npm - najm-auth - Versions diffs - 0.1.10 → 0.1.12 - Mend

najm-auth 0.1.10 → 0.1.12

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Potentially problematic release.

This version of najm-auth might be problematic. Click here for more details.

Files changed (2) hide show

package/dist/index.mjs +1894 -1518
package/package.json +5 -4

package/dist/index.mjs CHANGED Viewed

@@ -1,23 +1,25 @@
 var __defProp = Object.defineProperty;
-var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
-var __decorateClass = (decorators, target, key, kind) => {
-  var result = kind > 1 ? void 0 : kind ? __getOwnPropDesc(target, key) : target;
-  for (var i = decorators.length - 1, decorator; i >= 0; i--)
-    if (decorator = decorators[i])
-      result = (kind ? decorator(target, key, result) : decorator(result)) || result;
-  if (kind && result) __defProp(target, key, result);
-  return result;
-};
-var __decorateParam = (index, decorator) => (target, key) => decorator(target, key, index);
+var __name = (target, value) => __defProp(target, "name", { value, configurable: true });
 // src/auth/EncryptionService.ts
 import { Injectable } from "najm-api";
 import bcrypt from "bcrypt";
-var EncryptionService = class {
+var __decorate = function(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata = function(k, v) {
+  if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var _a;
+var EncryptionService = (_a = class {
   constructor() {
   }
   async hashPassword(password) {
-    if (!password) return null;
+    if (!password)
+      return null;
     if (typeof password !== "string" || password.trim().length === 0) {
       return null;
     }
@@ -26,15 +28,23 @@ var EncryptionService = class {
   async comparePassword(password, hashedPassword) {
     return bcrypt.compare(password, hashedPassword);
   }
-};
-EncryptionService = __decorateClass([
-  Injectable()
+}, __name(_a, "EncryptionService"), _a);
+EncryptionService = __decorate([
+  Injectable(),
+  __metadata("design:paramtypes", [])
 ], EncryptionService);
 // src/auth/CookieService.ts
 import { setCookie, Injectable as Injectable2, deleteCookie } from "najm-api";
 import timestring from "timestring";
-var CookieService = class {
+var __decorate2 = function(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var _a2;
+var CookieService = (_a2 = class {
   setRefreshCookie(refreshToken) {
     const maxAge = timestring(process.env.REFRESH_EXPIRES_IN, "s");
     setCookie("refreshToken", refreshToken, {
@@ -52,229 +62,22 @@ var CookieService = class {
       maxAge: 0
     });
   }
-};
-CookieService = __decorateClass([
+}, __name(_a2, "CookieService"), _a2);
+CookieService = __decorate2([
   Injectable2()
 ], CookieService);
 // src/auth/AuthController.ts
-import { Controller, Get, Post, Params, Body, User, t } from "najm-api";
-// src/roles/RoleGuards.ts
-import { Injectable as Injectable3, Headers, createGuard, GuardParams, Ctx } from "najm-api";
-var ROLES = {
-  ADMIN: "admin",
-  PRINCIPAL: "principal",
-  ACCOUNTING: "accounting",
-  SECRETARY: "secretary",
-  TEACHER: "teacher",
-  STUDENT: "student",
-  PARENT: "parent"
-};
-var ROLE_GROUPS = {
-  ADMINISTRATORS: [ROLES.ADMIN, ROLES.PRINCIPAL],
-  FINANCIAL: [ROLES.ADMIN, ROLES.ACCOUNTING],
-  STAFF: [ROLES.ADMIN, ROLES.PRINCIPAL, ROLES.ACCOUNTING, ROLES.SECRETARY, ROLES.TEACHER],
-  END_USERS: [ROLES.STUDENT, ROLES.PARENT],
-  ALL: [ROLES.ADMIN, ROLES.PRINCIPAL, ROLES.ACCOUNTING, ROLES.SECRETARY, ROLES.TEACHER, ROLES.STUDENT, ROLES.PARENT]
-};
-var RoleChecker = class {
-  isInGroup(userRole, group) {
-    return group.includes(userRole?.toLowerCase());
-  }
-  isAdministrator(userRole) {
-    return this.isInGroup(userRole, ROLE_GROUPS.ADMINISTRATORS);
-  }
-  isStaff(userRole) {
-    return this.isInGroup(userRole, ROLE_GROUPS.STAFF);
-  }
-  hasAnyRole(userRole, roles) {
-    return roles.includes(userRole?.toLowerCase());
-  }
-  hasExactRole(userRole, requiredRole) {
-    return userRole?.toLowerCase() === requiredRole?.toLowerCase();
-  }
-};
-RoleChecker = __decorateClass([
-  Injectable3()
-], RoleChecker);
-var RoleGuards = class {
-  constructor(roleChecker, tokenService) {
-    this.roleChecker = roleChecker;
-    this.tokenService = tokenService;
-  }
-  async isAuth(auth, ctx) {
-    const user = await this.tokenService.storeUserInCache(auth, ctx);
-    return !!user;
-  }
-  async hasRoles(auth, ctx, roles) {
-    try {
-      const user = await this.tokenService.storeUserInCache(auth, ctx);
-      if (!user?.role) return false;
-      const roleArray = Array.isArray(roles) ? roles : [roles];
-      return this.roleChecker.hasAnyRole(user.role, roleArray);
-    } catch {
-      return false;
-    }
-  }
-};
-__decorateClass([
-  __decorateParam(0, Headers("authorization")),
-  __decorateParam(1, Ctx())
-], RoleGuards.prototype, "isAuth", 1);
-__decorateClass([
-  __decorateParam(0, Headers("authorization")),
-  __decorateParam(1, Ctx()),
-  __decorateParam(2, GuardParams())
-], RoleGuards.prototype, "hasRoles", 1);
-RoleGuards = __decorateClass([
-  Injectable3()
-], RoleGuards);
-var isAdmin = () => Role("admin");
-var isPrincipal = () => Role("principal");
-var isAccounting = () => Role("accounting");
-var isSecretary = () => Role("secretary");
-var isTeacher = () => Role("teacher");
-var isParent = () => Role("parent");
-var isStudent = () => Role("student");
-var isAdministrator = () => Role("admin", "principal");
-var isFinancial = () => Role("admin", "accounting");
-var isStaff = () => Role("admin", "principal", "accounting", "secretary", "teacher");
-var isAuth = createGuard(RoleGuards, "isAuth");
-var Role = (...roles) => createGuard(RoleGuards, "hasRoles")(...roles);
-// src/auth/AuthController.ts
-var AuthController = class {
-  constructor(authService) {
-    this.authService = authService;
-  }
-  async registerUser(body) {
-    const data = await this.authService.registerUser(body);
-    return {
-      data,
-      message: t("auth.success.register"),
-      status: "success"
-    };
-  }
-  async loginUser(body) {
-    const data = await this.authService.loginUser(body);
-    return {
-      data,
-      message: t("auth.success.login"),
-      status: "success"
-    };
-  }
-  async refreshTokens() {
-    const data = await this.authService.refreshTokens();
-    return {
-      data,
-      message: t("auth.success.tokenRefreshed"),
-      status: "success"
-    };
-  }
-  async logoutUser(id) {
-    const data = await this.authService.logoutUser(id);
-    return {
-      data,
-      message: t("auth.success.logout"),
-      status: "success"
-    };
-  }
-  async userProfile(user) {
-    const data = await this.authService.getUserProfile(user);
-    return {
-      data,
-      message: t("users.success.retrieved"),
-      status: "success"
-    };
-  }
-  async forgotPassword(body) {
-    const data = await this.authService.forgotPassword(body.email);
-    return {
-      data,
-      message: t("auth.success.passwordReset"),
-      status: "success"
-    };
-  }
-};
-__decorateClass([
-  Post("/register"),
-  __decorateParam(0, Body())
-], AuthController.prototype, "registerUser", 1);
-__decorateClass([
-  Post("/login"),
-  __decorateParam(0, Body())
-], AuthController.prototype, "loginUser", 1);
-__decorateClass([
-  Get("/refresh")
-], AuthController.prototype, "refreshTokens", 1);
-__decorateClass([
-  Get("/logout/:id"),
-  __decorateParam(0, Params("id"))
-], AuthController.prototype, "logoutUser", 1);
-__decorateClass([
-  Get("/me"),
-  isAuth(),
-  __decorateParam(0, User())
-], AuthController.prototype, "userProfile", 1);
-__decorateClass([
-  Post("/forgot-password"),
-  isAuth(),
-  __decorateParam(0, Body())
-], AuthController.prototype, "forgotPassword", 1);
-AuthController = __decorateClass([
-  Controller("/auth")
-], AuthController);
+import { Controller as Controller3, Get as Get3, Post as Post3, Params as Params3, Body as Body3, User, t as t7 } from "najm-api";
 // src/auth/AuthService.ts
-import { t as t2 } from "najm-api";
-import { Injectable as Injectable4, getCurrentLanguage } from "najm-api";
-var AuthService = class {
-  constructor(tokenService, userService, userValidator, cookieService) {
-    this.tokenService = tokenService;
-    this.userService = userService;
-    this.userValidator = userValidator;
-    this.cookieService = cookieService;
-  }
-  async registerUser(body) {
-    return await this.userService.create(body);
-  }
-  async loginUser(body) {
-    const { email, password } = body;
-    if (!email || !password) {
-      throw new Error(t2("auth.errors.invalidCredentials"));
-    }
-    const existingPassword = await this.userService.getPassword(email);
-    const { id } = await this.userService.getByEmail(email);
-    await this.userValidator.checkPasswordValid(password, existingPassword);
-    const data = await this.tokenService.generateTokens(id);
-    this.cookieService.setRefreshCookie(data.refreshToken);
-    return data;
-  }
-  async refreshTokens() {
-    const data = await this.tokenService.refreshTokens();
-    this.cookieService.setRefreshCookie(data.refreshToken);
-    return data;
-  }
-  async logoutUser(userId) {
-    await this.userValidator.checkUserExists(userId);
-    await this.tokenService.revokeToken(userId);
-    this.cookieService.clearRefreshCookie();
-    return { data: null, message: t2("auth.success.logout") };
-  }
-  async getUserProfile(userData) {
-    const lang = getCurrentLanguage();
-    return {
-      ...userData,
-      language: lang
-    };
-  }
-  async forgotPassword(email) {
-  }
-};
-AuthService = __decorateClass([
-  Injectable4()
-], AuthService);
+import { t as t6 } from "najm-api";
+import { Injectable as Injectable9, getCurrentLanguage as getCurrentLanguage2 } from "najm-api";
+// src/database/schema/index.ts
+import { pgTable, text, boolean, timestamp } from "drizzle-orm/pg-core";
+import { nanoid } from "nanoid";
+import { sql } from "drizzle-orm";
 // src/lib/ENUMS.ts
 var ENUMS = {
@@ -509,128 +312,374 @@ var ENUMS = {
     translationKey: "parents.maritalStatus"
   }
 };
-var getEnumConfig = (enumKey) => ENUMS[enumKey];
-var getEnumValues = (enumKey) => ENUMS[enumKey]?.values || [];
-// src/lib/validations.ts
-import { z as z2 } from "zod";
+var getEnumConfig = /* @__PURE__ */ __name((enumKey) => ENUMS[enumKey], "getEnumConfig");
+var getEnumValues = /* @__PURE__ */ __name((enumKey) => ENUMS[enumKey]?.values || [], "getEnumValues");
-// src/lib/ZodEnum.ts
-import { z } from "zod";
-var createZodEnum = (enumKey) => {
-  const values = ENUMS[enumKey]?.values;
-  if (!values) throw new Error(`Enum ${enumKey} not found`);
-  return z.enum(values);
-};
-var userTypeEnum = createZodEnum("userType");
-var userStatusEnum = createZodEnum("userStatus");
-var tokenStatusEnum = createZodEnum("tokenStatus");
-var tokenTypeEnum = createZodEnum("tokenType");
-var fileStatusEnum = createZodEnum("fileStatus");
-var genderEnum = createZodEnum("gender");
-var studentStatusEnum = createZodEnum("studentStatus");
-var teacherStatusEnum = createZodEnum("teacherStatus");
-var employmentTypeEnum = createZodEnum("employmentType");
-var relationshipTypeEnum = createZodEnum("relationshipType");
-var semesterEnum = createZodEnum("semester");
-var classStatusEnum = createZodEnum("classStatus");
-var sectionStatusEnum = createZodEnum("sectionStatus");
-var languageEnum = createZodEnum("language");
-var enrollmentStatusEnum = createZodEnum("enrollmentStatus");
-var assignmentStatusEnum = createZodEnum("assignmentStatus");
-var calendarSystemEnum = createZodEnum("calendarSystem");
-var assessmentTypeEnum = createZodEnum("assessmentType");
-var assessmentStatusEnum = createZodEnum("assessmentStatus");
-var submissionTypeEnum = createZodEnum("submissionType");
-var examTypeEnum = createZodEnum("examType");
-var examSecurityEnum = createZodEnum("examSecurity");
-var examStatusEnum = createZodEnum("examStatus");
-var gradeStatusEnum = createZodEnum("gradeStatus");
-var attendanceStatusEnum = createZodEnum("attendanceStatus");
-var proficiencyLevelEnum = createZodEnum("proficiencyLevel");
-var dayOfWeekEnum = createZodEnum("dayOfWeek");
-var alertTypeEnum = createZodEnum("alertType");
-var alertPriorityEnum = createZodEnum("alertPriority");
-var alertStatusEnum = createZodEnum("alertStatus");
-var feeTypeStatusEnum = createZodEnum("feeTypeStatus");
-var paymentTypeEnum = createZodEnum("paymentType");
-var scheduleEnum = createZodEnum("schedule");
-var feeStatusEnum = createZodEnum("feeStatus");
-var feeInstallmentStatusEnum = createZodEnum("feeInstallmentStatus");
-var paymentMethodEnum = createZodEnum("paymentMethod");
-var paymentStatusEnum = createZodEnum("paymentStatus");
-var eventTypeEnum = createZodEnum("eventType");
-var eventStatusEnum = createZodEnum("eventStatus");
-var eventVisibilityEnum = createZodEnum("eventVisibility");
-var participantTypeEnum = createZodEnum("participantType");
-var expenseCategoryEnum = createZodEnum("expenseCategory");
-var expenseStatusEnum = createZodEnum("expenseStatus");
-var trackerModeEnum = createZodEnum("trackerMode");
-var driverStatusEnum = createZodEnum("driverStatus");
-var vehicleStatusEnum = createZodEnum("vehicleStatus");
-var vehicleTypeEnum = createZodEnum("vehicleType");
-var vehicleDocumentTypeEnum = createZodEnum("vehicleDocumentType");
-var busStatusEnum = createZodEnum("busStatus");
-var refuelStatusEnum = createZodEnum("refuelStatus");
-var fuelTypeEnum = createZodEnum("fuelType");
-var maintenanceTypeEnum = createZodEnum("maintenanceType");
-var maintenanceStatusEnum = createZodEnum("maintenanceStatus");
-var maritalStatusEnum = createZodEnum("maritalStatus");
+// src/database/schema/PgEnum.ts
+import { pgEnum } from "drizzle-orm/pg-core";
+var createPgEnum = /* @__PURE__ */ __name((enumKey) => {
+  const config = getEnumConfig(enumKey);
+  if (!config)
+    throw new Error(`Enum ${enumKey} not found`);
+  const enumName = config.name || enumKey;
+  return pgEnum(enumName, config.values);
+}, "createPgEnum");
+var userStatusEnum = createPgEnum("userStatus");
+var tokenStatusEnum = createPgEnum("tokenStatus");
+var tokenTypeEnum = createPgEnum("tokenType");
+var studentStatusEnum = createPgEnum("studentStatus");
-// src/lib/validations.ts
-var requiredId = z2.preprocess((val) => val ?? "", z2.string().min(1, "ID is required"));
-var optionalId = z2.string().min(1, "ID cannot be empty").nullish().optional();
-var emailField = z2.string().email("Invalid email format").or(z2.literal(""));
-var phoneField = z2.string().regex(/^[\+]?[1-9][\d]{0,15}$/, "Invalid phone number");
-var nameField = z2.string().min(2, "Name must be at least 2 characters").max(100, "Name too long");
-var dateField = z2.string().regex(/^(\d{4}-\d{2}-\d{2}|\d{2}\/\d{2}\/\d{4}|\d{2}-\d{2}-\d{2}|\d{2}-\d{2}-\d{4})$/, "Date must be in YYYY-MM-DD, MM/DD/YYYY, DD/MM/YYYY, DD-MM-YY, or DD-MM-YYYY format");
-var optionalDateField = z2.string().regex(/^\d{4}-\d{2}-\d{2}$/, "Date must be in YYYY-MM-DD format").nullable().optional();
-var timeField = z2.string().regex(/^([01]?[0-9]|2[0-3]):[0-5][0-9]$/, "Time must be in HH:MM format").optional().nullable();
-var cinField = z2.string().min(8, "CIN must be at least 8 characters").max(20, "CIN too long");
-var addressField = z2.string().max(500, "Address too long").optional();
-var academicYearField = z2.string().min(9, "Academic year is required").regex(/^\d{4}-\d{4}$/, "Academic year must be in YYYY-YYYY format");
-var num = () => {
-  const createChainable = (currentSchema) => {
-    const methods = {
-      positive: (msg = "Must be positive") => createChainable(currentSchema.refine((val) => val > 0, { message: msg })),
-      min: (value, msg) => createChainable(currentSchema.refine(
-        (val) => val >= value,
-        { message: msg || `Must be at least ${value}` }
-      )),
-      max: (value, msg) => createChainable(currentSchema.refine(
-        (val) => val <= value,
-        { message: msg || `Cannot exceed ${value}` }
-      )),
-      int: (msg = "Must be an integer") => createChainable(currentSchema.refine(
-        (val) => Number.isInteger(val),
-        { message: msg }
-      ))
-    };
-    return Object.assign(currentSchema, methods);
-  };
-  const isValidNumber = (val) => {
-    if (val === null || val === void 0 || Number.isNaN(val)) return false;
-    if (typeof val === "number") return true;
-    if (typeof val === "string") {
-      const trimmed = val.trim();
-      return trimmed !== "" && !isNaN(Number(trimmed));
-    }
-    return false;
-  };
-  const baseSchema = z2.any().refine(isValidNumber, { message: "Must be a valid number" }).transform((val) => typeof val === "string" ? Number(val) : val);
-  return createChainable(baseSchema);
+// src/database/schema/index.ts
+var timestamps = {
+  createdAt: timestamp("created_at", { mode: "string" }).defaultNow(),
+  updatedAt: timestamp("updated_at", { mode: "string" }).defaultNow().$onUpdate(() => sql`CURRENT_TIMESTAMP`)
 };
-var userSchema = z2.object({
-  id: optionalId,
-  username: nameField.max(50).optional(),
-  email: emailField,
-  password: z2.string().min(8, "Password must be at least 8 characters"),
-  roleId: optionalId,
+var idField = /* @__PURE__ */ __name((length = 5) => text("id").primaryKey().notNull().$defaultFn(() => nanoid(length)), "idField");
+var rolesTable = pgTable("roles", {
+  id: idField(),
+  name: text("name").notNull(),
+  description: text("description")
+});
+var usersTable = pgTable("users", {
+  id: idField(8),
+  email: text("email").notNull().unique(),
+  emailVerified: boolean("email_verified").default(false),
+  password: text("password").notNull(),
+  image: text("image").default("noavatar.png"),
+  status: userStatusEnum("status").default("pending"),
+  roleId: text("role_id").references(() => rolesTable.id),
+  lastLogin: timestamp("last_login", { mode: "string" }),
+  ...timestamps
+});
+var tokensTable = pgTable("tokens", {
+  id: idField(10),
+  userId: text("user_id").references(() => usersTable.id, { onDelete: "cascade" }).unique().notNull(),
+  token: text("token").notNull(),
+  type: tokenTypeEnum("type").default("refresh"),
+  status: tokenStatusEnum("status").default("active"),
+  expiresAt: timestamp("expires_at", { mode: "string" }).notNull(),
+  ...timestamps
+});
+var permissionsTable = pgTable("permissions", {
+  id: idField(),
+  name: text("name").notNull().unique(),
+  description: text("description"),
+  resource: text("resource").notNull(),
+  action: text("action").notNull(),
+  ...timestamps
+});
+var rolePermissionsTable = pgTable("role_permissions", {
+  id: idField(),
+  roleId: text("role_id").references(() => rolesTable.id).notNull(),
+  permissionId: text("permission_id").references(() => permissionsTable.id).notNull(),
+  ...timestamps
+});
+// src/users/UserRepository.ts
+import { eq, ne } from "drizzle-orm";
+import { Repository } from "najm-api";
+var __decorate3 = function(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var _a3;
+var UserRepository = (_a3 = class {
+  getUser() {
+    return {
+      id: usersTable.id,
+      email: usersTable.email,
+      emailVerified: usersTable.emailVerified,
+      image: usersTable.image,
+      status: usersTable.status,
+      roleId: usersTable.roleId,
+      role: rolesTable.name,
+      createdAt: usersTable.createdAt,
+      updatedAt: usersTable.updatedAt
+    };
+  }
+  async getAll() {
+    const allUsers = await this.db.select(this.getUser()).from(usersTable).leftJoin(rolesTable, eq(usersTable.roleId, rolesTable.id));
+    return Promise.all(allUsers.map(async (user) => ({
+      ...user,
+      permissions: await this.getUserPermissions(user.id)
+    })));
+  }
+  async getById(id) {
+    const [user] = await this.db.select(this.getUser()).from(usersTable).leftJoin(rolesTable, eq(usersTable.roleId, rolesTable.id)).where(eq(usersTable.id, id)).limit(1);
+    if (!user)
+      return user;
+    return {
+      ...user,
+      permissions: await this.getUserPermissions(user.id)
+    };
+  }
+  async getByEmail(email) {
+    const [existingUser] = await this.db.select(this.getUser()).from(usersTable).leftJoin(rolesTable, eq(usersTable.roleId, rolesTable.id)).where(eq(usersTable.email, email));
+    return existingUser;
+  }
+  async create(data) {
+    const [newUser] = await this.db.insert(usersTable).values(data).returning();
+    return newUser;
+  }
+  async update(id, data) {
+    const [updatedUser] = await this.db.update(usersTable).set(data).where(eq(usersTable.id, id)).returning();
+    return updatedUser;
+  }
+  async delete(id) {
+    const [deletedUser] = await this.db.delete(usersTable).where(eq(usersTable.id, id)).returning();
+    return deletedUser;
+  }
+  async deleteAll() {
+    const adminRole = await this.db.select({ id: rolesTable.id }).from(rolesTable).where(eq(rolesTable.name, "admin")).limit(1);
+    if (adminRole.length === 0) {
+      const deletedUsers2 = await this.db.delete(usersTable).returning();
+      return deletedUsers2;
+    }
+    const deletedUsers = await this.db.delete(usersTable).where(ne(usersTable.roleId, adminRole[0].id)).returning();
+    return deletedUsers;
+  }
+  async getRoleNameById(userId) {
+    const [role] = await this.db.select({
+      roleName: rolesTable.name
+    }).from(usersTable).leftJoin(rolesTable, eq(usersTable.roleId, rolesTable.id)).where(eq(usersTable.id, userId));
+    return role.roleName;
+  }
+  async getUserPassword(email) {
+    const [user] = await this.db.select({
+      id: usersTable.id,
+      email: usersTable.email,
+      password: usersTable.password
+    }).from(usersTable).where(eq(usersTable.email, email)).limit(1);
+    return user.password;
+  }
+  async getUserPermissions(userId) {
+    const [user] = await this.db.select({ roleId: usersTable.roleId }).from(usersTable).where(eq(usersTable.id, userId)).limit(1);
+    if (!user || !user.roleId)
+      return [];
+    const userPermissions = await this.db.select({
+      name: permissionsTable.name
+    }).from(rolePermissionsTable).leftJoin(permissionsTable, eq(rolePermissionsTable.permissionId, permissionsTable.id)).where(eq(rolePermissionsTable.roleId, user.roleId));
+    return userPermissions.map((p) => p.name).filter((name) => name);
+  }
+}, __name(_a3, "UserRepository"), _a3);
+UserRepository = __decorate3([
+  Repository()
+], UserRepository);
+// src/users/UserValidator.ts
+import { Injectable as Injectable3, t } from "najm-api";
+// src/shared/index.ts
+import * as fs from "fs/promises";
+import * as path from "path";
+import _isEmpty from "lodash.isempty";
+var avatarsPath = path.join(process.cwd(), "avatars");
+var parseSchema = /* @__PURE__ */ __name(async (schema, data) => {
+  try {
+    return await schema.parseAsync(data);
+  } catch (error) {
+    const errors = error.issues || error.errors || [];
+    const errorMessage = errors.map((err) => `${err.path.join(".")}: ${err.message}`).join("; ");
+    throw new Error(errorMessage);
+  }
+}, "parseSchema");
+var clean = /* @__PURE__ */ __name((obj) => {
+  const cleaned = {};
+  for (const [key, value] of Object.entries(obj)) {
+    if (value !== null && value !== void 0 && value !== "") {
+      cleaned[key] = value;
+    }
+  }
+  return cleaned;
+}, "clean");
+var getAvatarFile = /* @__PURE__ */ __name(async (fileName) => {
+  try {
+    const filePath = path.join(avatarsPath, fileName);
+    const buffer = await fs.readFile(filePath);
+    const file = new File([buffer], fileName, {
+      type: "image/png"
+    });
+    return file;
+  } catch (error) {
+    return null;
+  }
+}, "getAvatarFile");
+var formatDate = /* @__PURE__ */ __name((dateValue) => {
+  if (!dateValue)
+    return null;
+  let date;
+  if (dateValue instanceof Date) {
+    date = dateValue;
+  } else if (typeof dateValue === "string") {
+    date = new Date(dateValue);
+  } else {
+    return null;
+  }
+  if (isNaN(date.getTime()))
+    return null;
+  return date.toISOString().split("T")[0];
+}, "formatDate");
+function calculateAge(dateOfBirth) {
+  if (!dateOfBirth)
+    return null;
+  const formattedDate = formatDate(dateOfBirth);
+  if (!formattedDate)
+    return null;
+  const birth = new Date(formattedDate);
+  const today = /* @__PURE__ */ new Date();
+  let age = today.getFullYear() - birth.getFullYear();
+  const monthDiff = today.getMonth() - birth.getMonth();
+  if (monthDiff < 0 || monthDiff === 0 && today.getDate() < birth.getDate()) {
+    age--;
+  }
+  return age;
+}
+__name(calculateAge, "calculateAge");
+function calculateYearsOfExperience(hireDate) {
+  if (!hireDate)
+    return null;
+  const formattedDate = formatDate(hireDate);
+  if (!formattedDate)
+    return null;
+  const hire = new Date(formattedDate);
+  const today = /* @__PURE__ */ new Date();
+  let years = today.getFullYear() - hire.getFullYear();
+  const monthDiff = today.getMonth() - hire.getMonth();
+  if (monthDiff < 0 || monthDiff === 0 && today.getDate() < hire.getDate()) {
+    years--;
+  }
+  return years;
+}
+__name(calculateYearsOfExperience, "calculateYearsOfExperience");
+function pickProps(source, keys) {
+  const result = {};
+  for (const key of keys) {
+    if (source[key] !== void 0) {
+      result[key] = source[key];
+    }
+  }
+  return result;
+}
+__name(pickProps, "pickProps");
+var isEmpty = _isEmpty;
+var isPath = /* @__PURE__ */ __name((img) => typeof img === "string" && img.trim().length > 0 && (img.startsWith("/") || img.startsWith("http") || img.startsWith("storage/")), "isPath");
+var isFile = /* @__PURE__ */ __name((img) => !!img && typeof img !== "string" && img instanceof File, "isFile");
+// src/lib/validations.ts
+import { z as z2 } from "zod";
+// src/lib/ZodEnum.ts
+import { z } from "zod";
+var createZodEnum = /* @__PURE__ */ __name((enumKey) => {
+  const values = ENUMS[enumKey]?.values;
+  if (!values)
+    throw new Error(`Enum ${enumKey} not found`);
+  return z.enum(values);
+}, "createZodEnum");
+var userTypeEnum = createZodEnum("userType");
+var userStatusEnum2 = createZodEnum("userStatus");
+var tokenStatusEnum2 = createZodEnum("tokenStatus");
+var tokenTypeEnum2 = createZodEnum("tokenType");
+var fileStatusEnum = createZodEnum("fileStatus");
+var genderEnum = createZodEnum("gender");
+var studentStatusEnum2 = createZodEnum("studentStatus");
+var teacherStatusEnum = createZodEnum("teacherStatus");
+var employmentTypeEnum = createZodEnum("employmentType");
+var relationshipTypeEnum = createZodEnum("relationshipType");
+var semesterEnum = createZodEnum("semester");
+var classStatusEnum = createZodEnum("classStatus");
+var sectionStatusEnum = createZodEnum("sectionStatus");
+var languageEnum = createZodEnum("language");
+var enrollmentStatusEnum = createZodEnum("enrollmentStatus");
+var assignmentStatusEnum = createZodEnum("assignmentStatus");
+var calendarSystemEnum = createZodEnum("calendarSystem");
+var assessmentTypeEnum = createZodEnum("assessmentType");
+var assessmentStatusEnum = createZodEnum("assessmentStatus");
+var submissionTypeEnum = createZodEnum("submissionType");
+var examTypeEnum = createZodEnum("examType");
+var examSecurityEnum = createZodEnum("examSecurity");
+var examStatusEnum = createZodEnum("examStatus");
+var gradeStatusEnum = createZodEnum("gradeStatus");
+var attendanceStatusEnum = createZodEnum("attendanceStatus");
+var proficiencyLevelEnum = createZodEnum("proficiencyLevel");
+var dayOfWeekEnum = createZodEnum("dayOfWeek");
+var alertTypeEnum = createZodEnum("alertType");
+var alertPriorityEnum = createZodEnum("alertPriority");
+var alertStatusEnum = createZodEnum("alertStatus");
+var feeTypeStatusEnum = createZodEnum("feeTypeStatus");
+var paymentTypeEnum = createZodEnum("paymentType");
+var scheduleEnum = createZodEnum("schedule");
+var feeStatusEnum = createZodEnum("feeStatus");
+var feeInstallmentStatusEnum = createZodEnum("feeInstallmentStatus");
+var paymentMethodEnum = createZodEnum("paymentMethod");
+var paymentStatusEnum = createZodEnum("paymentStatus");
+var eventTypeEnum = createZodEnum("eventType");
+var eventStatusEnum = createZodEnum("eventStatus");
+var eventVisibilityEnum = createZodEnum("eventVisibility");
+var participantTypeEnum = createZodEnum("participantType");
+var expenseCategoryEnum = createZodEnum("expenseCategory");
+var expenseStatusEnum = createZodEnum("expenseStatus");
+var trackerModeEnum = createZodEnum("trackerMode");
+var driverStatusEnum = createZodEnum("driverStatus");
+var vehicleStatusEnum = createZodEnum("vehicleStatus");
+var vehicleTypeEnum = createZodEnum("vehicleType");
+var vehicleDocumentTypeEnum = createZodEnum("vehicleDocumentType");
+var busStatusEnum = createZodEnum("busStatus");
+var refuelStatusEnum = createZodEnum("refuelStatus");
+var fuelTypeEnum = createZodEnum("fuelType");
+var maintenanceTypeEnum = createZodEnum("maintenanceType");
+var maintenanceStatusEnum = createZodEnum("maintenanceStatus");
+var maritalStatusEnum = createZodEnum("maritalStatus");
+// src/lib/validations.ts
+var requiredId = z2.preprocess((val) => val ?? "", z2.string().min(1, "ID is required"));
+var optionalId = z2.string().min(1, "ID cannot be empty").nullish().optional();
+var emailField = z2.string().email("Invalid email format").or(z2.literal(""));
+var phoneField = z2.string().regex(/^[\+]?[1-9][\d]{0,15}$/, "Invalid phone number");
+var nameField = z2.string().min(2, "Name must be at least 2 characters").max(100, "Name too long");
+var dateField = z2.string().regex(/^(\d{4}-\d{2}-\d{2}|\d{2}\/\d{2}\/\d{4}|\d{2}-\d{2}-\d{2}|\d{2}-\d{2}-\d{4})$/, "Date must be in YYYY-MM-DD, MM/DD/YYYY, DD/MM/YYYY, DD-MM-YY, or DD-MM-YYYY format");
+var optionalDateField = z2.string().regex(/^\d{4}-\d{2}-\d{2}$/, "Date must be in YYYY-MM-DD format").nullable().optional();
+var timeField = z2.string().regex(/^([01]?[0-9]|2[0-3]):[0-5][0-9]$/, "Time must be in HH:MM format").optional().nullable();
+var cinField = z2.string().min(8, "CIN must be at least 8 characters").max(20, "CIN too long");
+var addressField = z2.string().max(500, "Address too long").optional();
+var academicYearField = z2.string().min(9, "Academic year is required").regex(/^\d{4}-\d{4}$/, "Academic year must be in YYYY-YYYY format");
+var num = /* @__PURE__ */ __name(() => {
+  const createChainable = /* @__PURE__ */ __name((currentSchema) => {
+    const methods = {
+      positive: /* @__PURE__ */ __name((msg = "Must be positive") => createChainable(currentSchema.refine((val) => val > 0, { message: msg })), "positive"),
+      min: /* @__PURE__ */ __name((value, msg) => createChainable(currentSchema.refine((val) => val >= value, { message: msg || `Must be at least ${value}` })), "min"),
+      max: /* @__PURE__ */ __name((value, msg) => createChainable(currentSchema.refine((val) => val <= value, { message: msg || `Cannot exceed ${value}` })), "max"),
+      int: /* @__PURE__ */ __name((msg = "Must be an integer") => createChainable(currentSchema.refine((val) => Number.isInteger(val), { message: msg })), "int")
+    };
+    return Object.assign(currentSchema, methods);
+  }, "createChainable");
+  const isValidNumber = /* @__PURE__ */ __name((val) => {
+    if (val === null || val === void 0 || Number.isNaN(val))
+      return false;
+    if (typeof val === "number")
+      return true;
+    if (typeof val === "string") {
+      const trimmed = val.trim();
+      return trimmed !== "" && !isNaN(Number(trimmed));
+    }
+    return false;
+  }, "isValidNumber");
+  const baseSchema = z2.any().refine(isValidNumber, { message: "Must be a valid number" }).transform((val) => typeof val === "string" ? Number(val) : val);
+  return createChainable(baseSchema);
+}, "num");
+var userSchema = z2.object({
+  id: optionalId,
+  username: nameField.max(50).optional(),
+  email: emailField,
+  password: z2.string().min(8, "Password must be at least 8 characters"),
+  roleId: optionalId,
   roleName: nameField.max(50).optional(),
   lastLogin: optionalDateField,
   image: z2.union([z2.string(), z2.instanceof(File), z2.undefined()]).optional(),
   emailVerified: z2.boolean().default(false),
-  status: userStatusEnum,
+  status: userStatusEnum2,
   createdAt: optionalDateField
 });
 var roleSchema = z2.object({
@@ -654,7 +703,7 @@ var studentSchema = z2.object({
   medicalConditions: z2.string().max(1e3, "Medical conditions description too long").nullish().optional(),
   previousSchool: z2.string().max(500, "Previous school name too long").optional().nullable(),
   image: z2.union([z2.string(), z2.instanceof(File), z2.null()]).optional(),
-  status: studentStatusEnum.default("active")
+  status: studentStatusEnum2.default("active")
 });
 var parentSchema = z2.object({
   id: optionalId,
@@ -1075,648 +1124,612 @@ var dateRangeSchema = z2.object({
   dateTo: dateField
 });
-// src/database/schema/index.ts
-import { pgTable, text, boolean, timestamp } from "drizzle-orm/pg-core";
-import { nanoid } from "nanoid";
-import { sql } from "drizzle-orm";
-// src/database/schema/PgEnum.ts
-import { pgEnum } from "drizzle-orm/pg-core";
-var createPgEnum = (enumKey) => {
-  const config = getEnumConfig(enumKey);
-  if (!config) throw new Error(`Enum ${enumKey} not found`);
-  const enumName = config.name || enumKey;
-  return pgEnum(enumName, config.values);
+// src/users/UserValidator.ts
+var __decorate4 = function(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
 };
-var userStatusEnum2 = createPgEnum("userStatus");
-var tokenStatusEnum2 = createPgEnum("tokenStatus");
-var tokenTypeEnum2 = createPgEnum("tokenType");
-var studentStatusEnum2 = createPgEnum("studentStatus");
-// src/database/schema/index.ts
-var timestamps = {
-  createdAt: timestamp("created_at", { mode: "string" }).defaultNow(),
-  updatedAt: timestamp("updated_at", { mode: "string" }).defaultNow().$onUpdate(() => sql`CURRENT_TIMESTAMP`)
+var __metadata2 = function(k, v) {
+  if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 };
-var idField = (length = 5) => text("id").primaryKey().notNull().$defaultFn(() => nanoid(length));
-var rolesTable = pgTable("roles", {
-  id: idField(),
-  name: text("name").notNull(),
-  description: text("description")
-});
-var usersTable = pgTable("users", {
-  id: idField(8),
-  email: text("email").notNull().unique(),
-  emailVerified: boolean("email_verified").default(false),
-  password: text("password").notNull(),
-  image: text("image").default("noavatar.png"),
-  status: userStatusEnum2("status").default("pending"),
-  roleId: text("role_id").references(() => rolesTable.id),
-  lastLogin: timestamp("last_login", { mode: "string" }),
-  ...timestamps
-});
-var tokensTable = pgTable("tokens", {
-  id: idField(10),
-  userId: text("user_id").references(() => usersTable.id, { onDelete: "cascade" }).unique().notNull(),
-  token: text("token").notNull(),
-  type: tokenTypeEnum2("type").default("refresh"),
-  status: tokenStatusEnum2("status").default("active"),
-  expiresAt: timestamp("expires_at", { mode: "string" }).notNull(),
-  ...timestamps
-});
-var permissionsTable = pgTable("permissions", {
-  id: idField(),
-  name: text("name").notNull().unique(),
-  description: text("description"),
-  resource: text("resource").notNull(),
-  action: text("action").notNull(),
-  ...timestamps
-});
-var rolePermissionsTable = pgTable("role_permissions", {
-  id: idField(),
-  roleId: text("role_id").references(() => rolesTable.id).notNull(),
-  permissionId: text("permission_id").references(() => permissionsTable.id).notNull(),
-  ...timestamps
-});
-// src/permissions/PermissionRepository.ts
-import { eq, and } from "drizzle-orm";
-import { Repository } from "najm-api";
-var PermissionRepository = class {
-  async getAll() {
-    return await this.db.select().from(permissionsTable);
-  }
-  async getById(id) {
-    const [existingPermission] = await this.db.select().from(permissionsTable).where(eq(permissionsTable.id, id));
-    return existingPermission;
-  }
-  async getByName(name) {
-    const [existingPermission] = await this.db.select().from(permissionsTable).where(eq(permissionsTable.name, name));
-    return existingPermission;
-  }
-  async create(data) {
-    const [newPermission] = await this.db.insert(permissionsTable).values(data).returning();
-    return newPermission;
-  }
-  async update(id, data) {
-    const [updatedPermission] = await this.db.update(permissionsTable).set(data).where(eq(permissionsTable.id, id)).returning();
-    return updatedPermission;
-  }
-  async delete(id) {
-    const [deletedPermission] = await this.db.delete(permissionsTable).where(eq(permissionsTable.id, id)).returning();
-    return deletedPermission;
-  }
-  async getPermissionsByRole(roleId) {
-    return await this.db.select({
-      id: permissionsTable.id,
-      name: permissionsTable.name,
-      description: permissionsTable.description,
-      resource: permissionsTable.resource,
-      action: permissionsTable.action
-    }).from(rolePermissionsTable).leftJoin(permissionsTable, eq(rolePermissionsTable.permissionId, permissionsTable.id)).where(eq(rolePermissionsTable.roleId, roleId));
-  }
-  async getRolesByPermission(permissionId) {
-    return await this.db.select({
-      id: rolesTable.id,
-      name: rolesTable.name,
-      description: rolesTable.description
-    }).from(rolePermissionsTable).leftJoin(rolesTable, eq(rolePermissionsTable.roleId, rolesTable.id)).where(eq(rolePermissionsTable.permissionId, permissionId));
+var _a4;
+var _b;
+var _a5;
+var UserValidator = (_a5 = class {
+  constructor(userRepository, encryptionService) {
+    this.userRepository = userRepository;
+    this.encryptionService = encryptionService;
   }
-  async assignPermissionToRole(roleId, permissionId) {
-    const [newRolePermission] = await this.db.insert(rolePermissionsTable).values({ roleId, permissionId }).returning();
-    return newRolePermission;
+  async validateCreateUser(data) {
+    return parseSchema(userSchema, data);
   }
-  async removePermissionFromRole(roleId, permissionId) {
-    const [deletedRolePermission] = await this.db.delete(rolePermissionsTable).where(and(eq(rolePermissionsTable.roleId, roleId), eq(rolePermissionsTable.permissionId, permissionId))).returning();
-    return deletedRolePermission;
+  async isEmailExists(email) {
+    const existingUser = await this.userRepository.getByEmail(email);
+    return !!existingUser;
   }
-  async checkRoleHasPermission(roleId, permissionId) {
-    const [rolePermission] = await this.db.select().from(rolePermissionsTable).where(and(eq(rolePermissionsTable.roleId, roleId), eq(rolePermissionsTable.permissionId, permissionId)));
-    return !!rolePermission;
+  async isPasswordValid(password, hashedPassword) {
+    const isPasswordValid = await this.encryptionService.comparePassword(password, hashedPassword);
+    return !!isPasswordValid;
   }
-  async deleteAll() {
-    await this.db.delete(rolePermissionsTable);
-    const deletedPermissions = await this.db.delete(permissionsTable).returning();
-    return deletedPermissions;
+  async isUserExist(id) {
+    const existingUser = await this.userRepository.getById(id);
+    return !!existingUser;
   }
-};
-PermissionRepository = __decorateClass([
-  Repository()
-], PermissionRepository);
-// src/permissions/PermissionGuards.ts
-import { createGuard as createGuard2, Injectable as Injectable5, GuardParams as GuardParams2, Headers as Headers2, Ctx as Ctx2 } from "najm-api";
-var PermissionGuards = class {
-  constructor(tokenService) {
-    this.tokenService = tokenService;
+  async checkUserIdIsUnique(id) {
+    if (!id)
+      return;
+    const existingUser = await this.userRepository.getById(id);
+    if (existingUser) {
+      throw new Error(t("users.errors.idExists"));
+    }
   }
-  async getUserPermissions(auth) {
-    const permissions = await this.tokenService.getUserPermissions(auth);
-    if (!permissions || !Array.isArray(permissions)) return null;
-    return permissions;
+  async isCorrectPass(password) {
+    return password && typeof password === "string" && password.trim().length > 0;
   }
-  checkPermissionMatch(permissions, requiredPermission) {
-    if (permissions.includes(requiredPermission)) {
-      return true;
-    }
-    const [requiredAction, requiredResource] = requiredPermission.split(":");
-    if (requiredAction && requiredResource) {
-      if (permissions.includes(`${requiredAction}:*`)) {
-        return true;
-      }
-      if (permissions.includes(`*:${requiredResource}`)) {
-        return true;
-      }
+  async hasRole(userId, roles) {
+    const roleName = await this.userRepository.getRoleNameById(userId);
+    if (!roleName) {
+      throw Error(t("auth.errors.accessDenied"));
     }
-    if (permissions.includes("*:*")) {
-      return true;
+    const hasRole = roles.some((item) => roleName.toLowerCase() === item.toLowerCase());
+    if (!hasRole) {
+      throw Error(t("auth.errors.accessDenied"));
     }
-    return false;
-  }
-  async hasPermission(auth, ctx, requiredPermission) {
-    await this.tokenService.storeUserInCache(auth, ctx);
-    const permissions = await this.getUserPermissions(auth);
-    if (!permissions) return false;
-    const check = this.checkPermissionMatch(permissions, requiredPermission);
-    return check;
-  }
-};
-__decorateClass([
-  __decorateParam(0, Headers2("authorization")),
-  __decorateParam(1, Ctx2()),
-  __decorateParam(2, GuardParams2())
-], PermissionGuards.prototype, "hasPermission", 1);
-PermissionGuards = __decorateClass([
-  Injectable5()
-], PermissionGuards);
-var Permission = (...permissions) => createGuard2(PermissionGuards, "hasPermission")(...permissions);
-// src/permissions/PermissionController.ts
-import { Controller as Controller2, Get as Get2, Post as Post2, Put, Delete, Params as Params2, Body as Body2, t as t3 } from "najm-api";
-var PermissionController = class {
-  constructor(permissionService) {
-    this.permissionService = permissionService;
-  }
-  async getPermissions() {
-    const permissions = await this.permissionService.getAll();
-    return {
-      data: permissions,
-      message: t3("permissions.success.retrieved"),
-      status: "success"
-    };
-  }
-  async getPermission(id) {
-    const permission = await this.permissionService.getById(id);
-    return {
-      data: permission,
-      message: t3("permissions.success.retrieved"),
-      status: "success"
-    };
-  }
-  async create(body) {
-    const newPermission = await this.permissionService.create(body);
-    return {
-      data: newPermission,
-      message: t3("permissions.success.created"),
-      status: "success"
-    };
-  }
-  async update(id, body) {
-    const updatedPermission = await this.permissionService.update(id, body);
-    return {
-      data: updatedPermission,
-      message: t3("permissions.success.updated"),
-      status: "success"
-    };
-  }
-  async delete(id) {
-    const result = await this.permissionService.delete(id);
-    return {
-      data: result,
-      message: t3("permissions.success.deleted"),
-      status: "success"
-    };
-  }
-  async getByRole(roleId) {
-    const permissions = await this.permissionService.getPermissionsByRole(roleId);
-    return {
-      data: permissions,
-      message: t3("permissions.success.retrieved"),
-      status: "success"
-    };
+    return true;
   }
-  async getRolesByPermission(permissionId) {
-    const roles = await this.permissionService.getRolesByPermission(permissionId);
-    return {
-      data: roles,
-      message: t3("permissions.success.retrieved"),
-      status: "success"
-    };
+  //======================= throw errors
+  async checkUserExistsByEmail(email) {
+    const user = await this.userRepository.getByEmail(email);
+    if (!user) {
+      throw new Error(t("auth.errors.invalidCredentials"));
+    }
+    return user;
   }
-  async assignToRole(roleId, permissionId) {
-    const result = await this.permissionService.assignPermissionToRole(roleId, permissionId);
-    return {
-      data: result,
-      message: t3("permissions.success.assigned"),
-      status: "success"
-    };
+  async checkUserExists(id) {
+    const userExists = await this.isUserExist(id);
+    if (!userExists) {
+      throw new Error(t("users.errors.notFound"));
+    }
+    return userExists;
   }
-  async removeFromRole(roleId, permissionId) {
-    const result = await this.permissionService.removePermissionFromRole(roleId, permissionId);
-    return {
-      data: result,
-      message: t3("permissions.success.removed"),
-      status: "success"
-    };
+  async checkEmailUnique(email, excludeId = null) {
+    if (!email)
+      return;
+    const existingUser = await this.userRepository.getByEmail(email);
+    if (existingUser && existingUser.id !== excludeId) {
+      throw new Error(t("auth.errors.emailExists"));
+    }
   }
-  async deleteAll() {
-    const result = await this.permissionService.deleteAll();
-    return {
-      data: result,
-      message: t3("permissions.success.allDeleted"),
-      status: "success"
-    };
+  async checkEmailExists(email) {
+    const user = await this.userRepository.getByEmail(email);
+    if (!user) {
+      throw new Error(t("users.errors.notFound"));
+    }
+    return user;
   }
-};
-__decorateClass([
-  Get2()
-], PermissionController.prototype, "getPermissions", 1);
-__decorateClass([
-  Get2("/:id"),
-  __decorateParam(0, Params2("id"))
-], PermissionController.prototype, "getPermission", 1);
-__decorateClass([
-  Post2(),
-  __decorateParam(0, Body2())
-], PermissionController.prototype, "create", 1);
-__decorateClass([
-  Put("/:id"),
-  __decorateParam(0, Params2("id")),
-  __decorateParam(1, Body2())
-], PermissionController.prototype, "update", 1);
-__decorateClass([
-  Delete("/:id"),
-  __decorateParam(0, Params2("id"))
-], PermissionController.prototype, "delete", 1);
-__decorateClass([
-  Get2("/role/:roleId"),
-  __decorateParam(0, Params2("roleId"))
-], PermissionController.prototype, "getByRole", 1);
-__decorateClass([
-  Get2("/roles/:permissionId"),
-  __decorateParam(0, Params2("permissionId"))
-], PermissionController.prototype, "getRolesByPermission", 1);
-__decorateClass([
-  Post2("/assign/:roleId/:permissionId"),
-  __decorateParam(0, Params2("roleId")),
-  __decorateParam(1, Params2("permissionId"))
-], PermissionController.prototype, "assignToRole", 1);
-__decorateClass([
-  Delete("/remove/:roleId/:permissionId"),
-  __decorateParam(0, Params2("roleId")),
-  __decorateParam(1, Params2("permissionId"))
-], PermissionController.prototype, "removeFromRole", 1);
-__decorateClass([
-  Delete(),
-  isAdmin()
-], PermissionController.prototype, "deleteAll", 1);
-PermissionController = __decorateClass([
-  Controller2("/permissions"),
-  isAdmin()
-], PermissionController);
-// src/permissions/PermissionService.ts
-import { Injectable as Injectable6 } from "najm-api";
-var PermissionService = class {
-  constructor(permissionRepository, permissionValidator, roleService) {
-    this.permissionRepository = permissionRepository;
-    this.permissionValidator = permissionValidator;
-    this.roleService = roleService;
+  async checkPasswordValid(password, hashedPassword) {
+    const isPasswordValid = await this.isPasswordValid(password, hashedPassword);
+    if (!isPasswordValid) {
+      throw new Error(t("auth.errors.invalidCredentials"));
+    }
   }
+}, __name(_a5, "UserValidator"), _a5);
+UserValidator = __decorate4([
+  Injectable3(),
+  __metadata2("design:paramtypes", [typeof (_a4 = typeof UserRepository !== "undefined" && UserRepository) === "function" ? _a4 : Object, typeof (_b = typeof EncryptionService !== "undefined" && EncryptionService) === "function" ? _b : Object])
+], UserValidator);
+// src/users/UserService.ts
+import { Injectable as Injectable8, setLanguage, getCurrentLanguage, Transactional } from "najm-api";
+// src/roles/RoleRepository.ts
+import { eq as eq2 } from "drizzle-orm";
+import { Repository as Repository2 } from "najm-api";
+var __decorate5 = function(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var _a6;
+var RoleRepository = (_a6 = class {
   async getAll() {
-    return await this.permissionRepository.getAll();
+    return await this.db.select().from(rolesTable);
   }
   async getById(id) {
-    await this.permissionValidator.checkPermissionExists(id);
-    return await this.permissionRepository.getById(id);
+    const [existingRole] = await this.db.select().from(rolesTable).where(eq2(rolesTable.id, id));
+    return existingRole;
   }
   async getByName(name) {
-    return await this.permissionRepository.getByName(name);
-  }
-  async getByResource(resource) {
-    return await this.permissionRepository.getAll().then(
-      (permissions) => permissions.filter((p) => p.resource === resource)
-    );
+    const [existingRole] = await this.db.select().from(rolesTable).where(eq2(rolesTable.name, name));
+    return existingRole;
   }
   async create(data) {
-    await this.permissionValidator.validateCreatePermission(data);
-    await this.permissionValidator.checkPermissionNameUnique(data.name);
-    return await this.permissionRepository.create(data);
+    const [newRole] = await this.db.insert(rolesTable).values(data).returning();
+    return newRole;
   }
   async update(id, data) {
-    await this.permissionValidator.checkPermissionExists(id);
-    await this.permissionValidator.checkPermissionNameUnique(data.name, id);
-    return await this.permissionRepository.update(id, data);
+    const [updatedRole] = await this.db.update(rolesTable).set(data).where(eq2(rolesTable.id, id)).returning();
+    return updatedRole;
   }
   async delete(id) {
-    await this.permissionValidator.checkPermissionExists(id);
-    return await this.permissionRepository.delete(id);
+    const [deletedRole] = await this.db.delete(rolesTable).where(eq2(rolesTable.id, id)).returning();
+    return deletedRole;
   }
-  async getPermissionsByRole(roleId) {
-    return await this.permissionRepository.getPermissionsByRole(roleId);
+}, __name(_a6, "RoleRepository"), _a6);
+RoleRepository = __decorate5([
+  Repository2()
+], RoleRepository);
+// src/roles/RoleValidator.ts
+import { Injectable as Injectable4, t as t2 } from "najm-api";
+var __decorate6 = function(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata3 = function(k, v) {
+  if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var _a7;
+var _a8;
+var RoleValidator = (_a8 = class {
+  constructor(roleRepository) {
+    this.roleRepository = roleRepository;
   }
-  async getRolesByPermission(permissionId) {
-    await this.permissionValidator.checkPermissionExists(permissionId);
-    return await this.permissionRepository.getRolesByPermission(permissionId);
+  async validateCreateRole(data) {
+    return parseSchema(roleSchema, data);
   }
-  async assignPermissionToRole(roleId, permissionId) {
-    await this.permissionValidator.checkRoleHasPermission(roleId, permissionId);
-    return await this.permissionRepository.assignPermissionToRole(roleId, permissionId);
+  async isRoleNameExists(roleName) {
+    const existingRole = await this.roleRepository.getByName(roleName);
+    return !!existingRole;
   }
-  async removePermissionFromRole(roleId, permissionId) {
-    return await this.permissionRepository.removePermissionFromRole(roleId, permissionId);
+  async isRoleIdExists(id) {
+    const existingRole = await this.roleRepository.getById(id);
+    return !!existingRole;
   }
-  async seedDefaultPermissions(defaultPermissions) {
-    const createdPermissions = [];
-    for (const permission of defaultPermissions) {
-      try {
-        const permissionEntity = await this.create(permission);
-        createdPermissions.push(permissionEntity);
-      } catch (error) {
-        continue;
-      }
+  async checkNameUnique(roleName, excludeId = null) {
+    if (!roleName)
+      return;
+    const existingRole = await this.roleRepository.getByName(roleName);
+    if (existingRole && existingRole.id !== excludeId) {
+      throw new Error(t2("roles.errors.exists"));
     }
-    return createdPermissions;
   }
-  async seedDefaultRolePermissions(defaultRolePermissions) {
-    const results = [];
-    for (const { roleName, permissions } of defaultRolePermissions) {
-      try {
-        await this.permissionValidator.checkRoleExistsByName(roleName);
-        const role = await this.roleService.getByName(roleName);
-        for (const permissionName of permissions) {
-          try {
-            await this.permissionValidator.checkPermissionExistsByName(permissionName);
-            const permission = await this.getByName(permissionName);
-            await this.permissionValidator.checkRoleHasPermission(role.id, permission.id);
-            await this.assignPermissionToRole(role.id, permission.id);
-            results.push({ role: roleName, permission: permissionName });
-          } catch (error) {
-            continue;
-          }
-        }
-      } catch (error) {
-        continue;
-      }
+  async checkRoleExists(id) {
+    const roleIdExists = await this.isRoleIdExists(id);
+    if (!roleIdExists) {
+      throw new Error(t2("roles.errors.notFound"));
     }
-    return results;
   }
-  async deleteAll() {
-    return await this.permissionRepository.deleteAll();
+  async checkRoleExistsByName(roleName) {
+    const roleNameExists = await this.isRoleNameExists(roleName);
+    if (!roleNameExists) {
+      throw new Error(t2("roles.errors.notFound"));
+    }
   }
-};
-PermissionService = __decorateClass([
-  Injectable6()
-], PermissionService);
+  async checkAdminRoleExists() {
+    const adminRole = await this.roleRepository.getByName("admin");
+    if (!adminRole) {
+      throw new Error(t2("users.errors.adminRoleNotFound"));
+    }
+    return adminRole;
+  }
+}, __name(_a8, "RoleValidator"), _a8);
+RoleValidator = __decorate6([
+  Injectable4(),
+  __metadata3("design:paramtypes", [typeof (_a7 = typeof RoleRepository !== "undefined" && RoleRepository) === "function" ? _a7 : Object])
+], RoleValidator);
-// src/permissions/PermissionValidator.ts
-import { Injectable as Injectable7, t as t4 } from "najm-api";
+// src/roles/RoleGuards.ts
+import { Injectable as Injectable6, Headers, createGuard, GuardParams, Ctx } from "najm-api";
-// src/shared/index.ts
-import * as fs from "fs/promises";
-import * as path from "path";
-import _isEmpty from "lodash.isempty";
-var avatarsPath = path.join(process.cwd(), "avatars");
-var parseSchema = async (schema, data) => {
-  try {
-    return await schema.parseAsync(data);
-  } catch (error) {
-    const errors = error.issues || error.errors || [];
-    const errorMessage = errors.map((err) => `${err.path.join(".")}: ${err.message}`).join("; ");
-    throw new Error(errorMessage);
-  }
+// src/tokens/TokenRepository.ts
+import { eq as eq3 } from "drizzle-orm";
+import { Repository as Repository3 } from "najm-api";
+var __decorate7 = function(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
 };
-var clean = (obj) => {
-  const cleaned = {};
-  for (const [key, value] of Object.entries(obj)) {
-    if (value !== null && value !== void 0 && value !== "") {
-      cleaned[key] = value;
-    }
+var _a9;
+var TokenRepository = (_a9 = class {
+  async storeRefreshToken(tokenData) {
+    return await this.db.insert(tokensTable).values(tokenData).onConflictDoUpdate({
+      target: tokensTable.userId,
+      set: {
+        token: tokenData.token,
+        expiresAt: tokenData.expiresAt
+      }
+    }).returning();
   }
-  return cleaned;
-};
-var getAvatarFile = async (fileName) => {
-  try {
-    const filePath = path.join(avatarsPath, fileName);
-    const buffer = await fs.readFile(filePath);
-    const file = new File([buffer], fileName, {
-      type: "image/png"
-    });
-    return file;
-  } catch (error) {
-    return null;
+  async getRefreshToken(userId) {
+    const [token] = await this.db.select().from(tokensTable).where(eq3(tokensTable.userId, userId));
+    return token?.token;
   }
-};
-var formatDate = (dateValue) => {
-  if (!dateValue) return null;
-  let date;
-  if (dateValue instanceof Date) {
-    date = dateValue;
-  } else if (typeof dateValue === "string") {
-    date = new Date(dateValue);
-  } else {
-    return null;
+  async revokeToken(userId) {
+    const [deletedToken] = await this.db.delete(tokensTable).where(eq3(tokensTable.userId, userId)).returning();
+    return deletedToken;
   }
-  if (isNaN(date.getTime())) return null;
-  return date.toISOString().split("T")[0];
+  async isUserExists(userId) {
+    const [user] = await this.db.select({ id: usersTable.id }).from(usersTable).where(eq3(usersTable.id, userId)).limit(1);
+    return !!user;
+  }
+  async getRoleNameById(userId) {
+    const [role] = await this.db.select({
+      roleName: rolesTable.name
+    }).from(usersTable).leftJoin(rolesTable, eq3(usersTable.roleId, rolesTable.id)).where(eq3(usersTable.id, userId)).limit(1);
+    return role?.roleName;
+  }
+  async getUserPermissions(userId) {
+    const [user] = await this.db.select({ roleId: usersTable.roleId }).from(usersTable).where(eq3(usersTable.id, userId)).limit(1);
+    if (!user || !user.roleId)
+      return [];
+    const userPermissions = await this.db.select({
+      name: permissionsTable.name
+    }).from(rolePermissionsTable).leftJoin(permissionsTable, eq3(rolePermissionsTable.permissionId, permissionsTable.id)).where(eq3(rolePermissionsTable.roleId, user.roleId));
+    return userPermissions.map((p) => p.name).filter((name) => name);
+  }
+  async getUser(userId) {
+    const [user] = await this.db.select({
+      id: usersTable.id,
+      email: usersTable.email,
+      status: usersTable.status,
+      roleId: usersTable.roleId,
+      roleName: rolesTable.name,
+      createdAt: usersTable.createdAt,
+      updatedAt: usersTable.updatedAt
+    }).from(usersTable).leftJoin(rolesTable, eq3(usersTable.roleId, rolesTable.id)).where(eq3(usersTable.id, userId)).limit(1);
+    return user ? { ...user, role: user.roleName } : null;
+  }
+}, __name(_a9, "TokenRepository"), _a9);
+TokenRepository = __decorate7([
+  Repository3()
+], TokenRepository);
+// src/tokens/TokenService.ts
+import { t as t3 } from "najm-api";
+import { getCookie, Injectable as Injectable5 } from "najm-api";
+import jwt from "jsonwebtoken";
+import { jwtDecode } from "jwt-decode";
+import timestring2 from "timestring";
+var __decorate8 = function(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata4 = function(k, v) {
+  if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
 };
-function calculateAge(dateOfBirth) {
-  if (!dateOfBirth) return null;
-  const formattedDate = formatDate(dateOfBirth);
-  if (!formattedDate) return null;
-  const birth = new Date(formattedDate);
-  const today = /* @__PURE__ */ new Date();
-  let age = today.getFullYear() - birth.getFullYear();
-  const monthDiff = today.getMonth() - birth.getMonth();
-  if (monthDiff < 0 || monthDiff === 0 && today.getDate() < birth.getDate()) {
-    age--;
+var _a10;
+var _a11;
+var TokenService = (_a11 = class {
+  constructor(tokenRepository) {
+    this.tokenRepository = tokenRepository;
+    this.accessSecretKey = process.env.JWT_ACCESS_SECRET;
+    this.accessExpiresIn = process.env.ACCESS_EXPIRES_IN;
+    this.refreshSecretKey = process.env.JWT_REFRESH_SECRET;
+    this.refreshExpiresIn = process.env.REFRESH_EXPIRES_IN;
   }
-  return age;
-}
-function calculateYearsOfExperience(hireDate) {
-  if (!hireDate) return null;
-  const formattedDate = formatDate(hireDate);
-  if (!formattedDate) return null;
-  const hire = new Date(formattedDate);
-  const today = /* @__PURE__ */ new Date();
-  let years = today.getFullYear() - hire.getFullYear();
-  const monthDiff = today.getMonth() - hire.getMonth();
-  if (monthDiff < 0 || monthDiff === 0 && today.getDate() < hire.getDate()) {
-    years--;
+  //==== Validate tokens
+  extractAccessToken(authorization) {
+    if (authorization && authorization.startsWith("Bearer")) {
+      return authorization.split(" ")[1];
+    }
+    throw new Error(t3("auth.errors.tokenMissing"));
   }
-  return years;
-}
-function pickProps(source, keys) {
-  const result = {};
-  for (const key of keys) {
-    if (source[key] !== void 0) {
-      result[key] = source[key];
+  verifyAccessToken(token) {
+    try {
+      return jwt.verify(token, this.accessSecretKey);
+    } catch (error) {
+      throw new Error(t3("auth.errors.tokenVerificationFailed"));
     }
   }
-  return result;
-}
-var isEmpty = _isEmpty;
-var isPath = (img) => typeof img === "string" && img.trim().length > 0 && (img.startsWith("/") || img.startsWith("http") || img.startsWith("storage/"));
-var isFile = (img) => !!img && typeof img !== "string" && img instanceof File;
-// src/permissions/PermissionValidator.ts
-import { z as z3 } from "zod";
-var permissionSchema = z3.object({
-  name: z3.string().min(1, "Permission name is required"),
-  description: z3.string().optional(),
-  resource: z3.string().min(1, "Resource is required"),
-  action: z3.string().min(1, "Action is required")
-});
-var PermissionValidator = class {
-  constructor(permissionRepository, roleValidator) {
-    this.permissionRepository = permissionRepository;
-    this.roleValidator = roleValidator;
+  verifyRefreshToken(token) {
+    try {
+      const decoded = jwt.verify(token, this.refreshSecretKey);
+      return decoded.userId;
+    } catch (error) {
+      throw new Error(t3("auth.errors.tokenVerificationFailed"));
+    }
   }
-  async validateCreatePermission(data) {
-    return parseSchema(permissionSchema, data);
+  async getUserIdByAccessToken(header) {
+    const token = this.extractAccessToken(header);
+    const decodedToken = this.verifyAccessToken(token);
+    const userId = decodedToken.userId;
+    const userExists = await this.tokenRepository.isUserExists(userId);
+    if (!userExists) {
+      throw new Error(t3("users.errors.notFound"));
+    }
+    return userId;
   }
-  async isPermissionExists(id) {
-    const existingPermission = await this.permissionRepository.getById(id);
-    return !!existingPermission;
+  //=== Generate tokens
+  async storeRefreshToken(userId, refreshToken) {
+    const expireInSecond = timestring2(this.refreshExpiresIn, "s");
+    const tokenData = {
+      userId,
+      token: refreshToken,
+      expiresAt: new Date(Date.now() + expireInSecond * 1e3).toISOString()
+    };
+    await this.tokenRepository.storeRefreshToken(tokenData);
   }
-  async isPermissionNameExists(name) {
-    const existingPermission = await this.permissionRepository.getByName(name);
-    return !!existingPermission;
+  getTokenExpire(token) {
+    return jwtDecode(token).exp;
   }
-  //======================= throw errors
-  async checkPermissionExists(id) {
-    const permissionExists = await this.isPermissionExists(id);
-    if (!permissionExists) {
-      throw new Error(t4("permissions.errors.notFound"));
-    }
-    return permissionExists;
+  generateAccessToken(data) {
+    const options = { expiresIn: this.accessExpiresIn };
+    return jwt.sign(data, this.accessSecretKey, options);
   }
-  async checkPermissionExistsByName(name) {
-    const permissionExists = await this.isPermissionNameExists(name);
-    if (!permissionExists) {
-      throw new Error(t4("permissions.errors.notFound"));
-    }
-    return permissionExists;
+  generateRefreshToken(data) {
+    const options = { expiresIn: this.refreshExpiresIn };
+    return jwt.sign(data, this.refreshSecretKey, options);
   }
-  async checkPermissionNameUnique(name, excludeId = null) {
-    if (!name) return;
-    const existingPermission = await this.permissionRepository.getByName(name);
-    if (existingPermission && existingPermission.id !== excludeId) {
-      throw new Error(t4("permissions.errors.nameExists"));
+  async generateTokens(userId) {
+    const tokenData = { userId };
+    const accessToken = await this.generateAccessToken(tokenData);
+    const refreshToken = await this.generateRefreshToken(tokenData);
+    const accessTokenExpiresAt = this.getTokenExpire(accessToken);
+    const refreshTokenExpiresAt = this.getTokenExpire(refreshToken);
+    await this.storeRefreshToken(userId, refreshToken);
+    return {
+      accessToken,
+      refreshToken,
+      accessTokenExpiresAt,
+      refreshTokenExpiresAt
+    };
+  }
+  async refreshTokens() {
+    const newRefreshToken = getCookie("refreshToken");
+    const userId = this.verifyRefreshToken(newRefreshToken);
+    const userExists = await this.tokenRepository.isUserExists(userId);
+    if (!userExists) {
+      throw new Error(t3("users.errors.notFound"));
+    }
+    const storedRefreshToken = await this.tokenRepository.getRefreshToken(userId);
+    if (newRefreshToken != storedRefreshToken) {
+      throw new Error(t3("auth.errors.refreshTokenInvalid"));
     }
+    return await this.generateTokens(userId);
   }
-  async checkRoleExists(id) {
-    return await this.roleValidator.checkRoleExists(id);
+  async revokeToken(userId) {
+    return await this.tokenRepository.revokeToken(userId);
   }
-  async checkRoleExistsByName(name) {
-    return await this.roleValidator.checkRoleExistsByName(name);
+  async getUserPermissions(auth) {
+    if (!auth)
+      return;
+    const userId = await this.getUserIdByAccessToken(auth);
+    const permissions = await this.tokenRepository.getUserPermissions(userId);
+    return permissions;
   }
-  async checkRoleHasPermission(roleId, permissionId) {
-    await this.roleValidator.checkRoleExists(roleId);
-    await this.checkPermissionExists(permissionId);
-    const hasPermission = await this.permissionRepository.checkRoleHasPermission(roleId, permissionId);
-    if (hasPermission) {
-      throw new Error(t4("permissions.errors.roleAlreadyHasPermission"));
+  async getUserRole(auth) {
+    if (!auth)
+      return;
+    const userId = await this.getUserIdByAccessToken(auth);
+    const roleName = await this.tokenRepository.getRoleNameById(userId);
+    return roleName;
+  }
+  async getUser(auth) {
+    if (!auth)
+      return;
+    const userId = await this.getUserIdByAccessToken(auth);
+    const user = await this.tokenRepository.getUser(userId);
+    if (!user)
+      return null;
+    return user;
+  }
+  async storeUserInCache(auth, ctx) {
+    const cachedUser = ctx.get("user");
+    if (cachedUser)
+      return cachedUser;
+    const user = await this.getUser(auth);
+    if (user) {
+      ctx.set("user", user);
     }
+    return user;
   }
-};
-PermissionValidator = __decorateClass([
-  Injectable7()
-], PermissionValidator);
+}, __name(_a11, "TokenService"), _a11);
+TokenService = __decorate8([
+  Injectable5(),
+  __metadata4("design:paramtypes", [typeof (_a10 = typeof TokenRepository !== "undefined" && TokenRepository) === "function" ? _a10 : Object])
+], TokenService);
-// src/roles/RoleRepository.ts
-import { eq as eq2 } from "drizzle-orm";
-import { Repository as Repository2 } from "najm-api";
-var RoleRepository = class {
-  async getAll() {
-    return await this.db.select().from(rolesTable);
+// src/roles/RoleGuards.ts
+var __decorate9 = function(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata5 = function(k, v) {
+  if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param = function(paramIndex, decorator) {
+  return function(target, key) {
+    decorator(target, key, paramIndex);
+  };
+};
+var _a12;
+var ROLES = {
+  ADMIN: "admin",
+  PRINCIPAL: "principal",
+  ACCOUNTING: "accounting",
+  SECRETARY: "secretary",
+  TEACHER: "teacher",
+  STUDENT: "student",
+  PARENT: "parent"
+};
+var ROLE_GROUPS = {
+  ADMINISTRATORS: [ROLES.ADMIN, ROLES.PRINCIPAL],
+  FINANCIAL: [ROLES.ADMIN, ROLES.ACCOUNTING],
+  STAFF: [ROLES.ADMIN, ROLES.PRINCIPAL, ROLES.ACCOUNTING, ROLES.SECRETARY, ROLES.TEACHER],
+  END_USERS: [ROLES.STUDENT, ROLES.PARENT],
+  ALL: [ROLES.ADMIN, ROLES.PRINCIPAL, ROLES.ACCOUNTING, ROLES.SECRETARY, ROLES.TEACHER, ROLES.STUDENT, ROLES.PARENT]
+};
+var _a13;
+var RoleChecker = (_a13 = class {
+  isInGroup(userRole, group) {
+    return group.includes(userRole?.toLowerCase());
   }
-  async getById(id) {
-    const [existingRole] = await this.db.select().from(rolesTable).where(eq2(rolesTable.id, id));
-    return existingRole;
+  isAdministrator(userRole) {
+    return this.isInGroup(userRole, ROLE_GROUPS.ADMINISTRATORS);
   }
-  async getByName(name) {
-    const [existingRole] = await this.db.select().from(rolesTable).where(eq2(rolesTable.name, name));
-    return existingRole;
+  isStaff(userRole) {
+    return this.isInGroup(userRole, ROLE_GROUPS.STAFF);
   }
-  async create(data) {
-    const [newRole] = await this.db.insert(rolesTable).values(data).returning();
-    return newRole;
+  hasAnyRole(userRole, roles) {
+    return roles.includes(userRole?.toLowerCase());
   }
-  async update(id, data) {
-    const [updatedRole] = await this.db.update(rolesTable).set(data).where(eq2(rolesTable.id, id)).returning();
-    return updatedRole;
+  hasExactRole(userRole, requiredRole) {
+    return userRole?.toLowerCase() === requiredRole?.toLowerCase();
   }
-  async delete(id) {
-    const [deletedRole] = await this.db.delete(rolesTable).where(eq2(rolesTable.id, id)).returning();
-    return deletedRole;
+}, __name(_a13, "RoleChecker"), _a13);
+RoleChecker = __decorate9([
+  Injectable6()
+], RoleChecker);
+var _a14;
+var RoleGuards = (_a14 = class {
+  constructor(roleChecker, tokenService) {
+    this.roleChecker = roleChecker;
+    this.tokenService = tokenService;
   }
-};
-RoleRepository = __decorateClass([
-  Repository2()
-], RoleRepository);
+  async isAuth(auth, ctx) {
+    const user = await this.tokenService.storeUserInCache(auth, ctx);
+    return !!user;
+  }
+  async hasRoles(auth, ctx, roles) {
+    try {
+      const user = await this.tokenService.storeUserInCache(auth, ctx);
+      if (!user?.role)
+        return false;
+      const roleArray = Array.isArray(roles) ? roles : [roles];
+      return this.roleChecker.hasAnyRole(user.role, roleArray);
+    } catch {
+      return false;
+    }
+  }
+}, __name(_a14, "RoleGuards"), _a14);
+__decorate9([
+  __param(0, Headers("authorization")),
+  __param(1, Ctx()),
+  __metadata5("design:type", Function),
+  __metadata5("design:paramtypes", [Object, Object]),
+  __metadata5("design:returntype", Promise)
+], RoleGuards.prototype, "isAuth", null);
+__decorate9([
+  __param(0, Headers("authorization")),
+  __param(1, Ctx()),
+  __param(2, GuardParams()),
+  __metadata5("design:type", Function),
+  __metadata5("design:paramtypes", [Object, Object, Object]),
+  __metadata5("design:returntype", Promise)
+], RoleGuards.prototype, "hasRoles", null);
+RoleGuards = __decorate9([
+  Injectable6(),
+  __metadata5("design:paramtypes", [RoleChecker, typeof (_a12 = typeof TokenService !== "undefined" && TokenService) === "function" ? _a12 : Object])
+], RoleGuards);
+var isAdmin = /* @__PURE__ */ __name(() => Role("admin"), "isAdmin");
+var isPrincipal = /* @__PURE__ */ __name(() => Role("principal"), "isPrincipal");
+var isAccounting = /* @__PURE__ */ __name(() => Role("accounting"), "isAccounting");
+var isSecretary = /* @__PURE__ */ __name(() => Role("secretary"), "isSecretary");
+var isTeacher = /* @__PURE__ */ __name(() => Role("teacher"), "isTeacher");
+var isParent = /* @__PURE__ */ __name(() => Role("parent"), "isParent");
+var isStudent = /* @__PURE__ */ __name(() => Role("student"), "isStudent");
+var isAdministrator = /* @__PURE__ */ __name(() => Role("admin", "principal"), "isAdministrator");
+var isFinancial = /* @__PURE__ */ __name(() => Role("admin", "accounting"), "isFinancial");
+var isStaff = /* @__PURE__ */ __name(() => Role("admin", "principal", "accounting", "secretary", "teacher"), "isStaff");
+var isAuth = createGuard(RoleGuards, "isAuth");
+var Role = /* @__PURE__ */ __name((...roles) => createGuard(RoleGuards, "hasRoles")(...roles), "Role");
-// src/roles/RoleValidator.ts
-import { Injectable as Injectable8, t as t5 } from "najm-api";
-var RoleValidator = class {
-  constructor(roleRepository) {
+// src/roles/RoleController.ts
+import { Controller, Get, Post, Put, Delete, Params, Body, t as t4 } from "najm-api";
+// src/roles/RoleService.ts
+import { Injectable as Injectable7 } from "najm-api";
+var __decorate10 = function(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata6 = function(k, v) {
+  if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var _a15;
+var _b2;
+var _a16;
+var RoleService = (_a16 = class {
+  constructor(roleRepository, roleValidator) {
     this.roleRepository = roleRepository;
+    this.roleValidator = roleValidator;
   }
-  async validateCreateRole(data) {
-    return parseSchema(roleSchema, data);
+  async getAll() {
+    return await this.roleRepository.getAll();
+  }
+  async getById(id) {
+    await this.roleValidator.checkRoleExists(id);
+    return await this.roleRepository.getById(id);
   }
-  async isRoleNameExists(roleName) {
-    const existingRole = await this.roleRepository.getByName(roleName);
-    return !!existingRole;
+  async getByName(name) {
+    return await this.roleRepository.getByName(name);
   }
-  async isRoleIdExists(id) {
-    const existingRole = await this.roleRepository.getById(id);
-    return !!existingRole;
+  async create(data) {
+    await this.roleValidator.validateCreateRole(data);
+    await this.roleValidator.checkNameUnique(data.name);
+    return await this.roleRepository.create(data);
   }
-  async checkNameUnique(roleName, excludeId = null) {
-    if (!roleName) return;
-    const existingRole = await this.roleRepository.getByName(roleName);
-    if (existingRole && existingRole.id !== excludeId) {
-      throw new Error(t5("roles.errors.exists"));
-    }
+  async update(id, data) {
+    await this.roleValidator.checkRoleExists(id);
+    await this.roleValidator.checkNameUnique(data.name, id);
+    return await this.roleRepository.update(id, data);
   }
-  async checkRoleExists(id) {
-    const roleIdExists = await this.isRoleIdExists(id);
-    if (!roleIdExists) {
-      throw new Error(t5("roles.errors.notFound"));
-    }
+  async delete(id) {
+    await this.roleValidator.checkRoleExists(id);
+    return await this.roleRepository.delete(id);
   }
-  async checkRoleExistsByName(roleName) {
-    const roleNameExists = await this.isRoleNameExists(roleName);
-    if (!roleNameExists) {
-      throw new Error(t5("roles.errors.notFound"));
+  async seedDefaultRoles(defaultRoles) {
+    const rolesToCreate = [];
+    for (const role of defaultRoles) {
+      const exists = await this.roleValidator.isRoleNameExists(role.name);
+      if (!exists) {
+        rolesToCreate.push(role);
+      }
     }
+    const createdRoles = await Promise.all(rolesToCreate.map((role) => this.roleRepository.create(role)));
+    return createdRoles;
   }
-  async checkAdminRoleExists() {
-    const adminRole = await this.roleRepository.getByName("admin");
-    if (!adminRole) {
-      throw new Error(t5("users.errors.adminRoleNotFound"));
-    }
-    return adminRole;
+  async getRoleIdByName(name) {
+    const teacherRole = await this.getByName(name);
+    return teacherRole?.id;
   }
-};
-RoleValidator = __decorateClass([
-  Injectable8()
-], RoleValidator);
+}, __name(_a16, "RoleService"), _a16);
+RoleService = __decorate10([
+  Injectable7(),
+  __metadata6("design:paramtypes", [typeof (_a15 = typeof RoleRepository !== "undefined" && RoleRepository) === "function" ? _a15 : Object, typeof (_b2 = typeof RoleValidator !== "undefined" && RoleValidator) === "function" ? _b2 : Object])
+], RoleService);
 // src/roles/RoleController.ts
-import { Controller as Controller3, Get as Get3, Post as Post3, Put as Put2, Delete as Delete2, Params as Params3, Body as Body3, t as t6 } from "najm-api";
-var RoleController = class {
+var __decorate11 = function(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata7 = function(k, v) {
+  if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param2 = function(paramIndex, decorator) {
+  return function(target, key) {
+    decorator(target, key, paramIndex);
+  };
+};
+var _a17;
+var _a18;
+var RoleController = (_a18 = class {
   constructor(roleService) {
     this.roleService = roleService;
   }
@@ -1724,7 +1737,7 @@ var RoleController = class {
     const roles = await this.roleService.getAll();
     return {
       data: roles,
-      message: t6("roles.success.retrieved"),
+      message: t4("roles.success.retrieved"),
       status: "success"
     };
   }
@@ -1732,7 +1745,7 @@ var RoleController = class {
     const role = await this.roleService.getById(id);
     return {
       data: role,
-      message: t6("roles.success.retrieved"),
+      message: t4("roles.success.retrieved"),
       status: "success"
     };
   }
@@ -1740,7 +1753,7 @@ var RoleController = class {
     const newRole = await this.roleService.create(body);
     return {
       data: newRole,
-      message: t6("roles.success.created"),
+      message: t4("roles.success.created"),
       status: "success"
     };
   }
@@ -1748,7 +1761,7 @@ var RoleController = class {
     const updatedRole = await this.roleService.update(id, body);
     return {
       data: updatedRole,
-      message: t6("roles.success.updated"),
+      message: t4("roles.success.updated"),
       status: "success"
     };
   }
@@ -1756,761 +1769,1133 @@ var RoleController = class {
     const result = await this.roleService.delete(id);
     return {
       data: result,
-      message: t6("roles.success.deleted"),
+      message: t4("roles.success.deleted"),
       status: "success"
     };
   }
-};
-__decorateClass([
-  Get3(),
-  isAdmin()
-], RoleController.prototype, "getRoles", 1);
-__decorateClass([
-  Get3("/:id"),
+}, __name(_a18, "RoleController"), _a18);
+__decorate11([
+  Get(),
   isAdmin(),
-  __decorateParam(0, Params3("id"))
-], RoleController.prototype, "getRole", 1);
-__decorateClass([
-  Post3(),
+  __metadata7("design:type", Function),
+  __metadata7("design:paramtypes", []),
+  __metadata7("design:returntype", Promise)
+], RoleController.prototype, "getRoles", null);
+__decorate11([
+  Get("/:id"),
   isAdmin(),
-  __decorateParam(0, Body3())
-], RoleController.prototype, "createRole", 1);
-__decorateClass([
-  Put2("/:id"),
+  __param2(0, Params("id")),
+  __metadata7("design:type", Function),
+  __metadata7("design:paramtypes", [Object]),
+  __metadata7("design:returntype", Promise)
+], RoleController.prototype, "getRole", null);
+__decorate11([
+  Post(),
   isAdmin(),
-  __decorateParam(0, Params3("id")),
-  __decorateParam(1, Body3())
-], RoleController.prototype, "updateRole", 1);
-__decorateClass([
-  Delete2("/:id"),
+  __param2(0, Body()),
+  __metadata7("design:type", Function),
+  __metadata7("design:paramtypes", [Object]),
+  __metadata7("design:returntype", Promise)
+], RoleController.prototype, "createRole", null);
+__decorate11([
+  Put("/:id"),
+  isAdmin(),
+  __param2(0, Params("id")),
+  __param2(1, Body()),
+  __metadata7("design:type", Function),
+  __metadata7("design:paramtypes", [Object, Object]),
+  __metadata7("design:returntype", Promise)
+], RoleController.prototype, "updateRole", null);
+__decorate11([
+  Delete("/:id"),
   isAdmin(),
-  __decorateParam(0, Params3("id"))
-], RoleController.prototype, "deleteRole", 1);
-RoleController = __decorateClass([
-  Controller3("/roles")
+  __param2(0, Params("id")),
+  __metadata7("design:type", Function),
+  __metadata7("design:paramtypes", [Object]),
+  __metadata7("design:returntype", Promise)
+], RoleController.prototype, "deleteRole", null);
+RoleController = __decorate11([
+  Controller("/roles"),
+  __metadata7("design:paramtypes", [typeof (_a17 = typeof RoleService !== "undefined" && RoleService) === "function" ? _a17 : Object])
 ], RoleController);
-// src/roles/RoleService.ts
-import { Injectable as Injectable9 } from "najm-api";
-var RoleService = class {
-  constructor(roleRepository, roleValidator) {
-    this.roleRepository = roleRepository;
+// src/users/UserService.ts
+import { nanoid as nanoid2 } from "nanoid";
+var __decorate12 = function(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata8 = function(k, v) {
+  if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var _a19;
+var _b3;
+var _c;
+var _d;
+var _e;
+var _a20;
+var UserService = (_a20 = class {
+  constructor(roleValidator, roleService, userRepository, userValidator, encryptionService) {
     this.roleValidator = roleValidator;
+    this.roleService = roleService;
+    this.userRepository = userRepository;
+    this.userValidator = userValidator;
+    this.encryptionService = encryptionService;
+  }
+  sanitizeUser(user) {
+    if (!user)
+      return user;
+    const { password, ...sanitizedUser } = user;
+    return sanitizedUser;
+  }
+  sanitizeUsers(users) {
+    return users.map((user) => this.sanitizeUser(user));
+  }
+  async resolveUserRole(roleId, roleName) {
+    if (roleId) {
+      await this.roleValidator.checkRoleExists(roleId);
+      return roleId;
+    }
+    if (roleName) {
+      const roleByName = await this.roleService.getByName(roleName);
+      if (roleByName) {
+        return roleByName.id;
+      }
+      throw new Error(`Role '${roleName}' not found`);
+    }
+    const defaultRole = await this.roleService.getByName("Student");
+    return defaultRole.id;
   }
   async getAll() {
-    return await this.roleRepository.getAll();
+    const users = await this.userRepository.getAll();
+    return this.sanitizeUsers(users);
   }
   async getById(id) {
-    await this.roleValidator.checkRoleExists(id);
-    return await this.roleRepository.getById(id);
+    await this.userValidator.checkUserExists(id);
+    const user = await this.userRepository.getById(id);
+    return this.sanitizeUser(user);
   }
-  async getByName(name) {
-    return await this.roleRepository.getByName(name);
+  async getByEmail(email) {
+    const user = await this.userValidator.checkUserExistsByEmail(email);
+    return this.sanitizeUser(user);
   }
   async create(data) {
-    await this.roleValidator.validateCreateRole(data);
-    await this.roleValidator.checkNameUnique(data.name);
-    return await this.roleRepository.create(data);
+    const { id, email, image, emailVerified, password, roleId, role } = data;
+    let userId = id || nanoid2(5);
+    let pass = password || "12345678";
+    await this.userValidator.checkEmailUnique(data.email);
+    await this.userValidator.checkUserIdIsUnique(id);
+    const hashedPassword = await this.encryptionService.hashPassword(pass);
+    const resolvedRoleId = await this.resolveUserRole(roleId, role);
+    const userDetails = {
+      id: userId,
+      email,
+      image,
+      password: hashedPassword,
+      roleId: resolvedRoleId,
+      emailVerified,
+      status: "pending"
+    };
+    await this.userValidator.validateCreateUser(userDetails);
+    const newUser = await this.userRepository.create(userDetails);
+    return this.sanitizeUser(newUser);
   }
   async update(id, data) {
-    await this.roleValidator.checkRoleExists(id);
-    await this.roleValidator.checkNameUnique(data.name, id);
-    return await this.roleRepository.update(id, data);
+    const { password, image } = data;
+    await this.userValidator.checkUserExists(id);
+    await this.userValidator.checkEmailUnique(data.email, id);
+    const currentUser = await this.userRepository.getById(id);
+    const hashedPassword = await this.encryptionService.hashPassword(password);
+    const updateData = {
+      ...data,
+      image,
+      ...hashedPassword && { password: hashedPassword }
+    };
+    const cleanedUpdateData = clean(updateData);
+    const updatedUser = await this.userRepository.update(id, cleanedUpdateData);
+    return this.sanitizeUser(updatedUser);
   }
   async delete(id) {
-    await this.roleValidator.checkRoleExists(id);
-    return await this.roleRepository.delete(id);
+    await this.userValidator.checkUserExists(id);
+    const user = await this.userRepository.delete(id);
+    return this.sanitizeUser(user);
   }
-  async seedDefaultRoles(defaultRoles) {
-    const rolesToCreate = [];
-    for (const role of defaultRoles) {
-      const exists = await this.roleValidator.isRoleNameExists(role.name);
-      if (!exists) {
-        rolesToCreate.push(role);
-      }
+  async deleteAll() {
+    const deletedUsers = await this.userRepository.deleteAll();
+    return this.sanitizeUsers(deletedUsers);
+  }
+  async getRoleName(id) {
+    await this.userValidator.checkUserExists(id);
+    return await this.userRepository.getRoleNameById(id);
+  }
+  async getPassword(email) {
+    await this.userValidator.checkUserExistsByEmail(email);
+    return await this.userRepository.getUserPassword(email);
+  }
+  async assignRole(id, roleId, roleName) {
+    await this.userValidator.checkUserExists(id);
+    const resolvedRoleId = await this.resolveUserRole(roleId, roleName);
+    const updatedUser = await this.userRepository.update(id, { roleId: resolvedRoleId });
+    return this.sanitizeUser(updatedUser);
+  }
+  async removeRole(id) {
+    await this.userValidator.checkUserExists(id);
+    const updatedUser = await this.userRepository.update(id, { roleId: null });
+    return this.sanitizeUser(updatedUser);
+  }
+  async seedAdminUser() {
+    const email = "admin@admin.com";
+    const adminRole = await this.roleValidator.checkAdminRoleExists();
+    const existingUser = await this.userRepository.getByEmail(email);
+    if (existingUser) {
+      await this.delete(existingUser.id);
     }
-    const createdRoles = await Promise.all(
-      rolesToCreate.map((role) => this.roleRepository.create(role))
-    );
-    return createdRoles;
+    const newAdminUser = await this.create({
+      id: "USR00",
+      name: "System Administrator",
+      email,
+      password: "12345678",
+      image: null,
+      roleId: adminRole.id,
+      status: "active",
+      emailVerified: true
+    });
+    return this.sanitizeUser(newAdminUser);
   }
-  async getRoleIdByName(name) {
-    const teacherRole = await this.getByName(name);
-    return teacherRole?.id;
+  async updateLang(language) {
+    setLanguage(language);
+    return language;
   }
-};
-RoleService = __decorateClass([
-  Injectable9()
-], RoleService);
+  async getLang() {
+    return getCurrentLanguage();
+  }
+}, __name(_a20, "UserService"), _a20);
+__decorate12([
+  Transactional(),
+  __metadata8("design:type", Function),
+  __metadata8("design:paramtypes", [Object]),
+  __metadata8("design:returntype", Promise)
+], UserService.prototype, "create", null);
+UserService = __decorate12([
+  Injectable8(),
+  __metadata8("design:paramtypes", [typeof (_a19 = typeof RoleValidator !== "undefined" && RoleValidator) === "function" ? _a19 : Object, typeof (_b3 = typeof RoleService !== "undefined" && RoleService) === "function" ? _b3 : Object, typeof (_c = typeof UserRepository !== "undefined" && UserRepository) === "function" ? _c : Object, typeof (_d = typeof UserValidator !== "undefined" && UserValidator) === "function" ? _d : Object, typeof (_e = typeof EncryptionService !== "undefined" && EncryptionService) === "function" ? _e : Object])
+], UserService);
-// src/tokens/TokenRepository.ts
-import { eq as eq3 } from "drizzle-orm";
-import { Repository as Repository3 } from "najm-api";
-var TokenRepository = class {
-  async storeRefreshToken(tokenData) {
-    return await this.db.insert(tokensTable).values(tokenData).onConflictDoUpdate({
-      target: tokensTable.userId,
-      set: {
-        token: tokenData.token,
-        expiresAt: tokenData.expiresAt
-      }
-    }).returning();
+// src/users/UserController.ts
+import { Controller as Controller2, Get as Get2, Post as Post2, Put as Put2, Delete as Delete2, Params as Params2, Body as Body2, t as t5 } from "najm-api";
+var __decorate13 = function(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata9 = function(k, v) {
+  if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param3 = function(paramIndex, decorator) {
+  return function(target, key) {
+    decorator(target, key, paramIndex);
+  };
+};
+var _a21;
+var _a22;
+var UserController = (_a22 = class {
+  constructor(userService) {
+    this.userService = userService;
+  }
+  async getUsers() {
+    const users = await this.userService.getAll();
+    return {
+      data: users,
+      message: t5("users.success.retrieved"),
+      status: "success"
+    };
+  }
+  async getLang() {
+    const language = await this.userService.getLang();
+    return {
+      data: { language },
+      message: t5("users.success.retrieved"),
+      status: "success"
+    };
+  }
+  async updateLang(language) {
+    const data = await this.userService.updateLang(language);
+    return {
+      data,
+      message: t5("users.success.updated"),
+      status: "success"
+    };
+  }
+  async getUser(id) {
+    const user = await this.userService.getById(id);
+    return {
+      data: user,
+      message: t5("users.success.retrieved"),
+      status: "success"
+    };
+  }
+  async getByEmail(email) {
+    const user = await this.userService.getByEmail(email);
+    return {
+      data: user,
+      message: t5("users.success.retrieved"),
+      status: "success"
+    };
   }
-  async getRefreshToken(userId) {
-    const [token] = await this.db.select().from(tokensTable).where(eq3(tokensTable.userId, userId));
-    return token?.token;
+  async getRole(userId) {
+    const role = await this.userService.getRoleName(userId);
+    return {
+      data: role,
+      message: t5("users.success.retrieved"),
+      status: "success"
+    };
   }
-  async revokeToken(userId) {
-    const [deletedToken] = await this.db.delete(tokensTable).where(eq3(tokensTable.userId, userId)).returning();
-    return deletedToken;
+  async create(body) {
+    const newUser = await this.userService.create(body);
+    return {
+      data: newUser,
+      message: t5("users.success.created"),
+      status: "success"
+    };
   }
-  async isUserExists(userId) {
-    const [user] = await this.db.select({ id: usersTable.id }).from(usersTable).where(eq3(usersTable.id, userId)).limit(1);
-    return !!user;
+  async update(id, body) {
+    const updatedUser = await this.userService.update(id, body);
+    return {
+      data: updatedUser,
+      message: t5("users.success.updated"),
+      status: "success"
+    };
   }
-  async getRoleNameById(userId) {
-    const [role] = await this.db.select({
-      roleName: rolesTable.name
-    }).from(usersTable).leftJoin(rolesTable, eq3(usersTable.roleId, rolesTable.id)).where(eq3(usersTable.id, userId)).limit(1);
-    return role?.roleName;
+  async delete(id) {
+    const result = await this.userService.delete(id);
+    return {
+      data: result,
+      message: t5("users.success.deleted"),
+      status: "success"
+    };
   }
-  async getUserPermissions(userId) {
-    const [user] = await this.db.select({ roleId: usersTable.roleId }).from(usersTable).where(eq3(usersTable.id, userId)).limit(1);
-    if (!user || !user.roleId) return [];
-    const userPermissions = await this.db.select({
-      name: permissionsTable.name
-    }).from(rolePermissionsTable).leftJoin(permissionsTable, eq3(rolePermissionsTable.permissionId, permissionsTable.id)).where(eq3(rolePermissionsTable.roleId, user.roleId));
-    return userPermissions.map((p) => p.name).filter((name) => name);
+  async deleteAll() {
+    const result = await this.userService.deleteAll();
+    return {
+      data: result,
+      message: t5("users.success.allDeleted"),
+      status: "success"
+    };
   }
-  async getUser(userId) {
-    const [user] = await this.db.select({
-      id: usersTable.id,
-      email: usersTable.email,
-      status: usersTable.status,
-      roleId: usersTable.roleId,
-      roleName: rolesTable.name,
-      createdAt: usersTable.createdAt,
-      updatedAt: usersTable.updatedAt
-    }).from(usersTable).leftJoin(rolesTable, eq3(usersTable.roleId, rolesTable.id)).where(eq3(usersTable.id, userId)).limit(1);
-    return user ? { ...user, role: user.roleName } : null;
+  async assignRole(userId, roleId) {
+    await this.userService.assignRole(userId, roleId);
+    return {
+      message: t5("users.success.updated"),
+      status: "success"
+    };
   }
-};
-TokenRepository = __decorateClass([
-  Repository3()
-], TokenRepository);
+  async removeRole(userId) {
+    await this.userService.removeRole(userId);
+    return {
+      message: t5("users.success.updated"),
+      status: "success"
+    };
+  }
+}, __name(_a22, "UserController"), _a22);
+__decorate13([
+  Get2(),
+  isAdmin(),
+  __metadata9("design:type", Function),
+  __metadata9("design:paramtypes", []),
+  __metadata9("design:returntype", Promise)
+], UserController.prototype, "getUsers", null);
+__decorate13([
+  Get2("/lang"),
+  isAuth(),
+  __metadata9("design:type", Function),
+  __metadata9("design:paramtypes", []),
+  __metadata9("design:returntype", Promise)
+], UserController.prototype, "getLang", null);
+__decorate13([
+  Post2("/lang/:language"),
+  isAuth(),
+  __param3(0, Params2("language")),
+  __metadata9("design:type", Function),
+  __metadata9("design:paramtypes", [Object]),
+  __metadata9("design:returntype", Promise)
+], UserController.prototype, "updateLang", null);
+__decorate13([
+  Get2("/:id"),
+  isAdmin(),
+  __param3(0, Params2("id")),
+  __metadata9("design:type", Function),
+  __metadata9("design:paramtypes", [Object]),
+  __metadata9("design:returntype", Promise)
+], UserController.prototype, "getUser", null);
+__decorate13([
+  Get2("/email/:email"),
+  isAdmin(),
+  __param3(0, Params2("email")),
+  __metadata9("design:type", Function),
+  __metadata9("design:paramtypes", [Object]),
+  __metadata9("design:returntype", Promise)
+], UserController.prototype, "getByEmail", null);
+__decorate13([
+  Get2("/role/:userId"),
+  isAdmin(),
+  __param3(0, Params2("userId")),
+  __metadata9("design:type", Function),
+  __metadata9("design:paramtypes", [Object]),
+  __metadata9("design:returntype", Promise)
+], UserController.prototype, "getRole", null);
+__decorate13([
+  Post2(),
+  isAdmin(),
+  __param3(0, Body2()),
+  __metadata9("design:type", Function),
+  __metadata9("design:paramtypes", [Object]),
+  __metadata9("design:returntype", Promise)
+], UserController.prototype, "create", null);
+__decorate13([
+  Put2("/:id"),
+  isAdmin(),
+  __param3(0, Params2("id")),
+  __param3(1, Body2()),
+  __metadata9("design:type", Function),
+  __metadata9("design:paramtypes", [Object, Object]),
+  __metadata9("design:returntype", Promise)
+], UserController.prototype, "update", null);
+__decorate13([
+  Delete2("/:id"),
+  isAdmin(),
+  __param3(0, Params2("id")),
+  __metadata9("design:type", Function),
+  __metadata9("design:paramtypes", [Object]),
+  __metadata9("design:returntype", Promise)
+], UserController.prototype, "delete", null);
+__decorate13([
+  Delete2(),
+  isAdmin(),
+  __metadata9("design:type", Function),
+  __metadata9("design:paramtypes", []),
+  __metadata9("design:returntype", Promise)
+], UserController.prototype, "deleteAll", null);
+__decorate13([
+  Post2("/assign/:userId/:roleId"),
+  isAdmin(),
+  __param3(0, Params2("userId")),
+  __param3(1, Params2("roleId")),
+  __metadata9("design:type", Function),
+  __metadata9("design:paramtypes", [Object, Object]),
+  __metadata9("design:returntype", Promise)
+], UserController.prototype, "assignRole", null);
+__decorate13([
+  Delete2("/remove/:userId"),
+  isAdmin(),
+  __param3(0, Params2("userId")),
+  __metadata9("design:type", Function),
+  __metadata9("design:paramtypes", [Object]),
+  __metadata9("design:returntype", Promise)
+], UserController.prototype, "removeRole", null);
+UserController = __decorate13([
+  Controller2("/users"),
+  __metadata9("design:paramtypes", [typeof (_a21 = typeof UserService !== "undefined" && UserService) === "function" ? _a21 : Object])
+], UserController);
-// src/tokens/TokenService.ts
-import { t as t7 } from "najm-api";
-import { getCookie, Injectable as Injectable10 } from "najm-api";
-import jwt from "jsonwebtoken";
-import { jwtDecode } from "jwt-decode";
-import timestring2 from "timestring";
-var TokenService = class {
-  constructor(tokenRepository) {
-    this.tokenRepository = tokenRepository;
-    this.accessSecretKey = process.env.JWT_ACCESS_SECRET;
-    this.accessExpiresIn = process.env.ACCESS_EXPIRES_IN;
-    this.refreshSecretKey = process.env.JWT_REFRESH_SECRET;
-    this.refreshExpiresIn = process.env.REFRESH_EXPIRES_IN;
+// src/auth/AuthService.ts
+var __decorate14 = function(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata10 = function(k, v) {
+  if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var _a23;
+var _b4;
+var _c2;
+var _d2;
+var _a24;
+var AuthService = (_a24 = class {
+  constructor(tokenService, userService, userValidator, cookieService) {
+    this.tokenService = tokenService;
+    this.userService = userService;
+    this.userValidator = userValidator;
+    this.cookieService = cookieService;
   }
-  //==== Validate tokens
-  extractAccessToken(authorization) {
-    if (authorization && authorization.startsWith("Bearer")) {
-      return authorization.split(" ")[1];
-    }
-    throw new Error(t7("auth.errors.tokenMissing"));
+  async registerUser(body) {
+    return await this.userService.create(body);
   }
-  verifyAccessToken(token) {
-    try {
-      return jwt.verify(token, this.accessSecretKey);
-    } catch (error) {
-      throw new Error(t7("auth.errors.tokenVerificationFailed"));
+  async loginUser(body) {
+    const { email, password } = body;
+    if (!email || !password) {
+      throw new Error(t6("auth.errors.invalidCredentials"));
     }
+    const existingPassword = await this.userService.getPassword(email);
+    const { id } = await this.userService.getByEmail(email);
+    await this.userValidator.checkPasswordValid(password, existingPassword);
+    const data = await this.tokenService.generateTokens(id);
+    this.cookieService.setRefreshCookie(data.refreshToken);
+    return data;
   }
-  verifyRefreshToken(token) {
-    try {
-      const decoded = jwt.verify(token, this.refreshSecretKey);
-      return decoded.userId;
-    } catch (error) {
-      throw new Error(t7("auth.errors.tokenVerificationFailed"));
-    }
+  async refreshTokens() {
+    const data = await this.tokenService.refreshTokens();
+    this.cookieService.setRefreshCookie(data.refreshToken);
+    return data;
   }
-  async getUserIdByAccessToken(header) {
-    const token = this.extractAccessToken(header);
-    const decodedToken = this.verifyAccessToken(token);
-    const userId = decodedToken.userId;
-    const userExists = await this.tokenRepository.isUserExists(userId);
-    if (!userExists) {
-      throw new Error(t7("users.errors.notFound"));
-    }
-    return userId;
+  async logoutUser(userId) {
+    await this.userValidator.checkUserExists(userId);
+    await this.tokenService.revokeToken(userId);
+    this.cookieService.clearRefreshCookie();
+    return { data: null, message: t6("auth.success.logout") };
   }
-  //=== Generate tokens
-  async storeRefreshToken(userId, refreshToken) {
-    const expireInSecond = timestring2(this.refreshExpiresIn, "s");
-    const tokenData = {
-      userId,
-      token: refreshToken,
-      expiresAt: new Date(Date.now() + expireInSecond * 1e3).toISOString()
+  async getUserProfile(userData) {
+    const lang = getCurrentLanguage2();
+    return {
+      ...userData,
+      language: lang
     };
-    await this.tokenRepository.storeRefreshToken(tokenData);
   }
-  getTokenExpire(token) {
-    return jwtDecode(token).exp;
+  async forgotPassword(email) {
   }
-  generateAccessToken(data) {
-    const options = { expiresIn: this.accessExpiresIn };
-    return jwt.sign(data, this.accessSecretKey, options);
+}, __name(_a24, "AuthService"), _a24);
+AuthService = __decorate14([
+  Injectable9(),
+  __metadata10("design:paramtypes", [typeof (_a23 = typeof TokenService !== "undefined" && TokenService) === "function" ? _a23 : Object, typeof (_b4 = typeof UserService !== "undefined" && UserService) === "function" ? _b4 : Object, typeof (_c2 = typeof UserValidator !== "undefined" && UserValidator) === "function" ? _c2 : Object, typeof (_d2 = typeof CookieService !== "undefined" && CookieService) === "function" ? _d2 : Object])
+], AuthService);
+// src/auth/AuthController.ts
+var __decorate15 = function(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata11 = function(k, v) {
+  if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param4 = function(paramIndex, decorator) {
+  return function(target, key) {
+    decorator(target, key, paramIndex);
+  };
+};
+var _a25;
+var _a26;
+var AuthController = (_a26 = class {
+  constructor(authService) {
+    this.authService = authService;
   }
-  generateRefreshToken(data) {
-    const options = { expiresIn: this.refreshExpiresIn };
-    return jwt.sign(data, this.refreshSecretKey, options);
+  async registerUser(body) {
+    const data = await this.authService.registerUser(body);
+    return {
+      data,
+      message: t7("auth.success.register"),
+      status: "success"
+    };
   }
-  async generateTokens(userId) {
-    const tokenData = { userId };
-    const accessToken = await this.generateAccessToken(tokenData);
-    const refreshToken = await this.generateRefreshToken(tokenData);
-    const accessTokenExpiresAt = this.getTokenExpire(accessToken);
-    const refreshTokenExpiresAt = this.getTokenExpire(refreshToken);
-    await this.storeRefreshToken(userId, refreshToken);
+  async loginUser(body) {
+    const data = await this.authService.loginUser(body);
     return {
-      accessToken,
-      refreshToken,
-      accessTokenExpiresAt,
-      refreshTokenExpiresAt
+      data,
+      message: t7("auth.success.login"),
+      status: "success"
     };
   }
   async refreshTokens() {
-    const newRefreshToken = getCookie("refreshToken");
-    const userId = this.verifyRefreshToken(newRefreshToken);
-    const userExists = await this.tokenRepository.isUserExists(userId);
-    if (!userExists) {
-      throw new Error(t7("users.errors.notFound"));
-    }
-    const storedRefreshToken = await this.tokenRepository.getRefreshToken(userId);
-    if (newRefreshToken != storedRefreshToken) {
-      throw new Error(t7("auth.errors.refreshTokenInvalid"));
-    }
-    return await this.generateTokens(userId);
-  }
-  async revokeToken(userId) {
-    return await this.tokenRepository.revokeToken(userId);
-  }
-  async getUserPermissions(auth) {
-    if (!auth) return;
-    const userId = await this.getUserIdByAccessToken(auth);
-    const permissions = await this.tokenRepository.getUserPermissions(userId);
-    return permissions;
-  }
-  async getUserRole(auth) {
-    if (!auth) return;
-    const userId = await this.getUserIdByAccessToken(auth);
-    const roleName = await this.tokenRepository.getRoleNameById(userId);
-    return roleName;
+    const data = await this.authService.refreshTokens();
+    return {
+      data,
+      message: t7("auth.success.tokenRefreshed"),
+      status: "success"
+    };
   }
-  async getUser(auth) {
-    if (!auth) return;
-    const userId = await this.getUserIdByAccessToken(auth);
-    const user = await this.tokenRepository.getUser(userId);
-    if (!user) return null;
-    return user;
+  async logoutUser(id) {
+    const data = await this.authService.logoutUser(id);
+    return {
+      data,
+      message: t7("auth.success.logout"),
+      status: "success"
+    };
   }
-  async storeUserInCache(auth, ctx) {
-    const cachedUser = ctx.get("user");
-    if (cachedUser) return cachedUser;
-    const user = await this.getUser(auth);
-    if (user) {
-      ctx.set("user", user);
-    }
-    return user;
+  async userProfile(user) {
+    const data = await this.authService.getUserProfile(user);
+    return {
+      data,
+      message: t7("users.success.retrieved"),
+      status: "success"
+    };
   }
-};
-TokenService = __decorateClass([
-  Injectable10()
-], TokenService);
-// src/users/UserRepository.ts
-import { eq as eq4, ne } from "drizzle-orm";
-import { Repository as Repository4 } from "najm-api";
-var UserRepository = class {
-  getUser() {
+  async forgotPassword(body) {
+    const data = await this.authService.forgotPassword(body.email);
     return {
-      id: usersTable.id,
-      email: usersTable.email,
-      emailVerified: usersTable.emailVerified,
-      image: usersTable.image,
-      status: usersTable.status,
-      roleId: usersTable.roleId,
-      role: rolesTable.name,
-      createdAt: usersTable.createdAt,
-      updatedAt: usersTable.updatedAt
+      data,
+      message: t7("auth.success.passwordReset"),
+      status: "success"
     };
   }
+}, __name(_a26, "AuthController"), _a26);
+__decorate15([
+  Post3("/register"),
+  __param4(0, Body3()),
+  __metadata11("design:type", Function),
+  __metadata11("design:paramtypes", [Object]),
+  __metadata11("design:returntype", Promise)
+], AuthController.prototype, "registerUser", null);
+__decorate15([
+  Post3("/login"),
+  __param4(0, Body3()),
+  __metadata11("design:type", Function),
+  __metadata11("design:paramtypes", [Object]),
+  __metadata11("design:returntype", Promise)
+], AuthController.prototype, "loginUser", null);
+__decorate15([
+  Get3("/refresh"),
+  __metadata11("design:type", Function),
+  __metadata11("design:paramtypes", []),
+  __metadata11("design:returntype", Promise)
+], AuthController.prototype, "refreshTokens", null);
+__decorate15([
+  Get3("/logout/:id"),
+  __param4(0, Params3("id")),
+  __metadata11("design:type", Function),
+  __metadata11("design:paramtypes", [Object]),
+  __metadata11("design:returntype", Promise)
+], AuthController.prototype, "logoutUser", null);
+__decorate15([
+  Get3("/me"),
+  isAuth(),
+  __param4(0, User()),
+  __metadata11("design:type", Function),
+  __metadata11("design:paramtypes", [Object]),
+  __metadata11("design:returntype", Promise)
+], AuthController.prototype, "userProfile", null);
+__decorate15([
+  Post3("/forgot-password"),
+  isAuth(),
+  __param4(0, Body3()),
+  __metadata11("design:type", Function),
+  __metadata11("design:paramtypes", [Object]),
+  __metadata11("design:returntype", Promise)
+], AuthController.prototype, "forgotPassword", null);
+AuthController = __decorate15([
+  Controller3("/auth"),
+  __metadata11("design:paramtypes", [typeof (_a25 = typeof AuthService !== "undefined" && AuthService) === "function" ? _a25 : Object])
+], AuthController);
+// src/permissions/PermissionRepository.ts
+import { eq as eq4, and } from "drizzle-orm";
+import { Repository as Repository4 } from "najm-api";
+var __decorate16 = function(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var _a27;
+var PermissionRepository = (_a27 = class {
   async getAll() {
-    const allUsers = await this.db.select(this.getUser()).from(usersTable).leftJoin(rolesTable, eq4(usersTable.roleId, rolesTable.id));
-    return Promise.all(allUsers.map(async (user) => ({
-      ...user,
-      permissions: await this.getUserPermissions(user.id)
-    })));
+    return await this.db.select().from(permissionsTable);
   }
   async getById(id) {
-    const [user] = await this.db.select(this.getUser()).from(usersTable).leftJoin(rolesTable, eq4(usersTable.roleId, rolesTable.id)).where(eq4(usersTable.id, id)).limit(1);
-    if (!user) return user;
-    return {
-      ...user,
-      permissions: await this.getUserPermissions(user.id)
-    };
+    const [existingPermission] = await this.db.select().from(permissionsTable).where(eq4(permissionsTable.id, id));
+    return existingPermission;
   }
-  async getByEmail(email) {
-    const [existingUser] = await this.db.select(this.getUser()).from(usersTable).leftJoin(rolesTable, eq4(usersTable.roleId, rolesTable.id)).where(eq4(usersTable.email, email));
-    return existingUser;
+  async getByName(name) {
+    const [existingPermission] = await this.db.select().from(permissionsTable).where(eq4(permissionsTable.name, name));
+    return existingPermission;
   }
   async create(data) {
-    const [newUser] = await this.db.insert(usersTable).values(data).returning();
-    return newUser;
+    const [newPermission] = await this.db.insert(permissionsTable).values(data).returning();
+    return newPermission;
   }
   async update(id, data) {
-    const [updatedUser] = await this.db.update(usersTable).set(data).where(eq4(usersTable.id, id)).returning();
-    return updatedUser;
+    const [updatedPermission] = await this.db.update(permissionsTable).set(data).where(eq4(permissionsTable.id, id)).returning();
+    return updatedPermission;
   }
   async delete(id) {
-    const [deletedUser] = await this.db.delete(usersTable).where(eq4(usersTable.id, id)).returning();
-    return deletedUser;
+    const [deletedPermission] = await this.db.delete(permissionsTable).where(eq4(permissionsTable.id, id)).returning();
+    return deletedPermission;
   }
-  async deleteAll() {
-    const adminRole = await this.db.select({ id: rolesTable.id }).from(rolesTable).where(eq4(rolesTable.name, "admin")).limit(1);
-    if (adminRole.length === 0) {
-      const deletedUsers2 = await this.db.delete(usersTable).returning();
-      return deletedUsers2;
-    }
-    const deletedUsers = await this.db.delete(usersTable).where(ne(usersTable.roleId, adminRole[0].id)).returning();
-    return deletedUsers;
+  async getPermissionsByRole(roleId) {
+    return await this.db.select({
+      id: permissionsTable.id,
+      name: permissionsTable.name,
+      description: permissionsTable.description,
+      resource: permissionsTable.resource,
+      action: permissionsTable.action
+    }).from(rolePermissionsTable).leftJoin(permissionsTable, eq4(rolePermissionsTable.permissionId, permissionsTable.id)).where(eq4(rolePermissionsTable.roleId, roleId));
   }
-  async getRoleNameById(userId) {
-    const [role] = await this.db.select({
-      roleName: rolesTable.name
-    }).from(usersTable).leftJoin(rolesTable, eq4(usersTable.roleId, rolesTable.id)).where(eq4(usersTable.id, userId));
-    return role.roleName;
+  async getRolesByPermission(permissionId) {
+    return await this.db.select({
+      id: rolesTable.id,
+      name: rolesTable.name,
+      description: rolesTable.description
+    }).from(rolePermissionsTable).leftJoin(rolesTable, eq4(rolePermissionsTable.roleId, rolesTable.id)).where(eq4(rolePermissionsTable.permissionId, permissionId));
   }
-  async getUserPassword(email) {
-    const [user] = await this.db.select({
-      id: usersTable.id,
-      email: usersTable.email,
-      password: usersTable.password
-    }).from(usersTable).where(eq4(usersTable.email, email)).limit(1);
-    return user.password;
+  async assignPermissionToRole(roleId, permissionId) {
+    const [newRolePermission] = await this.db.insert(rolePermissionsTable).values({ roleId, permissionId }).returning();
+    return newRolePermission;
   }
-  async getUserPermissions(userId) {
-    const [user] = await this.db.select({ roleId: usersTable.roleId }).from(usersTable).where(eq4(usersTable.id, userId)).limit(1);
-    if (!user || !user.roleId) return [];
-    const userPermissions = await this.db.select({
-      name: permissionsTable.name
-    }).from(rolePermissionsTable).leftJoin(permissionsTable, eq4(rolePermissionsTable.permissionId, permissionsTable.id)).where(eq4(rolePermissionsTable.roleId, user.roleId));
-    return userPermissions.map((p) => p.name).filter((name) => name);
+  async removePermissionFromRole(roleId, permissionId) {
+    const [deletedRolePermission] = await this.db.delete(rolePermissionsTable).where(and(eq4(rolePermissionsTable.roleId, roleId), eq4(rolePermissionsTable.permissionId, permissionId))).returning();
+    return deletedRolePermission;
   }
-};
-UserRepository = __decorateClass([
+  async checkRoleHasPermission(roleId, permissionId) {
+    const [rolePermission] = await this.db.select().from(rolePermissionsTable).where(and(eq4(rolePermissionsTable.roleId, roleId), eq4(rolePermissionsTable.permissionId, permissionId)));
+    return !!rolePermission;
+  }
+  async deleteAll() {
+    await this.db.delete(rolePermissionsTable);
+    const deletedPermissions = await this.db.delete(permissionsTable).returning();
+    return deletedPermissions;
+  }
+}, __name(_a27, "PermissionRepository"), _a27);
+PermissionRepository = __decorate16([
   Repository4()
-], UserRepository);
+], PermissionRepository);
-// src/users/UserValidator.ts
-import { Injectable as Injectable11, t as t8 } from "najm-api";
-var UserValidator = class {
-  constructor(userRepository, encryptionService) {
-    this.userRepository = userRepository;
-    this.encryptionService = encryptionService;
+// src/permissions/PermissionGuards.ts
+import { createGuard as createGuard2, Injectable as Injectable10, GuardParams as GuardParams2, Headers as Headers2, Ctx as Ctx2 } from "najm-api";
+var __decorate17 = function(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata12 = function(k, v) {
+  if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param5 = function(paramIndex, decorator) {
+  return function(target, key) {
+    decorator(target, key, paramIndex);
+  };
+};
+var _a28;
+var _a29;
+var PermissionGuards = (_a29 = class {
+  constructor(tokenService) {
+    this.tokenService = tokenService;
   }
-  async validateCreateUser(data) {
-    return parseSchema(userSchema, data);
+  async getUserPermissions(auth) {
+    const permissions = await this.tokenService.getUserPermissions(auth);
+    if (!permissions || !Array.isArray(permissions))
+      return null;
+    return permissions;
   }
-  async isEmailExists(email) {
-    const existingUser = await this.userRepository.getByEmail(email);
-    return !!existingUser;
+  checkPermissionMatch(permissions, requiredPermission) {
+    if (permissions.includes(requiredPermission)) {
+      return true;
+    }
+    const [requiredAction, requiredResource] = requiredPermission.split(":");
+    if (requiredAction && requiredResource) {
+      if (permissions.includes(`${requiredAction}:*`)) {
+        return true;
+      }
+      if (permissions.includes(`*:${requiredResource}`)) {
+        return true;
+      }
+    }
+    if (permissions.includes("*:*")) {
+      return true;
+    }
+    return false;
   }
-  async isPasswordValid(password, hashedPassword) {
-    const isPasswordValid = await this.encryptionService.comparePassword(password, hashedPassword);
-    return !!isPasswordValid;
+  async hasPermission(auth, ctx, requiredPermission) {
+    await this.tokenService.storeUserInCache(auth, ctx);
+    const permissions = await this.getUserPermissions(auth);
+    if (!permissions)
+      return false;
+    const check = this.checkPermissionMatch(permissions, requiredPermission);
+    return check;
   }
-  async isUserExist(id) {
-    const existingUser = await this.userRepository.getById(id);
-    return !!existingUser;
+}, __name(_a29, "PermissionGuards"), _a29);
+__decorate17([
+  __param5(0, Headers2("authorization")),
+  __param5(1, Ctx2()),
+  __param5(2, GuardParams2()),
+  __metadata12("design:type", Function),
+  __metadata12("design:paramtypes", [Object, Object, Object]),
+  __metadata12("design:returntype", Promise)
+], PermissionGuards.prototype, "hasPermission", null);
+PermissionGuards = __decorate17([
+  Injectable10(),
+  __metadata12("design:paramtypes", [typeof (_a28 = typeof TokenService !== "undefined" && TokenService) === "function" ? _a28 : Object])
+], PermissionGuards);
+var Permission = /* @__PURE__ */ __name((...permissions) => createGuard2(PermissionGuards, "hasPermission")(...permissions), "Permission");
+// src/permissions/PermissionController.ts
+import { Controller as Controller4, Get as Get4, Post as Post4, Put as Put3, Delete as Delete3, Params as Params4, Body as Body4, t as t9 } from "najm-api";
+// src/permissions/PermissionService.ts
+import { Injectable as Injectable12 } from "najm-api";
+// src/permissions/PermissionValidator.ts
+import { Injectable as Injectable11, t as t8 } from "najm-api";
+import { z as z3 } from "zod";
+var __decorate18 = function(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata13 = function(k, v) {
+  if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var _a30;
+var _b5;
+var permissionSchema = z3.object({
+  name: z3.string().min(1, "Permission name is required"),
+  description: z3.string().optional(),
+  resource: z3.string().min(1, "Resource is required"),
+  action: z3.string().min(1, "Action is required")
+});
+var _a31;
+var PermissionValidator = (_a31 = class {
+  constructor(permissionRepository, roleValidator) {
+    this.permissionRepository = permissionRepository;
+    this.roleValidator = roleValidator;
   }
-  async checkUserIdIsUnique(id) {
-    if (!id) return;
-    const existingUser = await this.userRepository.getById(id);
-    if (existingUser) {
-      throw new Error(t8("users.errors.idExists"));
-    }
+  async validateCreatePermission(data) {
+    return parseSchema(permissionSchema, data);
   }
-  async isCorrectPass(password) {
-    return password && typeof password === "string" && password.trim().length > 0;
+  async isPermissionExists(id) {
+    const existingPermission = await this.permissionRepository.getById(id);
+    return !!existingPermission;
   }
-  async hasRole(userId, roles) {
-    const roleName = await this.userRepository.getRoleNameById(userId);
-    if (!roleName) {
-      throw Error(t8("auth.errors.accessDenied"));
-    }
-    const hasRole = roles.some(
-      (item) => roleName.toLowerCase() === item.toLowerCase()
-    );
-    if (!hasRole) {
-      throw Error(t8("auth.errors.accessDenied"));
-    }
-    return true;
+  async isPermissionNameExists(name) {
+    const existingPermission = await this.permissionRepository.getByName(name);
+    return !!existingPermission;
   }
   //======================= throw errors
-  async checkUserExistsByEmail(email) {
-    const user = await this.userRepository.getByEmail(email);
-    if (!user) {
-      throw new Error(t8("auth.errors.invalidCredentials"));
-    }
-    return user;
-  }
-  async checkUserExists(id) {
-    const userExists = await this.isUserExist(id);
-    if (!userExists) {
-      throw new Error(t8("users.errors.notFound"));
-    }
-    return userExists;
-  }
-  async checkEmailUnique(email, excludeId = null) {
-    if (!email) return;
-    const existingUser = await this.userRepository.getByEmail(email);
-    if (existingUser && existingUser.id !== excludeId) {
-      throw new Error(t8("auth.errors.emailExists"));
+  async checkPermissionExists(id) {
+    const permissionExists = await this.isPermissionExists(id);
+    if (!permissionExists) {
+      throw new Error(t8("permissions.errors.notFound"));
     }
+    return permissionExists;
   }
-  async checkEmailExists(email) {
-    const user = await this.userRepository.getByEmail(email);
-    if (!user) {
-      throw new Error(t8("users.errors.notFound"));
+  async checkPermissionExistsByName(name) {
+    const permissionExists = await this.isPermissionNameExists(name);
+    if (!permissionExists) {
+      throw new Error(t8("permissions.errors.notFound"));
     }
-    return user;
+    return permissionExists;
   }
-  async checkPasswordValid(password, hashedPassword) {
-    const isPasswordValid = await this.isPasswordValid(password, hashedPassword);
-    if (!isPasswordValid) {
-      throw new Error(t8("auth.errors.invalidCredentials"));
+  async checkPermissionNameUnique(name, excludeId = null) {
+    if (!name)
+      return;
+    const existingPermission = await this.permissionRepository.getByName(name);
+    if (existingPermission && existingPermission.id !== excludeId) {
+      throw new Error(t8("permissions.errors.nameExists"));
     }
   }
-};
-UserValidator = __decorateClass([
-  Injectable11()
-], UserValidator);
-// src/users/UserService.ts
-import { Injectable as Injectable12, setLanguage, getCurrentLanguage as getCurrentLanguage2, Transactional } from "najm-api";
-import { nanoid as nanoid2 } from "nanoid";
-var UserService = class {
-  constructor(roleValidator, roleService, userRepository, userValidator, encryptionService) {
-    this.roleValidator = roleValidator;
-    this.roleService = roleService;
-    this.userRepository = userRepository;
-    this.userValidator = userValidator;
-    this.encryptionService = encryptionService;
-  }
-  sanitizeUser(user) {
-    if (!user) return user;
-    const { password, ...sanitizedUser } = user;
-    return sanitizedUser;
-  }
-  sanitizeUsers(users) {
-    return users.map((user) => this.sanitizeUser(user));
-  }
-  async resolveUserRole(roleId, roleName) {
-    if (roleId) {
-      await this.roleValidator.checkRoleExists(roleId);
-      return roleId;
-    }
-    if (roleName) {
-      const roleByName = await this.roleService.getByName(roleName);
-      if (roleByName) {
-        return roleByName.id;
-      }
-      throw new Error(`Role '${roleName}' not found`);
+  async checkRoleExists(id) {
+    return await this.roleValidator.checkRoleExists(id);
+  }
+  async checkRoleExistsByName(name) {
+    return await this.roleValidator.checkRoleExistsByName(name);
+  }
+  async checkRoleHasPermission(roleId, permissionId) {
+    await this.roleValidator.checkRoleExists(roleId);
+    await this.checkPermissionExists(permissionId);
+    const hasPermission = await this.permissionRepository.checkRoleHasPermission(roleId, permissionId);
+    if (hasPermission) {
+      throw new Error(t8("permissions.errors.roleAlreadyHasPermission"));
     }
-    const defaultRole = await this.roleService.getByName("Student");
-    return defaultRole.id;
+  }
+}, __name(_a31, "PermissionValidator"), _a31);
+PermissionValidator = __decorate18([
+  Injectable11(),
+  __metadata13("design:paramtypes", [typeof (_a30 = typeof PermissionRepository !== "undefined" && PermissionRepository) === "function" ? _a30 : Object, typeof (_b5 = typeof RoleValidator !== "undefined" && RoleValidator) === "function" ? _b5 : Object])
+], PermissionValidator);
+// src/permissions/PermissionService.ts
+var __decorate19 = function(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata14 = function(k, v) {
+  if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var _a32;
+var _b6;
+var _c3;
+var _a33;
+var PermissionService = (_a33 = class {
+  constructor(permissionRepository, permissionValidator, roleService) {
+    this.permissionRepository = permissionRepository;
+    this.permissionValidator = permissionValidator;
+    this.roleService = roleService;
   }
   async getAll() {
-    const users = await this.userRepository.getAll();
-    return this.sanitizeUsers(users);
+    return await this.permissionRepository.getAll();
   }
   async getById(id) {
-    await this.userValidator.checkUserExists(id);
-    const user = await this.userRepository.getById(id);
-    return this.sanitizeUser(user);
+    await this.permissionValidator.checkPermissionExists(id);
+    return await this.permissionRepository.getById(id);
   }
-  async getByEmail(email) {
-    const user = await this.userValidator.checkUserExistsByEmail(email);
-    return this.sanitizeUser(user);
+  async getByName(name) {
+    return await this.permissionRepository.getByName(name);
+  }
+  async getByResource(resource) {
+    return await this.permissionRepository.getAll().then((permissions) => permissions.filter((p) => p.resource === resource));
   }
   async create(data) {
-    const { id, email, image, emailVerified, password, roleId, role } = data;
-    let userId = id || nanoid2(5);
-    let pass = password || "12345678";
-    await this.userValidator.checkEmailUnique(data.email);
-    await this.userValidator.checkUserIdIsUnique(id);
-    const hashedPassword = await this.encryptionService.hashPassword(pass);
-    const resolvedRoleId = await this.resolveUserRole(roleId, role);
-    const userDetails = {
-      id: userId,
-      email,
-      image,
-      password: hashedPassword,
-      roleId: resolvedRoleId,
-      emailVerified,
-      status: "pending"
-    };
-    await this.userValidator.validateCreateUser(userDetails);
-    const newUser = await this.userRepository.create(userDetails);
-    return this.sanitizeUser(newUser);
+    await this.permissionValidator.validateCreatePermission(data);
+    await this.permissionValidator.checkPermissionNameUnique(data.name);
+    return await this.permissionRepository.create(data);
   }
   async update(id, data) {
-    const { password, image } = data;
-    await this.userValidator.checkUserExists(id);
-    await this.userValidator.checkEmailUnique(data.email, id);
-    const currentUser = await this.userRepository.getById(id);
-    const hashedPassword = await this.encryptionService.hashPassword(password);
-    const updateData = {
-      ...data,
-      image,
-      ...hashedPassword && { password: hashedPassword }
-    };
-    const cleanedUpdateData = clean(updateData);
-    const updatedUser = await this.userRepository.update(id, cleanedUpdateData);
-    return this.sanitizeUser(updatedUser);
+    await this.permissionValidator.checkPermissionExists(id);
+    await this.permissionValidator.checkPermissionNameUnique(data.name, id);
+    return await this.permissionRepository.update(id, data);
   }
   async delete(id) {
-    await this.userValidator.checkUserExists(id);
-    const user = await this.userRepository.delete(id);
-    return this.sanitizeUser(user);
-  }
-  async deleteAll() {
-    const deletedUsers = await this.userRepository.deleteAll();
-    return this.sanitizeUsers(deletedUsers);
+    await this.permissionValidator.checkPermissionExists(id);
+    return await this.permissionRepository.delete(id);
   }
-  async getRoleName(id) {
-    await this.userValidator.checkUserExists(id);
-    return await this.userRepository.getRoleNameById(id);
+  async getPermissionsByRole(roleId) {
+    return await this.permissionRepository.getPermissionsByRole(roleId);
   }
-  async getPassword(email) {
-    await this.userValidator.checkUserExistsByEmail(email);
-    return await this.userRepository.getUserPassword(email);
+  async getRolesByPermission(permissionId) {
+    await this.permissionValidator.checkPermissionExists(permissionId);
+    return await this.permissionRepository.getRolesByPermission(permissionId);
   }
-  async assignRole(id, roleId, roleName) {
-    await this.userValidator.checkUserExists(id);
-    const resolvedRoleId = await this.resolveUserRole(roleId, roleName);
-    const updatedUser = await this.userRepository.update(id, { roleId: resolvedRoleId });
-    return this.sanitizeUser(updatedUser);
+  async assignPermissionToRole(roleId, permissionId) {
+    await this.permissionValidator.checkRoleHasPermission(roleId, permissionId);
+    return await this.permissionRepository.assignPermissionToRole(roleId, permissionId);
   }
-  async removeRole(id) {
-    await this.userValidator.checkUserExists(id);
-    const updatedUser = await this.userRepository.update(id, { roleId: null });
-    return this.sanitizeUser(updatedUser);
+  async removePermissionFromRole(roleId, permissionId) {
+    return await this.permissionRepository.removePermissionFromRole(roleId, permissionId);
   }
-  async seedAdminUser() {
-    const email = "admin@admin.com";
-    const adminRole = await this.roleValidator.checkAdminRoleExists();
-    const existingUser = await this.userRepository.getByEmail(email);
-    if (existingUser) {
-      await this.delete(existingUser.id);
+  async seedDefaultPermissions(defaultPermissions) {
+    const createdPermissions = [];
+    for (const permission of defaultPermissions) {
+      try {
+        const permissionEntity = await this.create(permission);
+        createdPermissions.push(permissionEntity);
+      } catch (error) {
+        continue;
+      }
     }
-    const newAdminUser = await this.create({
-      id: "USR00",
-      name: "System Administrator",
-      email,
-      password: "12345678",
-      image: null,
-      roleId: adminRole.id,
-      status: "active",
-      emailVerified: true
-    });
-    return this.sanitizeUser(newAdminUser);
+    return createdPermissions;
   }
-  async updateLang(language) {
-    setLanguage(language);
-    return language;
+  async seedDefaultRolePermissions(defaultRolePermissions) {
+    const results = [];
+    for (const { roleName, permissions } of defaultRolePermissions) {
+      try {
+        await this.permissionValidator.checkRoleExistsByName(roleName);
+        const role = await this.roleService.getByName(roleName);
+        for (const permissionName of permissions) {
+          try {
+            await this.permissionValidator.checkPermissionExistsByName(permissionName);
+            const permission = await this.getByName(permissionName);
+            await this.permissionValidator.checkRoleHasPermission(role.id, permission.id);
+            await this.assignPermissionToRole(role.id, permission.id);
+            results.push({ role: roleName, permission: permissionName });
+          } catch (error) {
+            continue;
+          }
+        }
+      } catch (error) {
+        continue;
+      }
+    }
+    return results;
   }
-  async getLang() {
-    return getCurrentLanguage2();
+  async deleteAll() {
+    return await this.permissionRepository.deleteAll();
   }
-};
-__decorateClass([
-  Transactional()
-], UserService.prototype, "create", 1);
-UserService = __decorateClass([
-  Injectable12()
-], UserService);
+}, __name(_a33, "PermissionService"), _a33);
+PermissionService = __decorate19([
+  Injectable12(),
+  __metadata14("design:paramtypes", [typeof (_a32 = typeof PermissionRepository !== "undefined" && PermissionRepository) === "function" ? _a32 : Object, typeof (_b6 = typeof PermissionValidator !== "undefined" && PermissionValidator) === "function" ? _b6 : Object, typeof (_c3 = typeof RoleService !== "undefined" && RoleService) === "function" ? _c3 : Object])
+], PermissionService);
-// src/users/UserController.ts
-import { Controller as Controller4, Get as Get4, Post as Post4, Put as Put3, Delete as Delete3, Params as Params4, Body as Body4, t as t9 } from "najm-api";
-var UserController = class {
-  constructor(userService) {
-    this.userService = userService;
+// src/permissions/PermissionController.ts
+var __decorate20 = function(decorators, target, key, desc) {
+  var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
+  if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
+  else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
+  return c > 3 && r && Object.defineProperty(target, key, r), r;
+};
+var __metadata15 = function(k, v) {
+  if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
+};
+var __param6 = function(paramIndex, decorator) {
+  return function(target, key) {
+    decorator(target, key, paramIndex);
+  };
+};
+var _a34;
+var _a35;
+var PermissionController = (_a35 = class {
+  constructor(permissionService) {
+    this.permissionService = permissionService;
   }
-  async getUsers() {
-    const users = await this.userService.getAll();
+  async getPermissions() {
+    const permissions = await this.permissionService.getAll();
     return {
-      data: users,
-      message: t9("users.success.retrieved"),
+      data: permissions,
+      message: t9("permissions.success.retrieved"),
       status: "success"
     };
   }
-  async getLang() {
-    const language = await this.userService.getLang();
+  async getPermission(id) {
+    const permission = await this.permissionService.getById(id);
     return {
-      data: { language },
-      message: t9("users.success.retrieved"),
+      data: permission,
+      message: t9("permissions.success.retrieved"),
       status: "success"
     };
   }
-  async updateLang(language) {
-    const data = await this.userService.updateLang(language);
+  async create(body) {
+    const newPermission = await this.permissionService.create(body);
     return {
-      data,
-      message: t9("users.success.updated"),
+      data: newPermission,
+      message: t9("permissions.success.created"),
       status: "success"
     };
   }
-  async getUser(id) {
-    const user = await this.userService.getById(id);
+  async update(id, body) {
+    const updatedPermission = await this.permissionService.update(id, body);
     return {
-      data: user,
-      message: t9("users.success.retrieved"),
+      data: updatedPermission,
+      message: t9("permissions.success.updated"),
       status: "success"
     };
   }
-  async getByEmail(email) {
-    const user = await this.userService.getByEmail(email);
+  async delete(id) {
+    const result = await this.permissionService.delete(id);
     return {
-      data: user,
-      message: t9("users.success.retrieved"),
+      data: result,
+      message: t9("permissions.success.deleted"),
       status: "success"
     };
   }
-  async getRole(userId) {
-    const role = await this.userService.getRoleName(userId);
+  async getByRole(roleId) {
+    const permissions = await this.permissionService.getPermissionsByRole(roleId);
     return {
-      data: role,
-      message: t9("users.success.retrieved"),
+      data: permissions,
+      message: t9("permissions.success.retrieved"),
       status: "success"
     };
   }
-  async create(body) {
-    const newUser = await this.userService.create(body);
+  async getRolesByPermission(permissionId) {
+    const roles = await this.permissionService.getRolesByPermission(permissionId);
     return {
-      data: newUser,
-      message: t9("users.success.created"),
+      data: roles,
+      message: t9("permissions.success.retrieved"),
       status: "success"
     };
   }
-  async update(id, body) {
-    const updatedUser = await this.userService.update(id, body);
+  async assignToRole(roleId, permissionId) {
+    const result = await this.permissionService.assignPermissionToRole(roleId, permissionId);
     return {
-      data: updatedUser,
-      message: t9("users.success.updated"),
+      data: result,
+      message: t9("permissions.success.assigned"),
       status: "success"
     };
   }
-  async delete(id) {
-    const result = await this.userService.delete(id);
+  async removeFromRole(roleId, permissionId) {
+    const result = await this.permissionService.removePermissionFromRole(roleId, permissionId);
     return {
       data: result,
-      message: t9("users.success.deleted"),
+      message: t9("permissions.success.removed"),
       status: "success"
     };
   }
   async deleteAll() {
-    const result = await this.userService.deleteAll();
+    const result = await this.permissionService.deleteAll();
     return {
       data: result,
-      message: t9("users.success.allDeleted"),
-      status: "success"
-    };
-  }
-  async assignRole(userId, roleId) {
-    await this.userService.assignRole(userId, roleId);
-    return {
-      message: t9("users.success.updated"),
-      status: "success"
-    };
-  }
-  async removeRole(userId) {
-    await this.userService.removeRole(userId);
-    return {
-      message: t9("users.success.updated"),
+      message: t9("permissions.success.allDeleted"),
       status: "success"
     };
   }
-};
-__decorateClass([
+}, __name(_a35, "PermissionController"), _a35);
+__decorate20([
   Get4(),
-  isAdmin()
-], UserController.prototype, "getUsers", 1);
-__decorateClass([
-  Get4("/lang"),
-  isAuth()
-], UserController.prototype, "getLang", 1);
-__decorateClass([
-  Post4("/lang/:language"),
-  isAuth(),
-  __decorateParam(0, Params4("language"))
-], UserController.prototype, "updateLang", 1);
-__decorateClass([
+  __metadata15("design:type", Function),
+  __metadata15("design:paramtypes", []),
+  __metadata15("design:returntype", Promise)
+], PermissionController.prototype, "getPermissions", null);
+__decorate20([
   Get4("/:id"),
-  isAdmin(),
-  __decorateParam(0, Params4("id"))
-], UserController.prototype, "getUser", 1);
-__decorateClass([
-  Get4("/email/:email"),
-  isAdmin(),
-  __decorateParam(0, Params4("email"))
-], UserController.prototype, "getByEmail", 1);
-__decorateClass([
-  Get4("/role/:userId"),
-  isAdmin(),
-  __decorateParam(0, Params4("userId"))
-], UserController.prototype, "getRole", 1);
-__decorateClass([
+  __param6(0, Params4("id")),
+  __metadata15("design:type", Function),
+  __metadata15("design:paramtypes", [String]),
+  __metadata15("design:returntype", Promise)
+], PermissionController.prototype, "getPermission", null);
+__decorate20([
   Post4(),
-  isAdmin(),
-  __decorateParam(0, Body4())
-], UserController.prototype, "create", 1);
-__decorateClass([
+  __param6(0, Body4()),
+  __metadata15("design:type", Function),
+  __metadata15("design:paramtypes", [Object]),
+  __metadata15("design:returntype", Promise)
+], PermissionController.prototype, "create", null);
+__decorate20([
   Put3("/:id"),
-  isAdmin(),
-  __decorateParam(0, Params4("id")),
-  __decorateParam(1, Body4())
-], UserController.prototype, "update", 1);
-__decorateClass([
+  __param6(0, Params4("id")),
+  __param6(1, Body4()),
+  __metadata15("design:type", Function),
+  __metadata15("design:paramtypes", [String, Object]),
+  __metadata15("design:returntype", Promise)
+], PermissionController.prototype, "update", null);
+__decorate20([
   Delete3("/:id"),
-  isAdmin(),
-  __decorateParam(0, Params4("id"))
-], UserController.prototype, "delete", 1);
-__decorateClass([
+  __param6(0, Params4("id")),
+  __metadata15("design:type", Function),
+  __metadata15("design:paramtypes", [String]),
+  __metadata15("design:returntype", Promise)
+], PermissionController.prototype, "delete", null);
+__decorate20([
+  Get4("/role/:roleId"),
+  __param6(0, Params4("roleId")),
+  __metadata15("design:type", Function),
+  __metadata15("design:paramtypes", [String]),
+  __metadata15("design:returntype", Promise)
+], PermissionController.prototype, "getByRole", null);
+__decorate20([
+  Get4("/roles/:permissionId"),
+  __param6(0, Params4("permissionId")),
+  __metadata15("design:type", Function),
+  __metadata15("design:paramtypes", [String]),
+  __metadata15("design:returntype", Promise)
+], PermissionController.prototype, "getRolesByPermission", null);
+__decorate20([
+  Post4("/assign/:roleId/:permissionId"),
+  __param6(0, Params4("roleId")),
+  __param6(1, Params4("permissionId")),
+  __metadata15("design:type", Function),
+  __metadata15("design:paramtypes", [String, String]),
+  __metadata15("design:returntype", Promise)
+], PermissionController.prototype, "assignToRole", null);
+__decorate20([
+  Delete3("/remove/:roleId/:permissionId"),
+  __param6(0, Params4("roleId")),
+  __param6(1, Params4("permissionId")),
+  __metadata15("design:type", Function),
+  __metadata15("design:paramtypes", [String, String]),
+  __metadata15("design:returntype", Promise)
+], PermissionController.prototype, "removeFromRole", null);
+__decorate20([
   Delete3(),
-  isAdmin()
-], UserController.prototype, "deleteAll", 1);
-__decorateClass([
-  Post4("/assign/:userId/:roleId"),
   isAdmin(),
-  __decorateParam(0, Params4("userId")),
-  __decorateParam(1, Params4("roleId"))
-], UserController.prototype, "assignRole", 1);
-__decorateClass([
-  Delete3("/remove/:userId"),
+  __metadata15("design:type", Function),
+  __metadata15("design:paramtypes", []),
+  __metadata15("design:returntype", Promise)
+], PermissionController.prototype, "deleteAll", null);
+PermissionController = __decorate20([
+  Controller4("/permissions"),
   isAdmin(),
-  __decorateParam(0, Params4("userId"))
-], UserController.prototype, "removeRole", 1);
-UserController = __decorateClass([
-  Controller4("/users")
-], UserController);
+  __metadata15("design:paramtypes", [typeof (_a34 = typeof PermissionService !== "undefined" && PermissionService) === "function" ? _a34 : Object])
+], PermissionController);
 // src/plugin.ts
 var AuthPlugin = {
   name: "najm-auth",
-  version: "0.1.3",
   database: "default",
   controllers: [
     UserController,
@@ -2539,16 +2924,7 @@ var AuthPlugin = {
     PermissionValidator,
     RoleGuards,
     PermissionGuards
-  ],
-  onSetup: async () => {
-    console.log("  \u2713 najm-auth plugin initialized");
-    console.log("    - Authentication endpoints ready");
-    console.log("    - Authorization system active");
-    console.log("    - Database connection established");
-  },
-  onTeardown: async () => {
-    console.log("  \u2713 najm-auth plugin cleanup complete");
-  }
+  ]
 };
 export {
   AuthController,
@@ -2684,19 +3060,19 @@ export {
   semesterEnum,
   settingsSchema,
   studentSchema,
-  studentStatusEnum,
+  studentStatusEnum2 as studentStatusEnum,
   subjectSchema,
   submissionTypeEnum,
   teacherFullSchema,
   teacherPersonalSchema,
   teacherProfessionalSchema,
   teacherStatusEnum,
-  tokenStatusEnum,
-  tokenTypeEnum,
+  tokenStatusEnum2 as tokenStatusEnum,
+  tokenTypeEnum2 as tokenTypeEnum,
   tokensTable,
   trackerModeEnum,
   userSchema,
-  userStatusEnum,
+  userStatusEnum2 as userStatusEnum,
   userTypeEnum,
   usersTable,
   vehicleDocumentTypeEnum,