Phase 1a - Database Setup: - Add PostgreSQL connection pooling with pg client - Create 8 SQL migrations for all database schemas - Implement migration execution system with tracking - Add environment configuration for database and JWT settings Phase 1b - Authentication & Authorization: - Implement password hashing with bcrypt - Create JWT token generation (access + refresh tokens) - Implement RBAC with 5 roles (Admin, Manager, Analyst, Auditor, Viewer) - Create auth middleware for authentication and authorization - Add auth routes (login, register, refresh, logout, profile) Phase 1c - API Endpoints (Full CRUD): - Transaction endpoints with evaluation and batch processing - Account management (treasury and subledger accounts) - User management (admin-only) - FX contract management - Compliance endpoints (rules, results, thresholds) - Reporting endpoints (summary, compliance, audit logs) - Health check endpoints with database status Phase 1d - Data Seeding: - Create database seeding system with roles, permissions, users - Add sample data (treasury accounts, FX contracts) - Implement admin user creation from environment variables All endpoints protected with authentication and role-based access control.
/**
 * Role and Permission Definitions
 *
 * Defines the RBAC roles, the permissions granted to each role, and the
 * helpers used to check whether a role (or set of roles) holds a permission.
 */

/**
 * Roles a principal can hold.
 *
 * The string values are the role names used at runtime: they key
 * ROLE_DESCRIPTIONS and ROLE_PERMISSIONS below, and presumably are what is
 * persisted on user records and carried in tokens (verify against the auth
 * layer). Renaming a value therefore changes what an already-stored role
 * resolves to.
 */
export enum Role {
  // Granted every Permission, including SYSTEM_ADMIN and the USER_* and
  // *_DELETE permissions no other role holds (see ROLE_PERMISSIONS).
  ADMIN = 'Admin',
  // Create/read/update on transactions, accounts and FX contracts; no delete,
  // no user management.
  MANAGER = 'Manager',
  // Create/read/update transactions; read-only on accounts, FX contracts and
  // compliance; can create reports.
  ANALYST = 'Analyst',
  // Read-only, and the only non-admin role granted AUDIT_READ.
  AUDITOR = 'Auditor',
  // Smallest grant: TRANSACTION_READ and REPORT_READ only.
  VIEWER = 'Viewer',
}

/**
 * Human-readable description of each role.
 *
 * Display text only: nothing in this file enforces these sentences; the
 * enforced grant is ROLE_PERMISSIONS. NOTE(review): the two are not fully in
 * step — the Auditor text promises access to "all data", but
 * ROLE_PERMISSIONS[Role.AUDITOR] does not include USER_READ. Decide which is
 * intended and align them.
 */
export const ROLE_DESCRIPTIONS: Record<Role, string> = {
  [Role.ADMIN]: 'Full access to all features and user management',
  [Role.MANAGER]: 'Can create, update, and manage transactions and accounts',
  [Role.ANALYST]: 'Can create and view transactions, generate reports',
  [Role.AUDITOR]: 'Read-only access to all data and audit logs',
  [Role.VIEWER]: 'Read-only access to dashboard and summary reports',
};

/**
 * Fine-grained permissions checked by the authorization helpers.
 *
 * Values follow a `resource:action` naming scheme. Permissions are only
 * meaningful through ROLE_PERMISSIONS: adding a member here grants nothing
 * until it is added to at least one role's list there (the Admin list is
 * spelled out explicitly, not derived from this enum).
 */
export enum Permission {
  // User management — held by Admin only (see ROLE_PERMISSIONS)
  USER_CREATE = 'user:create',
  USER_READ = 'user:read',
  USER_UPDATE = 'user:update',
  USER_DELETE = 'user:delete',

  // Transaction management
  TRANSACTION_CREATE = 'transaction:create',
  TRANSACTION_READ = 'transaction:read',
  TRANSACTION_UPDATE = 'transaction:update',
  TRANSACTION_DELETE = 'transaction:delete',

  // Account management
  ACCOUNT_CREATE = 'account:create',
  ACCOUNT_READ = 'account:read',
  ACCOUNT_UPDATE = 'account:update',
  ACCOUNT_DELETE = 'account:delete',

  // FX Contracts
  FX_CONTRACT_CREATE = 'fx_contract:create',
  FX_CONTRACT_READ = 'fx_contract:read',
  FX_CONTRACT_UPDATE = 'fx_contract:update',
  FX_CONTRACT_DELETE = 'fx_contract:delete',

  // Compliance & Regulatory
  COMPLIANCE_READ = 'compliance:read',
  COMPLIANCE_UPDATE = 'compliance:update',

  // Reports & Audit
  REPORT_READ = 'report:read',
  REPORT_CREATE = 'report:create',
  // Held by Admin and Auditor only
  AUDIT_READ = 'audit:read',

  // System — held by Admin only
  SYSTEM_ADMIN = 'system:admin',
}

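/**
 * The authorization table: the permissions granted to each role.
 *
 * This is the single source of truth consulted by hasPermission and the
 * helpers built on it, so it is frozen (outer object and every inner array)
 * and typed read-only. Mutating it after module load — for example a stray
 * `ROLE_PERMISSIONS[Role.VIEWER].push(...)` anywhere in the process — would
 * silently change authorization decisions; with the freeze such an attempt
 * throws a TypeError instead. Callers that need a mutable copy should spread
 * the array they read.
 *
 * Grants are explicit per role (no inheritance between roles, and the Admin
 * list is not derived from the Permission enum); a new Permission must be
 * added here to have any effect.
 */
export const ROLE_PERMISSIONS: Readonly<Record<Role, readonly Permission[]>> = Object.freeze({
  [Role.ADMIN]: Object.freeze([
    // Full access to everything
    Permission.USER_CREATE,
    Permission.USER_READ,
    Permission.USER_UPDATE,
    Permission.USER_DELETE,
    Permission.TRANSACTION_CREATE,
    Permission.TRANSACTION_READ,
    Permission.TRANSACTION_UPDATE,
    Permission.TRANSACTION_DELETE,
    Permission.ACCOUNT_CREATE,
    Permission.ACCOUNT_READ,
    Permission.ACCOUNT_UPDATE,
    Permission.ACCOUNT_DELETE,
    Permission.FX_CONTRACT_CREATE,
    Permission.FX_CONTRACT_READ,
    Permission.FX_CONTRACT_UPDATE,
    Permission.FX_CONTRACT_DELETE,
    Permission.COMPLIANCE_READ,
    Permission.COMPLIANCE_UPDATE,
    Permission.REPORT_READ,
    Permission.REPORT_CREATE,
    Permission.AUDIT_READ,
    Permission.SYSTEM_ADMIN,
  ]),

  [Role.MANAGER]: Object.freeze([
    // Create/read/update on the business objects; no delete, no user management
    Permission.TRANSACTION_CREATE,
    Permission.TRANSACTION_READ,
    Permission.TRANSACTION_UPDATE,
    Permission.ACCOUNT_CREATE,
    Permission.ACCOUNT_READ,
    Permission.ACCOUNT_UPDATE,
    Permission.FX_CONTRACT_CREATE,
    Permission.FX_CONTRACT_READ,
    Permission.FX_CONTRACT_UPDATE,
    Permission.COMPLIANCE_READ,
    Permission.REPORT_READ,
    Permission.REPORT_CREATE,
  ]),

  [Role.ANALYST]: Object.freeze([
    // Works on transactions and reports; read-only elsewhere
    Permission.TRANSACTION_CREATE,
    Permission.TRANSACTION_READ,
    Permission.TRANSACTION_UPDATE,
    Permission.ACCOUNT_READ,
    Permission.FX_CONTRACT_READ,
    Permission.COMPLIANCE_READ,
    Permission.REPORT_READ,
    Permission.REPORT_CREATE,
  ]),

  [Role.AUDITOR]: Object.freeze([
    // Read-only; the only non-admin role with AUDIT_READ. Note: no USER_READ.
    Permission.TRANSACTION_READ,
    Permission.ACCOUNT_READ,
    Permission.FX_CONTRACT_READ,
    Permission.COMPLIANCE_READ,
    Permission.REPORT_READ,
    Permission.AUDIT_READ,
  ]),

  [Role.VIEWER]: Object.freeze([
    Permission.TRANSACTION_READ,
    Permission.REPORT_READ,
  ]),
});
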
/**
 * Check whether a single role is granted a permission.
 *
 * Looks the role up in ROLE_PERMISSIONS. A role value with no entry in the
 * table (e.g. a string that was cast to Role but is not one of its members)
 * yields false, so unknown roles are denied rather than throwing.
 *
 * @param role - the role to check
 * @param permission - the permission required
 * @returns true only when the role's grant list contains the permission
 */
export function hasPermission(role: Role, permission: Permission): boolean {
  // Typed as possibly undefined on purpose: the lookup is not guaranteed to
  // hit when `role` did not come from the enum itself.
  const granted: readonly Permission[] | undefined = ROLE_PERMISSIONS[role];
  if (granted === undefined) {
    return false;
  }
  return granted.includes(permission);
}

/**
 * Check whether at least one of the given roles is granted a permission.
 *
 * Stops at the first role that holds the permission. An empty roles list
 * yields false (nothing is granted), which is the fail-closed default.
 *
 * @param roles - roles held by the principal
 * @param permission - the permission required
 * @returns true when any role in `roles` grants `permission`
 */
export function hasPermissionAny(roles: Role[], permission: Permission): boolean {
  for (const candidate of roles) {
    if (hasPermission(candidate, permission)) {
      return true;
    }
  }
  return false;
}

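/**
 * Check whether every one of the given roles is granted a permission.
 *
 * An empty roles list returns false. The previous `roles.every(...)` form was
 * vacuously true for an empty list, so a principal with no roles at all would
 * have passed any "all roles" check; an authorization helper should fail
 * closed on that input, matching hasPermissionAny.
 *
 * @param roles - roles held by the principal
 * @param permission - the permission required
 * @returns true when `roles` is non-empty and each role grants `permission`
 */
export function hasPermissionAll(roles: Role[], permission: Permission): boolean {
  if (roles.length === 0) {
    return false;
  }
  for (const candidate of roles) {
    // First miss decides; no need to scan the rest.
    if (!hasPermission(candidate, permission)) {
      return false;
    }
  }
  return true;
}
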
/**
 * Collect the union of permissions granted to a set of roles.
 *
 * Duplicates are removed (a permission granted by two roles appears once) and
 * the order of first appearance is kept: roles in the order given, then each
 * role's permissions in ROLE_PERMISSIONS order. Roles with no table entry
 * contribute nothing. An empty roles list yields an empty array.
 *
 * @param roles - roles held by the principal
 * @returns the distinct permissions granted by any of `roles`
 */
export function getPermissionsForRoles(roles: Role[]): Permission[] {
  const granted = roles.reduce<Permission[]>(
    (acc, candidate) => acc.concat(ROLE_PERMISSIONS[candidate] || []),
    [],
  );
  // Set preserves insertion order, so first-seen order survives the dedupe.
  return Array.from(new Set(granted));
}
