sendError(res, 404, "User not found");
+    return;
+  }
+  const ok = await bcrypt.compare(currentPassword, user.password);
+  if (!ok) {
+    sendError(res, 401, "Invalid credentials", {
+      field: "currentPassword",
+      message: "Current password is incorrect",
+    });
+    return;
+  }
+  const hash = await bcrypt.hash(newPassword, 10);
+  await prisma.users.update({
+    where: { id: user.id },
+    data: {
+      password: hash,
+      updated_at: new Date(),
+    },
+  });
+  sendFastSuccess(res, 200, voidSerializer, {
+    status: "success",
+    message: "Password updated successfully",
+    data: null,
+  });
+}
+
+export async function updateProfile(req: Request, res: Response) {
+  const payload = (req as any).user as { userId: string; role: string };
+  if (!payload || !payload.userId) {
+    sendError(res, 401, "Unauthorized");
+    return;
+  }
+  const validator = Validator.make(req.body || {}, {
+    name: "required|min:1",
+    email: `required|email|unique:users,email,${payload.userId}`,
+  });
+  if (await validator.fails()) {
+    sendError(res, 422, "Validation error", validator.errors());
+    return;
+  }
+  const { name, email } = await validator.validated();
+  const userId = BigInt(payload.userId);
+  // Manual unique check removed as it is handled by validator
+
+  const updated = await prisma.users.update({
+    where: { id: userId },
+    data: {
+      name,
+      email,
+      updated_at: new Date(),
+    },
+  });
+  const { password, remember_token, ...rest } = updated as any;
+  sendFastSuccess(res, 200, userProfileSerializer, {
+    status: "success",
+    message: "Profile updated successfully",
+    data: {
+      ...rest,
+      id: updated.id.toString(),
+      role: payload.role, // Use role from JWT payload
+    },
+  });
+}