allagroup/nextjs-elysia-allaos
Template
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
Files
setup-project
nextjs-elysia-allaos/docs/checklist-phase2-middleware.md
phaichayon 043edff93a setup
2026-04-26 00:15:22 +07:00

299 lines
7.6 KiB
Markdown
Raw Permalink Blame History

# Phase 2: Branch Middleware (ElysiaJS) - Checklist
## ✅ Overview
Implement branch validation middleware to enforce multi-tenant access control, integrate with Keycloak groups, and provide branch context to all routes.
## 📋 Completed Tasks
### Middleware Implementation
- [x] Create `src/middleware/branch.ts`
- [x] Define BranchContext interface
- [x] Define AccessibleBranch interface
- [x] Implement branchMiddleware using Elysia's derive
- [x] Add branch validation logic
- [x] Add error handling for unauthorized access
- [x] Add error handling for inactive branches
- [x] Implement default branch selection
- [x] Export helper functions (canAccessBranch, getDefaultBranch)
### Type Safety
- [x] Fix TypeScript type errors
- [x] Correct database import path
- [x] Make BranchContext extend Record<string, unknown>
- [x] Handle nullable isActive field
### Documentation
- [x] Add comprehensive JSDoc comments
- [x] Add usage examples
- [x] Document TODOs for authentication integration
## 🎯 Key Features Implemented
### 1. Branch Context Injection
- ✅ Automatically injects branch context into all routes
- ✅ Provides `currentBranchId`, `currentBranchCode`, `userId`
- ✅ Exposes `accessibleBranches` for UI controls
- ✅ Exposes `userGroups` for permission checks
### 2. Branch Access Validation
- ✅ Validates `x-branch-id` header
- ✅ Checks user's Keycloak groups
- ✅ Prevents cross-branch access
- ✅ Blocks inactive branches
### 3. Error Handling
- ✅ Clear error messages for unauthorized access
- ✅ Helpful error for missing branch access
- ✅ Inactive branch blocking
### 4. Helper Functions
-`canAccessBranch()` - Check if user can access specific branch
-`getDefaultBranch()` - Get user's default branch
-`getUserAccessibleBranches()` - Fetch accessible branches from DB
## 📊 Middleware Flow
```
Request
Extract User ID & Groups (JWT/Session)
Get Accessible Branches from DB
Check x-branch-id Header
Validate Branch Access
Inject Branch Context
Route Handler
```
## 🔧 Usage Examples
### Basic Usage
```typescript
import { Elysia } from "elysia";
import { branchMiddleware } from "@/middleware/branch";
const app = new Elysia()
.use(branchMiddleware)
.get("/customers", async ({ currentBranchId, userId }) => {
// currentBranchId is automatically available
const customers = await getCustomersByBranch(currentBranchId);
return customers;
});
```
### Branch-Specific Operations
```typescript
app.get("/quotations/:id", async ({ params, currentBranchId }) => {
const quotation = await getQuotationById(params.id, currentBranchId);
if (!quotation) {
throw new Error("Quotation not found or access denied");
}
return quotation;
});
```
### Multi-Branch UI Support
```typescript
app.get("/api/me/branches", async ({ accessibleBranches }) => {
// Return all branches user can access for UI dropdown
return accessibleBranches;
});
```
### Manual Access Check
```typescript
import { canAccessBranch } from "@/middleware/branch";
app.post(
"/admin/transfer",
async ({ body, currentBranchId, accessibleBranches }) => {
const targetBranchId = body.targetBranchId;
if (!canAccessBranch(accessibleBranches, targetBranchId)) {
throw new Error("Cannot transfer to branch you don't have access to");
}
// Proceed with transfer
},
);
```
## 🚨 Important Notes
### Authentication Integration (TODO)
The middleware currently has TODOs for proper authentication:
```typescript
// TODO: Implement proper JWT/session extraction
function extractUserIdFromRequest(request: Request): string | null {
// Replace with actual JWT verification
const token = request.headers.get("authorization")?.replace("Bearer ", "");
const decoded = jwt.verify(token, process.env.JWT_SECRET);
return decoded.userId;
}
```
This will be implemented in **Phase 3: Keycloak Integration**.
### Header Requirement
All requests must include the `x-branch-id` header to specify the target branch:
```bash
curl -H "x-branch-id: <branch-uuid>" \
-H "authorization: Bearer <jwt-token>" \
http://localhost:3000/api/customers
```
If no header is provided, the middleware uses the user's first accessible branch as default.
### Branch Inactivation
When a branch is marked as inactive (`isActive: false`):
- Users cannot switch to that branch
- Existing sessions on that branch will fail
- Data remains intact but inaccessible
## 🔍 Testing Checklist
### Unit Tests (TODO)
- [ ] Test user extraction from JWT
- [ ] Test group extraction from JWT
- [ ] Test accessible branches fetching
- [ ] Test branch validation (valid branch)
- [ ] Test branch validation (invalid branch)
- [ ] Test branch validation (inactive branch)
- [ ] Test default branch selection
- [ ] Test error messages
### Integration Tests (TODO)
- [ ] Test middleware with real Elysia app
- [ ] Test cross-branch access prevention
- [ ] Test multiple branch access
- [ ] Test header-based branch switching
- [ ] Test unauthorized user handling
## 📝 Known Limitations
1. **Authentication Not Yet Implemented**
- Current implementation returns `null` for user ID
- Must be completed in Phase 3
- Testing requires mock authentication
2. **Branch Group Mapping Hardcoded**
- Currently maps `["alla", "onvalla"]`
- Could be made configurable
- Consider dynamic branch group discovery
3. **Performance**
- Fetches branches on every request
- Consider caching accessible branches
- Could store in session/JWT
## 🔄 Next Steps
### Immediate (Phase 2)
- [ ] Write unit tests
- [ ] Write integration tests
- [ ] Add logging/middleware
- [ ] Document API changes
### Phase 3: Keycloak Integration
- [ ] Implement JWT verification
- [ ] Implement user ID extraction
- [ ] Implement group extraction
- [ ] Add token refresh logic
- [ ] Test with real Keycloak
### Phase 5: Controllers Update
- [ ] Remove `/:branch` path parameters
- [ ] Update all routes to use middleware context
- [ ] Add branch context to responses
- [ ] Update API documentation
## 📊 File Changes
### Created Files
-`src/middleware/branch.ts` (205 lines)
### Modified Files
- None yet (controllers will be updated in Phase 5)
### Documentation Files
-`docs/checklist-phase2-middleware.md`
## ✨ Success Criteria
- [x] Middleware validates branch access
- [x] Prevents cross-branch data access
- [x] Provides branch context to routes
- [x] Handles inactive branches
- [x] Returns clear error messages
- [x] TypeScript types are correct
- [x] Helper functions work correctly
- [x] Documentation is complete
- [ ] Unit tests pass
- [ ] Integration tests pass
- [ ] JWT authentication works (Phase 3)
## 🎯 Security Considerations
1. **Branch Isolation**
- Users can only access their assigned branches
- Cross-branch requests are blocked
2. **Header Validation**
- Validates branch exists and is active
- Checks user has permission
3. **Session Security** (Pending Phase 3)
- JWT tokens must be verified
- Token expiration must be checked
- Revoked tokens must be rejected
4. **Error Messages**
- Don't expose internal structure
- Don't reveal other branches
- Generic "access denied" for security
## 📚 References
- [Elysia Middleware Documentation](https://elysiajs.com/plugins/lifecycle.html#derive)
- [Drizzle ORM Documentation](https://orm.drizzle.team/)
- [Keycloak JWT Documentation](https://www.keycloak.org/docs/latest/securing_apps/#_token-introspection)
---
**Phase 2 Status:** ✅ CORE COMPLETED (Tests Pending)
**Completion Date:** 2026-04-23
**Next Phase:** Phase 3 - Keycloak Integration
**Blocking:** Tests, Phase 3 (Authentication)
Reference in New Issue View Git Blame Copy Permalink