np-dms/lcbp3
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

251206:1710 specs: frontend plan P1,P3 wait Verification
Some checks failed
Spec Validation / validate-markdown (push) Has been cancelled
Details
Spec Validation / validate-diagrams (push) Has been cancelled
Details
Spec Validation / check-todos (push) Has been cancelled
Details

Browse Source
This commit is contained in:
admin
2025-12-06 17:10:56 +07:00
parent be3b71007a
commit 5c49bac772
40 changed files with 977 additions and 244 deletions
Download Patch File Download Diff File Expand all files Collapse all files

59
backend/src/common/auth/auth.controller.ts
View File

@@ -18,10 +18,16 @@ import { LoginDto } from './dto/login.dto.js';
import { RegisterDto } from './dto/register.dto.js';
import { JwtAuthGuard } from '../guards/jwt-auth.guard.js';
import { JwtRefreshGuard } from '../guards/jwt-refresh.guard.js';
import { ApiTags, ApiOperation, ApiBearerAuth } from '@nestjs/swagger';
import { Request } from 'express'; // ✅ Import Request
import {
ApiTags,
ApiOperation,
ApiBearerAuth,
ApiResponse,
ApiBody,
} from '@nestjs/swagger';
import { Request } from 'express';
// สร้าง Interface สำหรับ Request ที่มี User (เพื่อให้ TS รู้จัก req.user)
// สร้าง Interface สำหรับ Request ที่มี User
interface RequestWithUser extends Request {
user: any;
}
@@ -34,11 +40,24 @@ export class AuthController {
@Post('login')
@Throttle({ default: { limit: 5, ttl: 60000 } })
@HttpCode(HttpStatus.OK)
@ApiOperation({ summary: 'เข้าสู่ระบบเพื่อรับ Access & Refresh Token' })
@ApiOperation({ summary: 'Login to get Access & Refresh Token' })
@ApiBody({ type: LoginDto })
@ApiResponse({
status: 200,
description: 'Login successful',
schema: {
type: 'object',
properties: {
access_token: { type: 'string' },
refresh_token: { type: 'string' },
user: { type: 'object' },
},
},
})
async login(@Body() loginDto: LoginDto) {
const user = await this.authService.validateUser(
loginDto.username,
loginDto.password,
loginDto.password
);
if (!user) {
@@ -51,7 +70,9 @@ export class AuthController {
@Post('register-admin')
@UseGuards(JwtAuthGuard)
@ApiBearerAuth()
@ApiOperation({ summary: 'สร้างบัญชีผู้ใช้ใหม่ (Admin Only)' })
@ApiOperation({ summary: 'Create new user (Admin Only)' })
@ApiBody({ type: RegisterDto })
@ApiResponse({ status: 201, description: 'User registered' })
async register(@Body() registerDto: RegisterDto) {
return this.authService.register(registerDto);
}
@@ -59,9 +80,20 @@ export class AuthController {
@UseGuards(JwtRefreshGuard)
@Post('refresh')
@HttpCode(HttpStatus.OK)
@ApiOperation({ summary: 'ขอ Access Token ใหม่ด้วย Refresh Token' })
@ApiBearerAuth()
@ApiOperation({ summary: 'Refresh Access Token using Refresh Token' })
@ApiResponse({
status: 200,
description: 'Token refreshed',
schema: {
type: 'object',
properties: {
access_token: { type: 'string' },
refresh_token: { type: 'string' },
},
},
})
async refresh(@Req() req: RequestWithUser) {
// ✅ ระบุ Type ชัดเจน
return this.authService.refreshToken(req.user.sub, req.user.refreshToken);
}
@@ -69,23 +101,24 @@ export class AuthController {
@Post('logout')
@HttpCode(HttpStatus.OK)
@ApiBearerAuth()
@ApiOperation({ summary: 'ออกจากระบบ (Revoke Token)' })
@ApiOperation({ summary: 'Logout (Revoke Tokens)' })
@ApiResponse({ status: 200, description: 'Logged out successfully' })
async logout(@Req() req: RequestWithUser) {
// ✅ ระบุ Type ชัดเจน
const token = req.headers.authorization?.split(' ')[1];
// ต้องเช็คว่ามี token หรือไม่ เพื่อป้องกัน runtime error
if (!token) {
return { message: 'No token provided' };
}
// ส่ง refresh token ไปด้วยถ้ามี (ใน header หรือ body)
// สำหรับตอนนี้ส่งแค่ access token ไป blacklist
return this.authService.logout(req.user.sub, token);
}
@UseGuards(JwtAuthGuard)
@Get('profile')
@ApiBearerAuth()
@ApiOperation({ summary: 'ดึงข้อมูลผู้ใช้ปัจจุบัน' })
@ApiOperation({ summary: 'Get current user profile' })
@ApiResponse({ status: 200, description: 'User profile' })
getProfile(@Req() req: RequestWithUser) {
// ✅ ระบุ Type ชัดเจน
return req.user;
}
}

24
backend/src/common/auth/auth.module.ts
View File

@@ -1,6 +1,7 @@
// File: src/common/auth/auth.module.ts
// บันทึกการแก้ไข: แก้ไข Type Mismatch ของ expiresIn (Fix TS2322)
// [P0-1] เพิ่ม CASL RBAC Integration
// [P2-2] Register RefreshToken Entity
import { Module } from '@nestjs/common';
import { JwtModule } from '@nestjs/jwt';
@@ -13,18 +14,19 @@ import { UserModule } from '../../modules/user/user.module.js';
import { JwtStrategy } from './strategies/jwt.strategy.js';
import { JwtRefreshStrategy } from './strategies/jwt-refresh.strategy.js';
import { User } from '../../modules/user/entities/user.entity';
import { CaslModule } from './casl/casl.module'; // [P0-1] Import CASL
import { PermissionsGuard } from './guards/permissions.guard'; // [P0-1] Import Guard
import { RefreshToken } from './entities/refresh-token.entity'; // [P2-2]
import { CaslModule } from './casl/casl.module';
import { PermissionsGuard } from './guards/permissions.guard';
@Module({
imports: [
TypeOrmModule.forFeature([User]),
TypeOrmModule.forFeature([User, RefreshToken]), // [P2-2] Added RefreshToken
UserModule,
PassportModule,
JwtModule.registerAsync({
imports: [ConfigModule],
inject: [ConfigService],
useFactory: async (configService: ConfigService) => ({
useFactory: (configService: ConfigService) => ({
secret: configService.get<string>('JWT_SECRET'),
signOptions: {
expiresIn: (configService.get<string>('JWT_EXPIRATION') ||
@@ -32,18 +34,10 @@ import { PermissionsGuard } from './guards/permissions.guard'; // [P0-1] Import
},
}),
}),
CaslModule, // [P0-1] Import CASL module
],
providers: [
AuthService,
JwtStrategy,
JwtRefreshStrategy,
PermissionsGuard, // [P0-1] Register PermissionsGuard
CaslModule,
],
providers: [AuthService, JwtStrategy, JwtRefreshStrategy, PermissionsGuard],
controllers: [AuthController],
exports: [
AuthService,
PermissionsGuard, // [P0-1] Export for use in other modules
],
exports: [AuthService, PermissionsGuard],
})
export class AuthModule {}

154
backend/src/common/auth/auth.service.ts
View File

@@ -2,6 +2,7 @@
// บันทึกการแก้ไข:
// 1. แก้ไข Type Mismatch ใน signAsync
// 2. แก้ไข validateUser ให้ดึง password_hash ออกมาด้วย (Fix HTTP 500: data and hash arguments required)
// 3. [P2-2] Implement Refresh Token storage & rotation
import {
Injectable,
@@ -12,14 +13,16 @@ import {
import { JwtService } from '@nestjs/jwt';
import { ConfigService } from '@nestjs/config';
import { CACHE_MANAGER } from '@nestjs/cache-manager';
import { InjectRepository } from '@nestjs/typeorm'; // [NEW]
import { Repository } from 'typeorm'; // [NEW]
import { InjectRepository } from '@nestjs/typeorm';
import { Repository } from 'typeorm';
import type { Cache } from 'cache-manager';
import * as bcrypt from 'bcrypt';
import * as crypto from 'crypto';
import { UserService } from '../../modules/user/user.service.js';
import { User } from '../../modules/user/entities/user.entity.js'; // [NEW] ต้อง Import Entity เพื่อใช้ Repository
import { User } from '../../modules/user/entities/user.entity.js';
import { RegisterDto } from './dto/register.dto.js';
import { RefreshToken } from './entities/refresh-token.entity.js'; // [P2-2]
@Injectable()
export class AuthService {
@@ -28,31 +31,27 @@ export class AuthService {
private jwtService: JwtService,
private configService: ConfigService,
@Inject(CACHE_MANAGER) private cacheManager: Cache,
// [NEW] Inject Repository เพื่อใช้ QueryBuilder
@InjectRepository(User)
private usersRepository: Repository<User>,
// [P2-2] Inject RefreshToken Repository
@InjectRepository(RefreshToken)
private refreshTokenRepository: Repository<RefreshToken>
) {}
// 1. ตรวจสอบ Username/Password
async validateUser(username: string, pass: string): Promise<any> {
console.log(`🔍 Checking login for: ${username}`); // [DEBUG]
// [FIXED] ใช้ createQueryBuilder เพื่อ addSelect field 'password' ที่ถูกซ่อนไว้
console.log(`🔍 Checking login for: ${username}`);
const user = await this.usersRepository
.createQueryBuilder('user')
.addSelect('user.password') // สำคัญ! สั่งให้ดึง column password มาด้วย
.addSelect('user.password')
.where('user.username = :username', { username })
.getOne();
if (!user) {
console.log('❌ User not found in database'); // [DEBUG]
console.log('❌ User not found in database');
return null;
}
console.log('✅ User found. Hash from DB:', user.password); // [DEBUG]
const isMatch = await bcrypt.compare(pass, user.password);
console.log(`🔐 Password match result: ${isMatch}`); // [DEBUG]
// ตรวจสอบว่ามี user และมี password hash หรือไม่
if (user && user.password && (await bcrypt.compare(pass, user.password))) {
// eslint-disable-next-line @typescript-eslint/no-unused-vars
@@ -62,7 +61,7 @@ export class AuthService {
return null;
}
// 2. Login: สร้าง Access & Refresh Token
// 2. Login: สร้าง Access & Refresh Token และบันทึกลง DB
async login(user: any) {
const payload = {
username: user.username,
@@ -70,20 +69,20 @@ export class AuthService {
scope: 'Global',
};
const [accessToken, refreshToken] = await Promise.all([
this.jwtService.signAsync(payload, {
secret: this.configService.get<string>('JWT_SECRET'),
// ✅ Fix: Cast as any
expiresIn: (this.configService.get<string>('JWT_EXPIRATION') ||
'15m') as any,
}),
this.jwtService.signAsync(payload, {
secret: this.configService.get<string>('JWT_REFRESH_SECRET'),
// ✅ Fix: Cast as any
expiresIn: (this.configService.get<string>('JWT_REFRESH_EXPIRATION') ||
'7d') as any,
}),
]);
const accessToken = await this.jwtService.signAsync(payload, {
secret: this.configService.get<string>('JWT_SECRET'),
expiresIn: (this.configService.get<string>('JWT_EXPIRATION') ||
'15m') as any,
});
const refreshToken = await this.jwtService.signAsync(payload, {
secret: this.configService.get<string>('JWT_REFRESH_SECRET'),
expiresIn: (this.configService.get<string>('JWT_REFRESH_EXPIRATION') ||
'7d') as any,
});
// [P2-2] Store Refresh Token in DB
await this.storeRefreshToken(user.user_id, refreshToken);
return {
access_token: accessToken,
@@ -92,10 +91,28 @@ export class AuthService {
};
}
// [P2-2] Store Refresh Token Logic
private async storeRefreshToken(userId: number, token: string) {
// Hash token before storing for security
const hash = crypto.createHash('sha256').update(token).digest('hex');
const expiresInDays = 7; // Should match JWT_REFRESH_EXPIRATION
const expiresAt = new Date();
expiresAt.setDate(expiresAt.getDate() + expiresInDays);
const refreshTokenEntity = this.refreshTokenRepository.create({
userId,
tokenHash: hash,
expiresAt,
isRevoked: false,
});
await this.refreshTokenRepository.save(refreshTokenEntity);
}
// 3. Register (สำหรับ Admin)
async register(userDto: RegisterDto) {
const existingUser = await this.userService.findOneByUsername(
userDto.username,
userDto.username
);
if (existingUser) {
throw new BadRequestException('Username already exists');
@@ -110,27 +127,79 @@ export class AuthService {
});
}
// 4. Refresh Token: ออก Token ใหม่
// 4. Refresh Token: ตรวจสอบและออก Token ใหม่ (Rotation)
async refreshToken(userId: number, refreshToken: string) {
// Hash incoming token to match with DB
const hash = crypto.createHash('sha256').update(refreshToken).digest('hex');
// Find token in DB
const storedToken = await this.refreshTokenRepository.findOne({
where: { tokenHash: hash },
});
if (!storedToken) {
throw new UnauthorizedException('Invalid refresh token');
}
if (storedToken.isRevoked) {
// Possible token theft! Invalidate all user tokens family
await this.revokeAllUserTokens(userId);
throw new UnauthorizedException('Refresh token revoked - Security alert');
}
if (storedToken.expiresAt < new Date()) {
throw new UnauthorizedException('Refresh token expired');
}
// Valid token -> Rotate it
const user = await this.userService.findOne(userId);
if (!user) throw new UnauthorizedException('User not found');
const payload = { username: user.username, sub: user.user_id };
const accessToken = await this.jwtService.signAsync(payload, {
// Generate NEW tokens
const newAccessToken = await this.jwtService.signAsync(payload, {
secret: this.configService.get<string>('JWT_SECRET'),
// ✅ Fix: Cast as any
expiresIn: (this.configService.get<string>('JWT_EXPIRATION') ||
'15m') as any,
});
const newRefreshToken = await this.jwtService.signAsync(payload, {
secret: this.configService.get<string>('JWT_REFRESH_SECRET'),
expiresIn: (this.configService.get<string>('JWT_REFRESH_EXPIRATION') ||
'7d') as any,
});
// Revoke OLD token and point to NEW one
const newHash = crypto
.createHash('sha256')
.update(newRefreshToken)
.digest('hex');
storedToken.isRevoked = true;
storedToken.replacedByToken = newHash;
await this.refreshTokenRepository.save(storedToken);
// Save NEW token
await this.storeRefreshToken(userId, newRefreshToken);
return {
access_token: accessToken,
access_token: newAccessToken,
refresh_token: newRefreshToken,
};
}
// 5. Logout: นำ Token เข้า Blacklist ใน Redis
async logout(userId: number, accessToken: string) {
// [P2-2] Helper: Revoke all tokens for a user (Security Measure)
private async revokeAllUserTokens(userId: number) {
await this.refreshTokenRepository.update(
{ userId, isRevoked: false },
{ isRevoked: true }
);
}
// 5. Logout: Revoke current refresh token & Blacklist Access Token
async logout(userId: number, accessToken: string, refreshToken?: string) {
// Blacklist Access Token
try {
const decoded = this.jwtService.decode(accessToken);
if (decoded && decoded.exp) {
@@ -139,13 +208,26 @@ export class AuthService {
await this.cacheManager.set(
`blacklist:token:${accessToken}`,
true,
ttl * 1000,
ttl * 1000
);
}
}
} catch (error) {
// Ignore decoding error
}
// [P2-2] Revoke Refresh Token if provided
if (refreshToken) {
const hash = crypto
.createHash('sha256')
.update(refreshToken)
.digest('hex');
await this.refreshTokenRepository.update(
{ tokenHash: hash },
{ isRevoked: true }
);
}
return { message: 'Logged out successfully' };
}
}

29
backend/src/common/auth/casl/ability.factory.ts
View File

@@ -1,11 +1,5 @@
import { Injectable } from '@nestjs/common';
import {
Ability,
AbilityBuilder,
AbilityClass,
ExtractSubjectType,
InferSubjects,
} from '@casl/ability';
import { Ability, AbilityBuilder, AbilityClass } from '@casl/ability';
import { User } from '../../../modules/user/entities/user.entity';
import { UserAssignment } from '../../../modules/user/entities/user-assignment.entity';
@@ -45,7 +39,7 @@ export class AbilityFactory {
* - Level 4: Contract
*/
createForUser(user: User, context: ScopeContext): AppAbility {
const { can, cannot, build } = new AbilityBuilder<AppAbility>(
const { can, build } = new AbilityBuilder<AppAbility>(
Ability as AbilityClass<AppAbility>
);
@@ -54,12 +48,13 @@ export class AbilityFactory {
return build();
}
// Iterate through user's role assignments
// Iterate through user's role assignments
user.assignments.forEach((assignment: UserAssignment) => {
// Check if assignment matches the current context
if (this.matchesScope(assignment, context)) {
// Grant permissions from the role
assignment.role.permissions.forEach((permission) => {
assignment.role.permissions?.forEach((permission) => {
const [action, subject] = this.parsePermission(
permission.permissionName
);
@@ -70,8 +65,10 @@ export class AbilityFactory {
return build({
// Detect subject type (for future use with objects)
detectSubjectType: (item) =>
item.constructor as ExtractSubjectType<Subjects>,
detectSubjectType: (item: any) => {
if (typeof item === 'string') return item;
return item.constructor;
},
});
}
@@ -120,17 +117,17 @@ export class AbilityFactory {
* "project.view" → ["view", "project"]
*/
private parsePermission(permissionName: string): [string, string] {
// Fallback for special permissions like "system.manage_all"
if (permissionName === 'system.manage_all') {
return ['manage', 'all'];
}
const parts = permissionName.split('.');
if (parts.length === 2) {
const [subject, action] = parts;
return [action, subject];
}
// Fallback for special permissions like "system.manage_all"
if (permissionName === 'system.manage_all') {
return ['manage', 'all'];
}
throw new Error(`Invalid permission format: ${permissionName}`);
}
}

6
backend/src/common/auth/dto/login.dto.ts
View File

@@ -1,10 +1,16 @@
import { IsNotEmpty, IsString } from 'class-validator';
import { ApiProperty } from '@nestjs/swagger';
export class LoginDto {
@ApiProperty({
description: 'Username (Email)',
example: 'admin@np-dms.work',
})
@IsString()
@IsNotEmpty()
username!: string;
@ApiProperty({ description: 'Password', example: 'password123' })
@IsString()
@IsNotEmpty()
password!: string;

38
backend/src/common/auth/entities/refresh-token.entity.ts Normal file
View File

@@ -0,0 +1,38 @@
import {
Entity,
Column,
PrimaryGeneratedColumn,
CreateDateColumn,
ManyToOne,
JoinColumn,
} from 'typeorm';
import { User } from '../../../modules/user/entities/user.entity';
@Entity('refresh_tokens')
export class RefreshToken {
@PrimaryGeneratedColumn({ name: 'token_id' })
tokenId!: number;
@Column({ name: 'user_id' })
userId!: number;
@Column({ name: 'token_hash', length: 255 })
tokenHash!: string;
@Column({ name: 'expires_at' })
expiresAt!: Date;
@Column({ name: 'is_revoked', default: false })
isRevoked!: boolean;
@CreateDateColumn({ name: 'created_at' })
createdAt!: Date;
@Column({ name: 'replaced_by_token', nullable: true, length: 255 })
replacedByToken?: string; // For rotation support
// Relations
@ManyToOne(() => User, { onDelete: 'CASCADE' })
@JoinColumn({ name: 'user_id' })
user?: User;
}

2
backend/src/common/auth/guards/permissions.guard.ts
View File

@@ -43,7 +43,7 @@ export class PermissionsGuard implements CanActivate {
// Check if user has ALL required permissions
const hasPermission = requiredPermissions.every((permission) => {
const [action, subject] = this.parsePermission(permission);
return ability.can(action, subject);
return ability.can(action as any, subject as any);
});
if (!hasPermission) {

26
backend/src/common/guards/rbac.guard.ts
View File

@@ -5,25 +5,25 @@ import {
ForbiddenException,
} from '@nestjs/common';
import { Reflector } from '@nestjs/core';
import { PERMISSION_KEY } from '../decorators/require-permission.decorator.js';
import { UserService } from '../../modules/user/user.service.js';
import { PERMISSIONS_KEY } from '../decorators/require-permission.decorator';
import { UserService } from '../../modules/user/user.service';
@Injectable()
export class RbacGuard implements CanActivate {
constructor(
private reflector: Reflector,
private userService: UserService,
private userService: UserService
) {}
async canActivate(context: ExecutionContext): Promise<boolean> {
// 1. ดูว่า Controller นี้ต้องการสิทธิ์อะไร?
const requiredPermission = this.reflector.getAllAndOverride<string>(
PERMISSION_KEY,
[context.getHandler(), context.getClass()],
const requiredPermissions = this.reflector.getAllAndOverride<string[]>(
PERMISSIONS_KEY,
[context.getHandler(), context.getClass()]
);
// ถ้าไม่ต้องการสิทธิ์อะไรเลย ก็ปล่อยผ่าน
if (!requiredPermission) {
if (!requiredPermissions || requiredPermissions.length === 0) {
return true;
}
@@ -36,17 +36,19 @@ export class RbacGuard implements CanActivate {
// 3. (สำคัญ) ดึงสิทธิ์ทั้งหมดของ User คนนี้จาก Database
// เราต้องเขียนฟังก์ชัน getUserPermissions ใน UserService เพิ่ม (เดี๋ยวพาทำ)
const userPermissions = await this.userService.getUserPermissions(
user.userId,
user.userId
);
// 4. ตรวจสอบว่ามีสิทธิ์ที่ต้องการไหม?
const hasPermission = userPermissions.some(
(p) => p === requiredPermission || p === 'system.manage_all', // Superadmin ทะลุทุกสิทธิ์
// 4. ตรวจสอบว่ามีสิทธิ์ที่ต้องการไหม? (User ต้องมีครบทุกสิทธิ์)
const hasPermission = requiredPermissions.every((req) =>
userPermissions.some(
(p) => p === req || p === 'system.manage_all' // Superadmin ทะลุทุกสิทธิ์
)
);
if (!hasPermission) {
throw new ForbiddenException(
`You do not have permission: ${requiredPermission}`,
`You do not have permission: ${requiredPermissions.join(', ')}`
);
}

21
backend/src/main.ts
View File

@@ -22,11 +22,24 @@ async function bootstrap() {
const logger = new Logger('Bootstrap');
// 🛡️ 2. Security (Helmet & CORS)
app.use(helmet());
// ปรับ CSP ให้รองรับ Swagger UI
app.use(
helmet({
contentSecurityPolicy: {
directives: {
defaultSrc: ["'self'"],
scriptSrc: ["'self'", "'unsafe-inline'", "'unsafe-eval'"],
styleSrc: ["'self'", "'unsafe-inline'"],
imgSrc: ["'self'", 'data:', 'blob:'],
},
},
crossOriginEmbedderPolicy: false,
})
);
// ตั้งค่า CORS (ใน Production ควรระบุ origin ให้ชัดเจนจาก Config)
app.enableCors({
origin: true, // หรือ configService.get('CORS_ORIGIN')
origin: configService.get<string>('CORS_ORIGIN') || true,
methods: 'GET,HEAD,PUT,PATCH,POST,DELETE',
credentials: true,
});
@@ -47,7 +60,7 @@ async function bootstrap() {
transformOptions: {
enableImplicitConversion: true, // ช่วยแปลง Type ใน Query Params
},
}),
})
);
// ลงทะเบียน Global Interceptor และ Filter ที่เราสร้างไว้
@@ -78,4 +91,4 @@ async function bootstrap() {
logger.log(`Application is running on: ${await app.getUrl()}/api`);
logger.log(`Swagger UI is available at: ${await app.getUrl()}/docs`);
}
bootstrap();
void bootstrap();

25
backend/src/modules/correspondence/dto/create-correspondence.dto.ts
View File

@@ -1,4 +1,3 @@
// File: src/modules/correspondence/dto/create-correspondence.dto.ts
import {
IsInt,
IsString,
@@ -7,42 +6,64 @@ import {
IsBoolean,
IsObject,
} from 'class-validator';
import { ApiProperty, ApiPropertyOptional } from '@nestjs/swagger';
export class CreateCorrespondenceDto {
@ApiProperty({ description: 'Project ID', example: 1 })
@IsInt()
@IsNotEmpty()
projectId!: number;
@ApiProperty({ description: 'Document Type ID', example: 1 })
@IsInt()
@IsNotEmpty()
typeId!: number; // ID ของประเภทเอกสาร (เช่น RFA, LETTER)
@ApiPropertyOptional({ description: 'Discipline ID', example: 2 })
@IsInt()
@IsOptional()
disciplineId?: number; // [Req 6B] สาขางาน (เช่น GEN, STR)
@ApiPropertyOptional({ description: 'Sub Type ID', example: 3 })
@IsInt()
@IsOptional()
subTypeId?: number; // [Req 6B] ประเภทย่อย (เช่น MAT, SHP สำหรับ Transmittal/RFA)
@ApiProperty({
description: 'Correspondence Title',
example: 'Monthly Progress Report',
})
@IsString()
@IsNotEmpty()
title!: string;
@ApiPropertyOptional({
description: 'Correspondence Description',
example: 'Detailed report...',
})
@IsString()
@IsOptional()
description?: string;
@ApiPropertyOptional({
description: 'Additional details (JSON)',
example: { key: 'value' },
})
@IsObject()
@IsOptional()
details?: Record<string, any>; // ข้อมูล JSON (เช่น RFI question)
@ApiPropertyOptional({ description: 'Is internal document?', default: false })
@IsBoolean()
@IsOptional()
isInternal?: boolean;
// ✅ เพิ่ม Field สำหรับ Impersonation (เลือกองค์กรผู้ส่ง)
@ApiPropertyOptional({
description: 'Originator Organization ID (for impersonation)',
example: 1,
})
@IsInt()
@IsOptional()
originatorId?: number;
}
}

4
backend/src/modules/correspondence/entities/routing-template.entity.ts
View File

@@ -1,6 +1,6 @@
import { Entity, Column, PrimaryGeneratedColumn, OneToMany } from 'typeorm';
import { BaseEntity } from '../../../common/entities/base.entity.js'; // ถ้าไม่ได้ใช้ BaseEntity ก็ลบออกแล้วใส่ createdAt เอง
import { RoutingTemplateStep } from './routing-template-step.entity.js'; // เดี๋ยวสร้าง
import { BaseEntity } from '../../../common/entities/base.entity'; // ถ้าไม่ได้ใช้ BaseEntity ก็ลบออกแล้วใส่ createdAt เอง
import { RoutingTemplateStep } from './routing-template-step.entity'; // เดี๋ยวสร้าง
@Entity('correspondence_routing_templates')
export class RoutingTemplate {

2
backend/src/modules/document-numbering/document-numbering.service.ts
View File

@@ -182,7 +182,7 @@ export class DocumentNumberingService implements OnModuleInit, OnModuleDestroy {
throw new InternalServerErrorException(
'Failed to generate document number after retries.'
);
} catch (error) {
} catch (error: any) {
this.logger.error(`Error generating number for ${resourceKey}`, error);
// [P0-4] Log error

9
backend/src/modules/monitoring/controllers/health.controller.ts
View File

@@ -8,7 +8,6 @@ import {
MemoryHealthIndicator,
DiskHealthIndicator,
} from '@nestjs/terminus';
import { MetricsService } from '../services/metrics.service';
@Controller()
export class HealthController {
@@ -17,8 +16,7 @@ export class HealthController {
private http: HttpHealthIndicator,
private db: TypeOrmHealthIndicator,
private memory: MemoryHealthIndicator,
private disk: DiskHealthIndicator,
private metricsService: MetricsService,
private disk: DiskHealthIndicator
) {}
@Get('health')
@@ -37,9 +35,4 @@ export class HealthController {
this.disk.checkStorage('storage', { path: '/', thresholdPercent: 0.9 }),
]);
}
@Get('metrics')
async getMetrics() {
return await this.metricsService.getMetrics();
}
}

41
backend/src/modules/monitoring/monitoring.module.ts
View File

@@ -4,6 +4,11 @@ import { Global, Module } from '@nestjs/common';
import { TerminusModule } from '@nestjs/terminus';
import { HttpModule } from '@nestjs/axios';
import { APP_INTERCEPTOR } from '@nestjs/core';
import {
PrometheusModule,
makeCounterProvider,
makeHistogramProvider,
} from '@willsoto/nestjs-prometheus';
// Existing Components
import { HealthController } from './controllers/health.controller';
@@ -14,21 +19,39 @@ import { PerformanceInterceptor } from '../../common/interceptors/performance.in
import { MonitoringController } from './monitoring.controller';
import { MonitoringService } from './monitoring.service';
@Global() // Module นี้เป็น Global (ดีแล้วครับ)
@Global()
@Module({
imports: [TerminusModule, HttpModule],
controllers: [
HealthController, // ✅ ของเดิม: /health
MonitoringController, // ✅ ของใหม่: /monitoring/maintenance
imports: [
TerminusModule,
HttpModule,
PrometheusModule.register({
path: '/metrics',
defaultMetrics: {
enabled: true,
},
}),
],
controllers: [HealthController, MonitoringController],
providers: [
MetricsService, // ✅ ของเดิม
MonitoringService, // ✅ ของใหม่ (Logic เปิด/ปิด Maintenance)
MetricsService,
MonitoringService,
{
provide: APP_INTERCEPTOR,
useClass: PerformanceInterceptor, // ✅ ของเดิม (จับเวลา Response Time)
useClass: PerformanceInterceptor,
},
// Metrics Providers
makeCounterProvider({
name: 'http_requests_total',
help: 'Total number of HTTP requests',
labelNames: ['method', 'route', 'status_code'],
}),
makeHistogramProvider({
name: 'http_request_duration_seconds',
help: 'Duration of HTTP requests in seconds',
labelNames: ['method', 'route', 'status_code'],
buckets: [0.1, 0.2, 0.5, 1.0, 1.5, 2.0, 5.0],
}),
],
exports: [MetricsService, MonitoringService],
exports: [MetricsService, MonitoringService, PrometheusModule],
})
export class MonitoringModule {}

56
backend/src/modules/monitoring/services/metrics.service.ts
View File

@@ -1,54 +1,16 @@
// File: src/modules/monitoring/services/metrics.service.ts
import { Injectable } from '@nestjs/common';
import { Registry, Counter, Histogram, Gauge } from 'prom-client';
import { Counter, Histogram } from 'prom-client';
import { InjectMetric } from '@willsoto/nestjs-prometheus';
@Injectable()
export class MetricsService {
private readonly registry: Registry;
public readonly httpRequestsTotal: Counter<string>;
public readonly httpRequestDuration: Histogram<string>;
public readonly systemMemoryUsage: Gauge<string>;
constructor(
@InjectMetric('http_requests_total')
public readonly httpRequestsTotal: Counter<string>,
@InjectMetric('http_request_duration_seconds')
public readonly httpRequestDuration: Histogram<string>
) {}
constructor() {
this.registry = new Registry();
this.registry.setDefaultLabels({ app: 'lcbp3-backend' });
// นับจำนวน HTTP Request ทั้งหมด แยกตาม method, route, status_code
this.httpRequestsTotal = new Counter({
name: 'http_requests_total',
help: 'Total number of HTTP requests',
labelNames: ['method', 'route', 'status_code'],
registers: [this.registry],
});
// วัดระยะเวลา Response Time (Histogram)
this.httpRequestDuration = new Histogram({
name: 'http_request_duration_seconds',
help: 'Duration of HTTP requests in seconds',
labelNames: ['method', 'route', 'status_code'],
buckets: [0.1, 0.2, 0.5, 1.0, 1.5, 2.0, 5.0], // Buckets สำหรับวัด Latency
registers: [this.registry],
});
// วัดการใช้ Memory (Gauge)
this.systemMemoryUsage = new Gauge({
name: 'system_memory_usage_bytes',
help: 'Heap memory usage in bytes',
registers: [this.registry],
});
// เริ่มเก็บ Metrics พื้นฐานของ Node.js (Optional)
// client.collectDefaultMetrics({ register: this.registry });
}
/**
* ดึงข้อมูล Metrics ทั้งหมดในรูปแบบ Text สำหรับ Prometheus Scrape
*/
async getMetrics(): Promise<string> {
// อัปเดต Memory Usage ก่อน Return
const memoryUsage = process.memoryUsage();
this.systemMemoryUsage.set(memoryUsage.heapUsed);
return this.registry.metrics();
}
// Removed manual getMetrics() as PrometheusModule handles /metrics
}

4
backend/src/modules/project/entities/contract.entity.ts
View File

@@ -5,8 +5,8 @@ import {
ManyToOne,
JoinColumn,
} from 'typeorm';
import { BaseEntity } from '../../../common/entities/base.entity.js';
import { Project } from './project.entity.js';
import { BaseEntity } from '../../../common/entities/base.entity';
import { Project } from './project.entity';
@Entity('contracts')
export class Contract extends BaseEntity {

2
backend/src/modules/project/entities/organization.entity.ts
View File

@@ -1,5 +1,5 @@
import { Entity, Column, PrimaryGeneratedColumn } from 'typeorm';
import { BaseEntity } from '../../../common/entities/base.entity.js';
import { BaseEntity } from '../../../common/entities/base.entity';
@Entity('organizations')
export class Organization extends BaseEntity {

2
backend/src/modules/project/entities/project.entity.ts
View File

@@ -1,5 +1,5 @@
import { Entity, Column, PrimaryGeneratedColumn } from 'typeorm';
import { BaseEntity } from '../../../common/entities/base.entity.js';
import { BaseEntity } from '../../../common/entities/base.entity';
@Entity('projects')
export class Project extends BaseEntity {

33
backend/src/modules/rfa/dto/create-rfa-revision.dto.ts
View File

@@ -1,4 +1,3 @@
// File: src/modules/rfa/dto/create-rfa-revision.dto.ts
import {
IsString,
IsNotEmpty,
@@ -8,44 +7,76 @@ import {
IsObject,
IsArray,
} from 'class-validator';
import { ApiProperty, ApiPropertyOptional } from '@nestjs/swagger';
export class CreateRfaRevisionDto {
@ApiProperty({ description: 'RFA Title', example: 'RFA for Building A' })
@IsString()
@IsNotEmpty()
title!: string;
@ApiProperty({ description: 'RFA Status Code ID', example: 1 })
@IsInt()
@IsNotEmpty()
rfaStatusCodeId!: number;
@ApiPropertyOptional({ description: 'RFA Approve Code ID', example: 1 })
@IsInt()
@IsOptional()
rfaApproveCodeId?: number;
@ApiPropertyOptional({
description: 'Document Date',
example: '2025-12-06T00:00:00Z',
})
@IsDateString()
@IsOptional()
documentDate?: string;
@ApiPropertyOptional({
description: 'Issued Date',
example: '2025-12-06T00:00:00Z',
})
@IsDateString()
@IsOptional()
issuedDate?: string;
@ApiPropertyOptional({
description: 'Received Date',
example: '2025-12-06T00:00:00Z',
})
@IsDateString()
@IsOptional()
receivedDate?: string;
@ApiPropertyOptional({
description: 'Approved Date',
example: '2025-12-06T00:00:00Z',
})
@IsDateString()
@IsOptional()
approvedDate?: string;
@ApiPropertyOptional({
description: 'Description',
example: 'Details about the RFA...',
})
@IsString()
@IsOptional()
description?: string;
@ApiPropertyOptional({
description: 'Additional Details (JSON)',
example: { key: 'value' },
})
@IsObject()
@IsOptional()
details?: Record<string, any>;
@ApiPropertyOptional({
description: 'Linked Shop Drawing Revision IDs',
example: [1, 2],
})
@IsArray()
@IsOptional()
shopDrawingRevisionIds?: number[]; // IDs of linked Shop Drawings

30
backend/src/modules/rfa/rfa.controller.ts
View File

@@ -8,12 +8,19 @@ import {
Post,
UseGuards,
} from '@nestjs/common';
import { ApiBearerAuth, ApiOperation, ApiTags } from '@nestjs/swagger';
import {
ApiTags,
ApiOperation,
ApiResponse,
ApiBearerAuth,
ApiParam,
ApiBody,
} from '@nestjs/swagger';
import { WorkflowActionDto } from '../correspondence/dto/workflow-action.dto';
import { User } from '../user/entities/user.entity';
import { CreateRfaDto } from './dto/create-rfa.dto';
import { SubmitRfaDto } from './dto/submit-rfa.dto'; // ✅ Import DTO ใหม่
import { SubmitRfaDto } from './dto/submit-rfa.dto';
import { RfaService } from './rfa.service';
import { Audit } from '../../common/decorators/audit.decorator';
@@ -31,6 +38,8 @@ export class RfaController {
@Post()
@ApiOperation({ summary: 'Create new RFA (Draft)' })
@ApiBody({ type: CreateRfaDto })
@ApiResponse({ status: 201, description: 'RFA created successfully' })
@RequirePermission('rfa.create')
@Audit('rfa.create', 'rfa')
create(@Body() createDto: CreateRfaDto, @CurrentUser() user: User) {
@@ -39,30 +48,41 @@ export class RfaController {
@Post(':id/submit')
@ApiOperation({ summary: 'Submit RFA to Workflow' })
@ApiParam({ name: 'id', description: 'RFA ID' })
@ApiBody({ type: SubmitRfaDto })
@ApiResponse({ status: 200, description: 'RFA submitted successfully' })
@RequirePermission('rfa.create')
@Audit('rfa.submit', 'rfa')
submit(
@Param('id', ParseIntPipe) id: number,
@Body() submitDto: SubmitRfaDto, // ✅ ใช้ DTO
@CurrentUser() user: User,
@Body() submitDto: SubmitRfaDto,
@CurrentUser() user: User
) {
return this.rfaService.submit(id, submitDto.templateId, user);
}
@Post(':id/action')
@ApiOperation({ summary: 'Process Workflow Action (Approve/Reject)' })
@ApiParam({ name: 'id', description: 'RFA ID' })
@ApiBody({ type: WorkflowActionDto })
@ApiResponse({
status: 200,
description: 'Workflow action processed successfully',
})
@RequirePermission('workflow.action_review')
@Audit('rfa.action', 'rfa')
processAction(
@Param('id', ParseIntPipe) id: number,
@Body() actionDto: WorkflowActionDto,
@CurrentUser() user: User,
@CurrentUser() user: User
) {
return this.rfaService.processAction(id, actionDto, user);
}
@Get(':id')
@ApiOperation({ summary: 'Get RFA details with revisions and items' })
@ApiParam({ name: 'id', description: 'RFA ID' })
@ApiResponse({ status: 200, description: 'RFA details' })
@RequirePermission('document.view')
findOne(@Param('id', ParseIntPipe) id: number) {
return this.rfaService.findOne(id);

12
backend/src/modules/user/dto/create-user.dto.ts
View File

@@ -7,37 +7,49 @@ import {
IsBoolean,
IsInt,
} from 'class-validator';
import { ApiProperty, ApiPropertyOptional } from '@nestjs/swagger';
export class CreateUserDto {
@ApiProperty({ description: 'Username', example: 'john_doe' })
@IsString()
@IsNotEmpty()
username!: string;
@ApiProperty({
description: 'Password (min 6 chars)',
example: 'password123',
})
@IsString()
@IsNotEmpty()
@MinLength(6, { message: 'Password must be at least 6 characters' })
password!: string;
@ApiProperty({ description: 'Email address', example: 'john.d@example.com' })
@IsEmail()
@IsNotEmpty()
email!: string;
@ApiPropertyOptional({ description: 'First name', example: 'John' })
@IsString()
@IsOptional()
firstName?: string;
@ApiPropertyOptional({ description: 'Last name', example: 'Doe' })
@IsString()
@IsOptional()
lastName?: string;
@ApiPropertyOptional({ description: 'Line ID', example: 'john.line' })
@IsString()
@IsOptional()
lineId?: string;
@ApiPropertyOptional({ description: 'Primary Organization ID', example: 1 })
@IsInt()
@IsOptional()
primaryOrganizationId?: number; // รับเป็น ID ของ Organization
@ApiPropertyOptional({ description: 'Is user active?', default: true })
@IsBoolean()
@IsOptional()
isActive?: boolean;

20
backend/src/modules/user/entities/role.entity.ts
View File

@@ -1,4 +1,11 @@
import { Entity, PrimaryGeneratedColumn, Column } from 'typeorm';
import {
Entity,
PrimaryGeneratedColumn,
Column,
ManyToMany,
JoinTable,
} from 'typeorm';
import { Permission } from './permission.entity';
export enum RoleScope {
GLOBAL = 'Global',
@@ -26,4 +33,15 @@ export class Role {
@Column({ name: 'is_system', default: false })
isSystem!: boolean;
@ManyToMany(() => Permission)
@JoinTable({
name: 'role_permissions',
joinColumn: { name: 'role_id', referencedColumnName: 'roleId' },
inverseJoinColumn: {
name: 'permission_id',
referencedColumnName: 'permissionId',
},
})
permissions?: Permission[];
}

47
backend/src/modules/user/user.controller.ts
View File

@@ -1,6 +1,3 @@
// File: src/modules/user/user.controller.ts
// บันทึกการแก้ไข: เพิ่ม Endpoints สำหรับ User Preferences (T1.3)
import {
Controller,
Get,
@@ -12,18 +9,25 @@ import {
UseGuards,
ParseIntPipe,
} from '@nestjs/common';
import { ApiTags, ApiOperation, ApiBearerAuth } from '@nestjs/swagger';
import {
ApiTags,
ApiOperation,
ApiBearerAuth,
ApiResponse,
ApiBody,
ApiParam,
} from '@nestjs/swagger';
import { UserService } from './user.service';
import { UserAssignmentService } from './user-assignment.service';
import { UserPreferenceService } from './user-preference.service'; // ✅ เพิ่ม
import { UserPreferenceService } from './user-preference.service';
import { CreateUserDto } from './dto/create-user.dto';
import { UpdateUserDto } from './dto/update-user.dto';
import { AssignRoleDto } from './dto/assign-role.dto';
import { UpdatePreferenceDto } from './dto/update-preference.dto'; // ✅ เพิ่ม DTO
import { UpdatePreferenceDto } from './dto/update-preference.dto';
import { JwtAuthGuard } from '../../common/guards/jwt-auth.guard';
import { RbacGuard } from '../../common/guards/rbac.guard'; // สมมติว่ามีแล้ว ถ้ายังไม่มีให้คอมเมนต์ไว้ก่อน
import { RbacGuard } from '../../common/guards/rbac.guard';
import { RequirePermission } from '../../common/decorators/require-permission.decorator';
import { CurrentUser } from '../../common/decorators/current-user.decorator';
import { User } from './entities/user.entity';
@@ -31,36 +35,39 @@ import { User } from './entities/user.entity';
@ApiTags('Users')
@ApiBearerAuth()
@Controller('users')
@UseGuards(JwtAuthGuard, RbacGuard) // RbacGuard จะเช็ค permission
@UseGuards(JwtAuthGuard, RbacGuard)
export class UserController {
constructor(
private readonly userService: UserService,
private readonly assignmentService: UserAssignmentService,
private readonly preferenceService: UserPreferenceService, // ✅ Inject Service
private readonly preferenceService: UserPreferenceService
) {}
// --- User Preferences (Me) ---
// ต้องวางไว้ก่อน :id เพื่อไม่ให้ route ชนกัน
@Get('me/preferences')
@ApiOperation({ summary: 'Get my preferences' })
@UseGuards(JwtAuthGuard) // Bypass RBAC check for self
@ApiResponse({ status: 200, description: 'User preferences' })
@UseGuards(JwtAuthGuard)
getMyPreferences(@CurrentUser() user: User) {
return this.preferenceService.findByUser(user.user_id);
}
@Patch('me/preferences')
@ApiOperation({ summary: 'Update my preferences' })
@UseGuards(JwtAuthGuard) // Bypass RBAC check for self
@ApiBody({ type: UpdatePreferenceDto })
@ApiResponse({ status: 200, description: 'Preferences updated' })
@UseGuards(JwtAuthGuard)
updateMyPreferences(
@CurrentUser() user: User,
@Body() dto: UpdatePreferenceDto,
@Body() dto: UpdatePreferenceDto
) {
return this.preferenceService.update(user.user_id, dto);
}
@Get('me/permissions')
@ApiOperation({ summary: 'Get my permissions' })
@ApiResponse({ status: 200, description: 'User permissions' })
@UseGuards(JwtAuthGuard)
getMyPermissions(@CurrentUser() user: User) {
return this.userService.getUserPermissions(user.user_id);
@@ -70,6 +77,8 @@ export class UserController {
@Post()
@ApiOperation({ summary: 'Create new user' })
@ApiBody({ type: CreateUserDto })
@ApiResponse({ status: 201, description: 'User created' })
@RequirePermission('user.create')
create(@Body() createUserDto: CreateUserDto) {
return this.userService.create(createUserDto);
@@ -77,6 +86,7 @@ export class UserController {
@Get()
@ApiOperation({ summary: 'List all users' })
@ApiResponse({ status: 200, description: 'List of users' })
@RequirePermission('user.view')
findAll() {
return this.userService.findAll();
@@ -84,6 +94,8 @@ export class UserController {
@Get(':id')
@ApiOperation({ summary: 'Get user details' })
@ApiParam({ name: 'id', description: 'User ID' })
@ApiResponse({ status: 200, description: 'User details' })
@RequirePermission('user.view')
findOne(@Param('id', ParseIntPipe) id: number) {
return this.userService.findOne(id);
@@ -91,16 +103,21 @@ export class UserController {
@Patch(':id')
@ApiOperation({ summary: 'Update user' })
@ApiParam({ name: 'id', description: 'User ID' })
@ApiBody({ type: UpdateUserDto })
@ApiResponse({ status: 200, description: 'User updated' })
@RequirePermission('user.edit')
update(
@Param('id', ParseIntPipe) id: number,
@Body() updateUserDto: UpdateUserDto,
@Body() updateUserDto: UpdateUserDto
) {
return this.userService.update(id, updateUserDto);
}
@Delete(':id')
@ApiOperation({ summary: 'Delete user (Soft delete)' })
@ApiParam({ name: 'id', description: 'User ID' })
@ApiResponse({ status: 200, description: 'User deleted' })
@RequirePermission('user.delete')
remove(@Param('id', ParseIntPipe) id: number) {
return this.userService.remove(id);
@@ -110,6 +127,8 @@ export class UserController {
@Post('assign-role')
@ApiOperation({ summary: 'Assign role to user' })
@ApiBody({ type: AssignRoleDto })
@ApiResponse({ status: 201, description: 'Role assigned' })
@RequirePermission('permission.assign')
assignRole(@Body() dto: AssignRoleDto, @CurrentUser() user: User) {
return this.assignmentService.assignRole(dto, user);

25
backend/src/modules/workflow-engine/dsl/parser.service.ts
View File

@@ -34,7 +34,7 @@ export class WorkflowDslParser {
// Step 5: Save to database
return await this.workflowDefRepo.save(definition);
} catch (error) {
} catch (error: any) {
if (error instanceof SyntaxError) {
throw new BadRequestException(`Invalid JSON: ${error.message}`);
}
@@ -132,11 +132,14 @@ export class WorkflowDslParser {
*/
private buildDefinition(dsl: WorkflowDsl): WorkflowDefinition {
const definition = new WorkflowDefinition();
definition.name = dsl.name;
definition.version = dsl.version;
definition.workflow_code = dsl.name;
// Map Semver (1.0.0) to version int (1)
const majorVersion = parseInt(dsl.version.split('.')[0], 10);
definition.version = isNaN(majorVersion) ? 1 : majorVersion;
definition.description = dsl.description;
definition.dslContent = JSON.stringify(dsl, null, 2); // Pretty print for readability
definition.isActive = true;
definition.dsl = dsl;
definition.compiled = dsl;
definition.is_active = true;
return definition;
}
@@ -144,7 +147,7 @@ export class WorkflowDslParser {
/**
* Get parsed DSL from WorkflowDefinition
*/
async getParsedDsl(definitionId: number): Promise<WorkflowDsl> {
async getParsedDsl(definitionId: string): Promise<WorkflowDsl> {
const definition = await this.workflowDefRepo.findOne({
where: { id: definitionId },
});
@@ -156,14 +159,14 @@ export class WorkflowDslParser {
}
try {
const dsl = JSON.parse(definition.dslContent);
const dsl = definition.dsl;
return WorkflowDslSchema.parse(dsl);
} catch (error) {
} catch (error: any) {
this.logger.error(
`Failed to parse stored DSL for definition ${definitionId}`,
error
);
throw new BadRequestException(`Invalid stored DSL: ${error.message}`);
throw new BadRequestException(`Invalid stored DSL: ${error?.message}`);
}
}
@@ -176,10 +179,10 @@ export class WorkflowDslParser {
const dsl = WorkflowDslSchema.parse(rawDsl);
this.validateStateMachine(dsl);
return { valid: true };
} catch (error) {
} catch (error: any) {
return {
valid: false,
errors: [error.message],
errors: [error?.message || 'Unknown validation error'],
};
}
}

2
backend/src/modules/workflow-engine/dsl/workflow-dsl.schema.ts
View File

@@ -137,7 +137,7 @@ export const RFA_WORKFLOW_EXAMPLE: WorkflowDsl = {
config: { status: 'APPROVED' },
},
{
type: 'send_notification',
type: 'create_notification',
config: {
message: 'RFA has been approved',
type: 'success',