feat/wip

sujitaw · sujitaw · commit f41357a02fd3 · 2026-06-02T17:18:57.000+05:30
Signed-off-by: sujitaw &lt;sujit.sutar@ayanworks.com&gt;
diff --git a/Dockerfiles/Dockerfile.ecosystem b/Dockerfiles/Dockerfile.ecosystem
@@ -1,19 +1,19 @@
 # Stage 1: Build the application
-FROM node:24-alpine3.21 AS build
+FROM oven/bun:1.3-alpine AS build
 RUN apk update && apk upgrade && apk add --no-cache openssl \
     && rm -rf /var/cache/apk/*
 RUN npm install -g pnpm@9.15.3 --ignore-scripts
 WORKDIR /app
-COPY package.json pnpm-lock.yaml pnpm-workspace.yaml ./
+COPY package.json pnpm-lock.yaml pnpm-workspace.yaml bun.lock ./
 ENV PUPPETEER_SKIP_DOWNLOAD=true
-RUN pnpm i --frozen-lockfile --ignore-scripts
+RUN bun i --frozen-lockfile --ignore-scripts
 COPY . .
-RUN cd libs/prisma-service && npx prisma generate
-RUN pnpm run build ecosystem
-RUN pnpm prune --prod
+RUN cd libs/prisma-service && bunx prisma generate
+RUN bun --bun run build ecosystem
+RUN bun prune --prod
 
 # Stage 2: Create the final image
-FROM node:24-alpine3.21
+FROM oven/bun:1.3-alpine
 RUN apk update && apk upgrade && apk add --no-cache openssl \
     && rm -rf /var/cache/apk/* \
     && addgroup -g 1001 -S nodejs \
@@ -23,4 +23,4 @@ COPY --from=build /app/dist/apps/ecosystem/ ./dist/apps/ecosystem/
 COPY --from=build /app/libs/ ./libs/
 COPY --from=build /app/node_modules ./node_modules
 USER nextjs
-CMD ["sh", "-c", "cd libs/prisma-service && npx prisma migrate deploy && cd ../.. && node dist/apps/ecosystem/main.js"]
+CMD ["sh", "-c", "cd libs/prisma-service && bunx prisma generate && bunx prisma migrate deploy && cd ../.. &&  bun --bun  dist/apps/ecosystem/main.js"]
diff --git a/Dockerfiles/Dockerfile.oid4vc-issuance b/Dockerfiles/Dockerfile.oid4vc-issuance
@@ -1,18 +1,17 @@
 # Stage 1: Build the application
-FROM node:24-alpine3.21 AS build
+FROM oven/bun:1.3-alpine AS build
 RUN apk update && apk upgrade && apk add --no-cache openssl && rm -rf /var/cache/apk/*
-RUN npm install -g pnpm@9.15.3 --ignore-scripts
 WORKDIR /app
-COPY package.json pnpm-lock.yaml pnpm-workspace.yaml ./
+COPY package.json bun.lock ./
 ENV PUPPETEER_SKIP_DOWNLOAD=true
-RUN pnpm i --frozen-lockfile --ignore-scripts
+RUN bun install
 COPY . .
 RUN cd libs/prisma-service && npx prisma generate
-RUN pnpm run build oid4vc-issuance
-RUN pnpm prune --prod
+RUN bun --bun run build oid4vc-issuance
+RUN bun prune --prod
 
 # Stage 2: Create the final image
-FROM node:24-alpine3.21
+FROM oven/bun:1.3-alpine
 RUN apk update && apk upgrade && apk add --no-cache openssl \
     && rm -rf /var/cache/apk/* \
     && addgroup -g 1001 -S nodejs \
@@ -22,4 +21,4 @@ COPY --from=build /app/dist/apps/oid4vc-issuance/ ./dist/apps/oid4vc-issuance/
 COPY --from=build /app/libs/ ./libs/
 COPY --from=build /app/node_modules ./node_modules
 USER nextjs
-CMD ["sh", "-c", "cd libs/prisma-service && npx prisma migrate deploy && cd ../.. && node dist/apps/oid4vc-issuance/main.js"]
+CMD ["sh", "-c", "cd libs/prisma-service && bunx prisma generate && bunx prisma migrate deploy && cd ../.. && bun --bun dist/apps/oid4vc-issuance/main.js"]
diff --git a/Dockerfiles/Dockerfile.oid4vc-verification b/Dockerfiles/Dockerfile.oid4vc-verification
@@ -1,19 +1,18 @@
 # Stage 1: Build the application
-FROM node:24-alpine3.21 AS build
+FROM oven/bun:1.3-alpine AS build
 RUN apk update && apk upgrade && apk add --no-cache openssl \
     && rm -rf /var/cache/apk/*
-RUN npm install -g pnpm@9.15.3 --ignore-scripts
 WORKDIR /app
-COPY package.json pnpm-lock.yaml pnpm-workspace.yaml ./
+COPY package.json bun.lock ./
 ENV PUPPETEER_SKIP_DOWNLOAD=true
-RUN pnpm i --frozen-lockfile --ignore-scripts
+RUN bun install
 COPY . .
-RUN cd libs/prisma-service && npx prisma generate
-RUN pnpm run build oid4vc-verification
-RUN pnpm prune --prod
+RUN cd libs/prisma-service && bunx prisma generate
+RUN bun run build oid4vc-verification
+RUN bun prune --prod
 
 # Stage 2: Create the final image
-FROM node:24-alpine3.21
+FROM oven/bun:1.3-alpine
 RUN apk update && apk upgrade && apk add --no-cache openssl \
     && rm -rf /var/cache/apk/* \
     && addgroup -g 1001 -S nodejs \
@@ -23,4 +22,4 @@ COPY --from=build /app/dist/apps/oid4vc-verification/ ./dist/apps/oid4vc-verific
 COPY --from=build /app/libs/ ./libs/
 COPY --from=build /app/node_modules ./node_modules
 USER nextjs
-CMD ["sh", "-c", "cd libs/prisma-service && npx prisma migrate deploy && cd ../.. && node dist/apps/oid4vc-verification/main.js"]
+CMD ["sh", "-c", "cd libs/prisma-service && bunx prisma generate && npx prisma migrate deploy && cd ../.. && bun --bun dist/apps/oid4vc-verification/main.js"]
diff --git a/Dockerfiles/Dockerfile.seed b/Dockerfiles/Dockerfile.seed
@@ -1,4 +1,4 @@
-FROM node:24-alpine3.21
+FROM node:24-alpine3.23
 RUN apk update && apk upgrade && apk add --no-cache \
     postgresql-client \
     openssl \
diff --git a/Dockerfiles/Dockerfile.x509 b/Dockerfiles/Dockerfile.x509
@@ -1,19 +1,18 @@
 # Stage 1: Build the application
-FROM node:24-alpine3.21 AS build
+FROM oven/bun:1.3-alpine
 RUN apk update && apk upgrade && apk add --no-cache openssl \
     && rm -rf /var/cache/apk/*
-RUN npm install -g pnpm@9.15.3 --ignore-scripts
 WORKDIR /app
-COPY package.json pnpm-lock.yaml pnpm-workspace.yaml ./
+COPY package.json bun.lock ./
 ENV PUPPETEER_SKIP_DOWNLOAD=true
-RUN pnpm i --frozen-lockfile --ignore-scripts
+RUN bun install
 COPY . .
 RUN cd libs/prisma-service && npx prisma generate
-RUN pnpm run build x509
-RUN pnpm prune --prod
+RUN bun run build x509
+RUN bun prune --prod
 
 # Stage 2: Create the final image
-FROM node:24-alpine3.21
+FROM oven/bun:1.3-alpine
 RUN apk update && apk upgrade && apk add --no-cache openssl \
     && rm -rf /var/cache/apk/* \
     && addgroup -g 1001 -S nodejs \
@@ -23,4 +22,4 @@ COPY --from=build /app/dist/apps/x509/ ./dist/apps/x509/
 COPY --from=build /app/libs/ ./libs/
 COPY --from=build /app/node_modules ./node_modules
 USER nextjs
-CMD ["sh", "-c", "cd libs/prisma-service && npx prisma migrate deploy && cd ../.. && node dist/apps/x509/main.js"]
+CMD ["sh", "-c", "cd libs/prisma-service && bunx prisma generate && bunx prisma migrate deploy && cd ../.. && bun --bun dist/apps/x509/main.js"]
diff --git a/apps/api-gateway/src/authz/guards/org-roles.guard.ts b/apps/api-gateway/src/authz/guards/org-roles.guard.ts
@@ -8,8 +8,7 @@ import { ResponseMessages } from '@credebl/common/response-messages';
 import { validate as isValidUUID } from 'uuid';
 @Injectable()
 export class OrgRolesGuard implements CanActivate {
-  constructor(private reflector: Reflector) { }            // eslint-disable-next-line array-callback-return
-
+  constructor(private reflector: Reflector) {}
 
   private logger = new Logger('Org Role Guard');
   async canActivate(context: ExecutionContext): Promise<boolean> {
@@ -25,43 +24,48 @@ export class OrgRolesGuard implements CanActivate {
 
     const req = context.switchToHttp().getRequest();
     const { user } = req;
-  
+
     if (user?.userRole && user?.userRole.includes('holder')) {
       throw new ForbiddenException('This role is a holder.');
     }
 
     req.params.orgId = req.params?.orgId ? req.params?.orgId?.trim() : '';
     req.query.orgId = req.query?.orgId ? req.query?.orgId?.trim() : '';
-    req.body.orgId = req.body?.orgId ? req.body?.orgId?.trim() : '';
-
-    const orgId = req.params.orgId || req.query.orgId || req.body.orgId;
+    if (req.body) {
+      req.body.orgId = req.body.orgId?.trim() || '';
+    }
 
-    if (orgId) {  
+    const orgId = req.params.orgId || req.query.orgId || req.body?.orgId;
+    if (orgId) {
+      if (!isValidUUID(orgId)) {
+        throw new BadRequestException(ResponseMessages.organisation.error.invalidOrgId);
+      }
 
-    if (!isValidUUID(orgId)) {
-      throw new BadRequestException(ResponseMessages.organisation.error.invalidOrgId);
-    }    
-      
+      if (user.hasOwnProperty('resource_access') && user.resource_access[orgId]) {
+        const orgRoles: string[] = user.resource_access[orgId].roles;
+        const roleAccess = requiredRoles.some((role) => orgRoles.includes(role));
 
-        if (user.hasOwnProperty('resource_access') && user.resource_access[orgId]) {
-          const orgRoles: string[] = user.resource_access[orgId].roles;
-          const roleAccess = requiredRoles.some((role) => orgRoles.includes(role));
-    
-          if (!roleAccess) {
-            throw new ForbiddenException(ResponseMessages.organisation.error.roleNotMatch, { cause: new Error(), description: ResponseMessages.errorMessages.forbidden });
-          }
-          return roleAccess;
+        if (!roleAccess) {
+          throw new ForbiddenException(ResponseMessages.organisation.error.roleNotMatch, {
+            cause: new Error(),
+            description: ResponseMessages.errorMessages.forbidden
+          });
         }
+        return roleAccess;
+      }
 
       const specificOrg = user.userOrgRoles.find((orgDetails) => {
         if (!orgDetails.orgId) {
           return false;
         }
         return orgDetails.orgId.toString().trim() === orgId.toString().trim();
       });
-      
+
       if (!specificOrg) {
-        throw new ForbiddenException(ResponseMessages.organisation.error.orgNotMatch, { cause: new Error(), description: ResponseMessages.errorMessages.forbidden });
+        throw new ForbiddenException(ResponseMessages.organisation.error.orgNotMatch, {
+          cause: new Error(),
+          description: ResponseMessages.errorMessages.forbidden
+        });
       }
 
       user.selectedOrg = specificOrg;
@@ -71,9 +75,7 @@ export class OrgRolesGuard implements CanActivate {
           return orgRoleItem.orgRole.name;
         }
       });
-
-    } else if (requiredRolesNames.includes(OrgRoles.PLATFORM_ADMIN)) {      
-
+    } else if (requiredRolesNames.includes(OrgRoles.PLATFORM_ADMIN)) {
       // eslint-disable-next-line array-callback-return
       const isPlatformAdmin = user.userOrgRoles.find((orgDetails) => {
         if (orgDetails.orgRole.name === OrgRoles.PLATFORM_ADMIN) {
@@ -86,17 +88,19 @@ export class OrgRolesGuard implements CanActivate {
       }
 
       return false;
-
     } else {
       throw new BadRequestException('Please provide valid orgId');
     }
 
     // Sending user friendly message if a user attempts to access an API that is inaccessible to their role
     const roleAccess = requiredRoles.some((role) => user.selectedOrg?.orgRoles.includes(role));
     if (!roleAccess) {
-      throw new ForbiddenException(ResponseMessages.organisation.error.roleNotMatch, { cause: new Error(), description: ResponseMessages.errorMessages.forbidden });
+      throw new ForbiddenException(ResponseMessages.organisation.error.roleNotMatch, {
+        cause: new Error(),
+        description: ResponseMessages.errorMessages.forbidden
+      });
     }
 
     return roleAccess;
   }
-}
+}
diff --git a/apps/ecosystem/src/ecosystem.module.ts b/apps/ecosystem/src/ecosystem.module.ts
@@ -5,6 +5,7 @@ import { CacheModule } from '@nestjs/cache-manager';
 import { ClientRegistrationModule } from '@credebl/client-registration';
 import { CommonConstants } from '@credebl/common/common.constant';
 import { CommonModule } from '@credebl/common';
+import { KeycloakUrlModule } from '@credebl/keycloak-url';
 import { ContextInterceptorModule } from '@credebl/context/contextInterceptorModule';
 import { EcosystemController } from './ecosystem.controller';
 import { EcosystemRepository } from '../repositories/ecosystem.repository';
@@ -34,6 +35,7 @@ import { getNatsOptions } from '@credebl/common/nats.config';
       }
     ]),
     CommonModule,
+    KeycloakUrlModule,
     GlobalConfigModule,
     LoggerModule,
     PlatformConfig,
diff --git a/apps/ecosystem/src/ecosystem.service.ts b/apps/ecosystem/src/ecosystem.service.ts
@@ -15,6 +15,8 @@ import {
 
 import { ClientProxy, RpcException } from '@nestjs/microservices';
 import { ClientRegistrationService } from '@credebl/client-registration';
+import { CommonService } from '@credebl/common';
+import { KeycloakUrlService } from '@credebl/keycloak-url';
 import { EcosystemRepository } from 'apps/ecosystem/repositories/ecosystem.repository';
 import { validateNoticeUrl } from './ecosystem.helper';
 import { CreateEcosystemInviteTemplate } from '../templates/create-ecosystem.templates';
@@ -32,7 +34,8 @@ import {
   EcosystemServiceRole,
   Invitation,
   InvitationViewRole,
-  InviteType
+  InviteType,
+  UnmanagedAttributePolicy
 } from '@credebl/enum/enum';
 
 import {
@@ -65,7 +68,9 @@ export class EcosystemService {
     private readonly emailService: EmailService,
     private readonly organizationRepository: OrganizationRepository,
     private readonly userRepository: UserRepository,
-    private readonly clientRegistrationService: ClientRegistrationService
+    private readonly clientRegistrationService: ClientRegistrationService,
+    private readonly commonService: CommonService,
+    private readonly keycloakUrlService: KeycloakUrlService
   ) {}
 
   private readonly logger = new Logger(EcosystemService.name);
@@ -968,6 +973,10 @@ export class EcosystemService {
       throw new BadRequestException(ResponseMessages.ecosystem.error.invalidEcosystemEnabledFlag);
     }
 
+    if (isEcosystemEnabled) {
+      await this.checkUnmanagedAttributeEnabled();
+    }
+
     await this.ecosystemRepository.updateEcosystemConfig({
       isEcosystemEnabled,
       userId: platformAdminId
@@ -978,6 +987,24 @@ export class EcosystemService {
     };
   }
 
+  private async checkUnmanagedAttributeEnabled(): Promise<void> {
+    const realmName = process.env.KEYCLOAK_REALM;
+    const token = await this.clientRegistrationService.getPlatformManagementToken();
+
+    if (!realmName || !token) {
+      throw new InternalServerErrorException(ResponseMessages.ecosystem.error.keycloakRealmOrTokenMissing);
+    }
+
+    const userProfileUrl = await this.keycloakUrlService.GetUserProfileURL(realmName);
+    const profileConfig = await this.commonService.httpGet(userProfileUrl, {
+      headers: { authorization: `Bearer ${token}` }
+    });
+
+    if (!profileConfig || UnmanagedAttributePolicy.ENABLED !== profileConfig.unmanagedAttributePolicy) {
+      throw new BadRequestException(ResponseMessages.ecosystem.error.unmanagedAttributeNotEnabled);
+    }
+  }
+
   async getDashboardCountEcosystem(): Promise<IPlatformDashboardCount> {
     return this.ecosystemRepository.getDashBoardCountPlatformAdmin();
   }
diff --git a/libs/common/src/response-messages/index.ts b/libs/common/src/response-messages/index.ts
@@ -299,7 +299,10 @@ export const ResponseMessages = {
       ecosystemMemberStatusFail: 'Failed to update ecosystem member status',
       failedEcosystemOrgUpdate: 'Failed to update ecosystem org',
       invitationMemberfail: 'Failed to fetch invitation members',
-      invalidEcosystemEnabledFlag: 'Invalid ecosystem enabled flag'
+      invalidEcosystemEnabledFlag: 'Invalid ecosystem enabled flag',
+      keycloakRealmOrTokenMissing: 'Keycloak realm is not configured or management token could not be obtained',
+      unmanagedAttributeNotEnabled:
+        'Unmanaged attributes are not enabled in Keycloak. Please enable unmanaged attributes in Keycloak realm settings (Realm Settings > User Profile > Unmanaged Attributes) before enabling the ecosystem feature'
     }
   },
   schema: {
diff --git a/libs/keycloak-config/src/keycloak-config.service.ts b/libs/keycloak-config/src/keycloak-config.service.ts
diff --git a/package.json b/package.json
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml

Original file line number	Diff line number	Diff line change
`@@ -1,4 +1,4 @@`
`1`		`-FROM node:24-alpine3.21`
	`1`	`+FROM node:24-alpine3.23`
`2`	`2`	`RUN apk update && apk upgrade && apk add --no-cache \`
`3`	`3`	`postgresql-client \`
`4`	`4`	`openssl \`