feat: enhance identities management with new invitation handling and search filters

- Introduced functionality to manage expired invitations for identities, allowing for better tracking and re-invitation processes.
- Updated the IdentitiesCrudController to include new query parameters for filtering based on invitation expiration.
- Enhanced the PasswdService to support initialization of outdated identities, improving user management capabilities.
- Refactored search logic to accommodate new filters, ensuring efficient data retrieval and handling.
- Added new UI components for displaying and managing outdated identities in the frontend.

Author: tacxou

apps/api/src/management/identities/_schemas/identities.schema.ts

@@ -99,4 +99,5 @@ export const IdentitiesSchema = SchemaFactory.createForClass(Identities)
       return ctx.inetOrgPerson.employeeType === 'LOCAL';
     },
   })
-  .index({ 'inetOrgPerson.employeeNumber': 1, 'inetOrgPerson.employeeType': 1 }, { unique: true });
+  .index({ 'inetOrgPerson.employeeNumber': 1, 'inetOrgPerson.employeeType': 1 }, { unique: true })
+  .index({ initState: 1, 'initInfo.initDate': 1, deletedFlag: 1 });

apps/api/src/management/identities/identities-crud.controller.ts

@@ -1,24 +1,6 @@
-import {
-  BadRequestException,
-  Body,
-  Controller,
-  Delete,
-  Get,
-  HttpStatus,
-  Param,
-  Patch,
-  Post,
-  Query,
-  Res,
-} from '@nestjs/common';
+import { BadRequestException, Body, Controller, Get, HttpStatus, Param, Patch, Post, Query, Res } from '@nestjs/common';
 import { ApiOperation, ApiParam, ApiTags } from '@nestjs/swagger';
-import {
-  FilterOptions,
-  filterSchema,
-  FilterSchema,
-  SearchFilterOptions,
-  SearchFilterSchema,
-} from '~/_common/restools';
+import { FilterOptions, filterSchema, FilterSchema, SearchFilterOptions, SearchFilterSchema } from '~/_common/restools';
 import { Response } from 'express';
 import { Document, Types } from 'mongoose';
 import { AbstractController } from '~/_common/abstracts/abstract.controller';
@@ -39,6 +21,13 @@ import { TransformersFilestorageService } from '~/core/filestorage/_services/tra
 import { IdentitiesCrudService } from '~/management/identities/identities-crud.service';
 import { UseRoles } from '~/_common/decorators/use-roles.decorator';
 import { AC_ACTIONS, AC_DEFAULT_POSSESSION } from '~/_common/types/ac-types';
+import { PasswdadmService } from '~/settings/passwdadm.service';
+import {
+  buildExpiredInitInvitationFilter,
+  buildNonExpiredInitInvitationFilter,
+  INIT_INVITATION_EXPIRED_QUERY_PARAM,
+  parseInitInvitationExpiredQuery,
+} from '~/management/passwd/init-invitation-expiration.helper';
 
 @ApiTags('management/identities')
 @Controller('identities')
@@ -48,6 +37,7 @@ export class IdentitiesCrudController extends AbstractController {
     protected readonly _validation: IdentitiesValidationService,
     protected readonly filestorage: FilestorageService,
     private readonly transformerService: TransformersFilestorageService,
+    private readonly passwdadmService: PasswdadmService,
   ) {
     super();
   }
@@ -96,16 +86,12 @@ export class IdentitiesCrudController extends AbstractController {
       body.inetOrgPerson.employeeType = 'LOCAL';
     }
     if (!body.inetOrgPerson.cn) {
-      body.inetOrgPerson.cn = [
-        body.inetOrgPerson.sn?.toUpperCase(),
-        body.inetOrgPerson.givenName,
-      ].join(' ').trim();
+      body.inetOrgPerson.cn = [body.inetOrgPerson.sn?.toUpperCase(), body.inetOrgPerson.givenName].join(' ').trim();
     }
     if (!body.inetOrgPerson.displayName) {
-      body.inetOrgPerson.displayName = [
-        body.inetOrgPerson.givenName,
-        body.inetOrgPerson.sn?.toUpperCase(),
-      ].join(' ').trim();
+      body.inetOrgPerson.displayName = [body.inetOrgPerson.givenName, body.inetOrgPerson.sn?.toUpperCase()]
+        .join(' ')
+        .trim();
     }
     const data = await this._service.create<Identities>(body);
     // If the state is TO_COMPLETE, the identity is created but additional fields are missing or invalid
@@ -165,45 +151,62 @@ export class IdentitiesCrudController extends AbstractController {
     @Query('search') search: string,
     @SearchFilterSchema() searchFilterSchema: FilterSchema,
     @SearchFilterOptions({ allowUnlimited: true }) searchFilterOptions: FilterOptions,
-  ): Promise<Response<{
-    statusCode: number;
-    data?: Document<Identities, any, Identities>;
-    total?: number;
-    message?: string;
-    validations?: MixedValue;
-  }>> {
-    const searchFilter = {}
+    @Query(INIT_INVITATION_EXPIRED_QUERY_PARAM) initInvitationExpired: string,
+  ): Promise<
+    Response<{
+      statusCode: number;
+      data?: Document<Identities, any, Identities>;
+      total?: number;
+      message?: string;
+      validations?: MixedValue;
+    }>
+  > {
+    const searchFilters = [];
     // Par défaut, on cache les identités "ne pas synchroniser" dans la recherche.
     // Si le client fournit déjà un filtre `state`, on ne l'écrase pas.
     // Le type `FilterSchema` est récursif (valeurs attendues), alors que pour Mongo on injecte parfois
     // des opérateurs comme `{ $ne: ... }`. On garde un cast `any` ici côté controller.
-    const effectiveSearchFilterSchema: any = { ...searchFilterSchema }
+    const effectiveSearchFilterSchema: any = { ...searchFilterSchema };
     if (!Object.prototype.hasOwnProperty.call(effectiveSearchFilterSchema, 'state')) {
-      effectiveSearchFilterSchema.state = { $ne: IdentityState.DONT_SYNC }
+      effectiveSearchFilterSchema.state = { $ne: IdentityState.DONT_SYNC };
     }
 
     if (search && search.trim().length > 0) {
-      const searchRequest = {}
-      searchRequest['$or'] = Object.keys(IdentitiesCrudController.searchFields).map((key) => {
-        return { [key]: { $regex: `^${search}`, $options: 'i' } }
-      }).filter(item => item !== undefined)
-      searchFilter['$and'] = [searchRequest]
-      searchFilter['$and'].push(effectiveSearchFilterSchema)
+      const searchRequest = {};
+      searchRequest['$or'] = Object.keys(IdentitiesCrudController.searchFields)
+        .map((key) => {
+          return { [key]: { $regex: `^${search}`, $options: 'i' } };
+        })
+        .filter((item) => item !== undefined);
+      searchFilters.push(searchRequest);
+      searchFilters.push(effectiveSearchFilterSchema);
     } else {
-      Object.assign(searchFilter, effectiveSearchFilterSchema)
+      searchFilters.push(effectiveSearchFilterSchema);
+    }
+
+    const expiredQuery = parseInitInvitationExpiredQuery(initInvitationExpired);
+    if (expiredQuery !== null) {
+      const policies = await this.passwdadmService.getPolicies();
+      searchFilters.push(
+        expiredQuery
+          ? buildExpiredInitInvitationFilter(policies?.initTokenTTL)
+          : buildNonExpiredInitInvitationFilter(policies?.initTokenTTL),
+      );
     }
 
+    const searchFilter = searchFilters.length === 1 ? searchFilters[0] : { $and: searchFilters };
+
     const [data, total] = await this._service.findAndCount(
       searchFilter,
       IdentitiesCrudController.projection,
       searchFilterOptions,
-    )
+    );
 
     return res.status(HttpStatus.OK).json({
       statusCode: HttpStatus.OK,
       total,
       data,
-    })
+    });
   }
 
   @Get(':_id([0-9a-fA-F]{24})')
@@ -255,24 +258,30 @@ export class IdentitiesCrudController extends AbstractController {
   @ApiOperation({ summary: "Compte le nombre d'identitées en fonctions des filtres fournis via un body de counts" })
   public async countAll(
     @Res() res: Response,
-    @Body() body: {
+    @Body()
+    body: {
       [key: string]: FilterSchema;
     },
     @SearchFilterOptions() searchFilterOptions: FilterOptions,
-  ): Promise<Response<{
-    statusCode: number;
-    data: {
-      [key: string]: number;
-    };
-  }>> {
-    let filters: Record<string, FilterSchema>
+  ): Promise<
+    Response<{
+      statusCode: number;
+      data: {
+        [key: string]: number;
+      };
+    }>
+  > {
+    let filters: Record<string, FilterSchema>;
     try {
-      filters = Object.entries(body).reduce((acc, [key, value]) => {
-        acc[key] = filterSchema(value)
-        return acc
-      }, {} as Record<string, FilterSchema>)
+      filters = Object.entries(body).reduce(
+        (acc, [key, value]) => {
+          acc[key] = filterSchema(value);
+          return acc;
+        },
+        {} as Record<string, FilterSchema>,
+      );
     } catch (error: any) {
-      throw new BadRequestException(error?.message ?? 'Invalid filters')
+      throw new BadRequestException(error?.message ?? 'Invalid filters');
     }
 
     const data = await this._service.countAll(filters, searchFilterOptions);

apps/api/src/management/passwd/init-invitation-expiration.helper.ts

@@ -0,0 +1,54 @@
+import { FilterQuery } from 'mongoose';
+import { InitStatesEnum } from '~/management/identities/_enums/init-state.enum';
+import { Identities } from '~/management/identities/_schemas/identities.schema';
+
+export const INIT_INVITATION_EXPIRED_QUERY_PARAM = 'initInvitationExpired';
+export const DEFAULT_INIT_TOKEN_TTL_SECONDS = 604800;
+
+export function getInitInvitationExpirationCutoff(
+  ttlSeconds: number | string | undefined | null,
+  now: Date = new Date(),
+): Date {
+  const parsedTtlSeconds = Number(ttlSeconds);
+  const safeTtlSeconds =
+    Number.isFinite(parsedTtlSeconds) && parsedTtlSeconds > 0 ? parsedTtlSeconds : DEFAULT_INIT_TOKEN_TTL_SECONDS;
+
+  return new Date(now.getTime() - safeTtlSeconds * 1000);
+}
+
+export function buildExpiredInitInvitationFilter(
+  ttlSeconds: number | string | undefined | null,
+  now: Date = new Date(),
+): FilterQuery<Identities> {
+  return {
+    initState: InitStatesEnum.SENT,
+    'initInfo.initDate': { $lt: getInitInvitationExpirationCutoff(ttlSeconds, now) },
+  };
+}
+
+export function buildNonExpiredInitInvitationFilter(
+  ttlSeconds: number | string | undefined | null,
+  now: Date = new Date(),
+): FilterQuery<Identities> {
+  const cutoff = getInitInvitationExpirationCutoff(ttlSeconds, now);
+
+  return {
+    initState: InitStatesEnum.SENT,
+    $or: [
+      { 'initInfo.initDate': { $gte: cutoff } },
+      { 'initInfo.initDate': { $exists: false } },
+      { 'initInfo.initDate': null },
+    ],
+  };
+}
+
+export function parseInitInvitationExpiredQuery(value: unknown): boolean | null {
+  if (value === undefined || value === null || value === '') return null;
+  if (typeof value === 'boolean') return value;
+
+  const normalized = String(value).trim().toLowerCase();
+  if (/^(1|true|on|yes)$/i.test(normalized)) return true;
+  if (/^(0|false|off|no)$/i.test(normalized)) return false;
+
+  return null;
+}

apps/api/src/management/passwd/passwd.controller.ts

@@ -2,6 +2,7 @@ import { Body, Controller, Get, HttpStatus, Logger, Post, Res } from '@nestjs/co
 import { ApiOperation, ApiResponse, ApiTags } from '@nestjs/swagger';
 import { Response } from 'express';
 import { Document } from 'mongoose';
+import { FilterOptions, SearchFilterOptions } from '~/_common/restools';
 import { Identities } from '~/management/identities/_schemas/identities.schema';
 import { InitAccountDto } from '~/management/passwd/_dto/init-account.dto';
 import { InitManyDto } from '~/management/passwd/_dto/init-many.dto';
@@ -20,15 +21,15 @@ export class PasswdController {
   public constructor(
     private passwdService: PasswdService,
     private passwdadmService: PasswdadmService,
-  ) { }
+  ) {}
 
   @Post('change')
   @ApiOperation({ summary: 'Execute un job de changement de mot de passe sur le/les backends' })
   @ApiResponse({ status: HttpStatus.OK, description: 'Mot de passe synchronisé sur le/les backends' })
   public async change(@Body() body: ChangePasswordDto, @Res() res: Response): Promise<Response> {
     const debug = {};
 
-    const [_, data] = await this.passwdService.change(body);
+    const [, data] = await this.passwdService.change(body);
     this.logger.log(`Call passwd change for : ${body.uid}`);
 
     if (process.env.NODE_ENV === 'development') {
@@ -49,7 +50,7 @@ export class PasswdController {
     const debug = {};
     this.logger.log('Reset by code : ' + body.token + ' code : ' + body.code);
     try {
-      const [_, data] = await this.passwdService.resetByCode(body);
+      const [, data] = await this.passwdService.resetByCode(body);
       if (process.env.NODE_ENV === 'development') {
         debug['_debug'] = data;
       }
@@ -58,21 +59,20 @@ export class PasswdController {
         message: 'Password changed',
         ...debug,
       });
-    } catch (e) {
+    } catch {
       return res.status(HttpStatus.BAD_REQUEST).json({
         message: 'Erreur serveur',
         ...debug,
       });
     }
-
   }
 
   @Post('reset')
   @ApiOperation({ summary: 'Execute un job de réinitialisation de mot de passe sur le/les backends' })
   @ApiResponse({ status: HttpStatus.OK })
   public async reset(@Body() body: ResetPasswordDto, @Res() res: Response): Promise<Response> {
     const debug = {};
-    const [_, data] = await this.passwdService.reset(body);
+    const [, data] = await this.passwdService.reset(body);
 
     if (process.env.NODE_ENV === 'development') {
       debug['_debug'] = data;
@@ -115,6 +115,20 @@ export class PasswdController {
     });
   }
 
+  @Post('initoutdated')
+  @ApiOperation({ summary: "Initialise toutes les identités dont l'invitation est périmée" })
+  @ApiResponse({ status: HttpStatus.OK })
+  public async initOutdated(
+    @Body() body: Pick<InitManyDto, 'template' | 'variables'>,
+    @Res() res: Response,
+  ): Promise<Response> {
+    const data = await this.passwdService.initOutdated(body);
+    return res.status(HttpStatus.OK).json({
+      message: 'identités initialisées',
+      data,
+    });
+  }
+
   @Post('initreset')
   @ApiOperation({ summary: 'Demande l envoi de mail pour le reset' })
   @ApiResponse({ status: HttpStatus.OK })
@@ -131,16 +145,18 @@ export class PasswdController {
 
   @Get('ioutdated')
   @ApiOperation({ summary: 'Compte donc l invitation d init n a pas été repondue dans les temps' })
-  public async search(@Res() res: Response): Promise<
+  public async search(
+    @Res() res: Response,
+    @SearchFilterOptions() searchFilterOptions: FilterOptions,
+  ): Promise<
     Response<
       {
         data?: Document<Identities, any, Identities>;
       },
       any
     >
   > {
-    const data = await this.passwdService.checkInitOutDated();
-    const total = data.length;
+    const [data, total] = await this.passwdService.checkInitOutDated(searchFilterOptions);
     return res.status(HttpStatus.OK).json({
       statusCode: HttpStatus.OK,
       total,