@mbc-cqrs-serverless/core/dist/guard/roles.guard.js

CQRS and event base core

"use strict";
var __decorate = (this && this.__decorate) || function (decorators, target, key, desc) {
    var c = arguments.length, r = c < 3 ? target : desc === null ? desc = Object.getOwnPropertyDescriptor(target, key) : desc, d;
    if (typeof Reflect === "object" && typeof Reflect.decorate === "function") r = Reflect.decorate(decorators, target, key, desc);
    else for (var i = decorators.length - 1; i >= 0; i--) if (d = decorators[i]) r = (c < 3 ? d(r) : c > 3 ? d(target, key, r) : d(target, key)) || r;
    return c > 3 && r && Object.defineProperty(target, key, r), r;
};
var __metadata = (this && this.__metadata) || function (k, v) {
    if (typeof Reflect === "object" && typeof Reflect.metadata === "function") return Reflect.metadata(k, v);
};
var RolesGuard_1;
Object.defineProperty(exports, "__esModule", { value: true });
exports.RolesGuard = void 0;
const common_1 = require("@nestjs/common");
const core_1 = require("@nestjs/core");
const constants_1 = require("../constants");
const context_1 = require("../context");
const decorators_1 = require("../decorators");
let RolesGuard = RolesGuard_1 = class RolesGuard {
    constructor(reflector) {
        this.reflector = reflector;
        this.logger = new common_1.Logger(RolesGuard_1.name);
    }
    async canActivate(context) {
        // check tenant
        const allowedTenant = await this.verifyTenant(context);
        if (!allowedTenant) {
            return false;
        }
        // check role permissions
        const allowedRole = await this.verifyRole(context);
        return allowedRole;
    }
    /**
     * Verify tenant access.
     * This method checks if the user has valid tenant access, including
     * validation for header-based tenant override.
     */
    async verifyTenant(context) {
        const userContext = (0, context_1.getUserContext)(context);
        // Tenant code is required
        if (!userContext.tenantCode) {
            return false;
        }
        // If tenant code comes from header (not from custom:tenant), verify permission
        if (this.isHeaderOverride(context, userContext)) {
            return this.canOverrideTenant(context, userContext);
        }
        return true;
    }
    /**
     * Check if tenant code was provided via header override (no custom:tenant in JWT).
     * Override this method to customize header override detection logic.
     */
    isHeaderOverride(context, userContext) {
        const claims = this.getAuthorizerClaims(context);
        // If custom:tenant exists in JWT, it's not a header override
        return !claims['custom:tenant'] && !!userContext.tenantCode;
    }
    /**
     * Check if user can override tenant via header.
     * Override this method to implement custom authorization logic for cross-tenant access.
     *
     * Default behavior:
     * - Allow access to common tenant codes (e.g., 'common')
     * - Allow users with cross-tenant roles (e.g., 'system_admin')
     */
    canOverrideTenant(context, userContext) {
        // Allow access to common tenant
        if (this.getCommonTenantCodes().includes(userContext.tenantCode)) {
            return true;
        }
        // Allow users with cross-tenant roles
        return this.getCrossTenantRoles().includes(userContext.tenantRole);
    }
    /**
     * Get list of common tenant codes that anyone can access via header.
     * By default, reads from COMMON_TENANT_CODES environment variable (comma-separated).
     * Override this method to customize common tenant codes.
     *
     * Example override in application:
     * ```typescript
     * protected getCommonTenantCodes(): string[] {
     *   const codes = this.configService.get('COMMON_TENANT_CODES', 'common')
     *   return codes.split(',').map(c => c.trim())
     * }
     * ```
     */
    getCommonTenantCodes() {
        return constants_1.DEFAULT_COMMON_TENANT_CODES;
    }
    /**
     * Get list of roles that can perform cross-tenant operations via header override.
     * By default, reads from CROSS_TENANT_ROLES environment variable (comma-separated).
     * Override this method to customize cross-tenant roles.
     *
     * Example override in application:
     * ```typescript
     * protected getCrossTenantRoles(): string[] {
     *   const roles = this.configService.get('CROSS_TENANT_ROLES', 'system_admin,general_manager')
     *   return roles.split(',').map(r => r.trim())
     * }
     * ```
     */
    getCrossTenantRoles() {
        return constants_1.DEFAULT_CROSS_TENANT_ROLES;
    }
    /**
     * Get JWT authorizer claims from execution context.
     * This is a helper method that can be used by subclasses.
     */
    getAuthorizerClaims(context) {
        const invokeContext = (0, context_1.extractInvokeContext)(context);
        return (0, context_1.getAuthorizerClaims)(invokeContext);
    }
    async verifyRole(context) {
        const requiredRoles = this.reflector.getAllAndOverride(decorators_1.ROLE_METADATA, [context.getHandler(), context.getClass()]);
        if (!requiredRoles || !requiredRoles.length) {
            // all user can access
            return true;
        }
        const userRole = await this.getUserRole(context);
        if (!userRole) {
            return false;
        }
        if (userRole === constants_1.ROLE_SYSTEM_ADMIN) {
            return true;
        }
        return requiredRoles.includes(userRole);
    }
    // eslint-disable-next-line @typescript-eslint/no-unused-vars
    async getUserRole(context) {
        const userContext = (0, context_1.getUserContext)(context);
        return userContext.tenantRole;
    }
};
exports.RolesGuard = RolesGuard;
exports.RolesGuard = RolesGuard = RolesGuard_1 = __decorate([
    (0, common_1.Injectable)(),
    __metadata("design:paramtypes", [core_1.Reflector])
], RolesGuard);
//# sourceMappingURL=roles.guard.js.map