Aller au contenu principal

Technical Constraints and Integration Requirements

Existing Technology Stack​

Languages: TypeScript (both frontend and backend) Frameworks: NestJS API with TypeORM, Next.js 15 with App Router, React 19, Material-UI Database: PostgreSQL with TypeORM for type-safe operations Infrastructure: Cloud deployment for independent API and frontend services Authentication: Custom JWT with Passport (passport-local + passport-jwt), bcrypt for password hashing External Dependencies: Swagger for API docs

Integration Approach​

Database Integration Strategy:

  • Leverage existing foreign key relationships (clientId) for tenant isolation - no new tenant_id columns needed
  • Enhance User entity with clientAccess array to support multi-client access for EMTB staff
  • Use database-level constraints and indexes on existing relationships to enforce tenant isolation
  • Leverage TypeORM query builders and middleware for automatic tenant filtering on all queries

API Integration Strategy:

  • Extend existing NestJS Passport guards (JwtAuthGuard, LocalStrategy) for role-based authorization
  • Implement tenant context injection from custom JWT tokens into NestJS request pipeline
  • Add role validation decorators (@Roles, @RequireTenantAccess) to existing controllers
  • Maintain existing Swagger documentation while adding security schema definitions

Frontend Integration Strategy:

  • Create authentication hooks to access JWT token claims (role, clientId, clientAccess)
  • Implement role-based route protection using Next.js middleware and JWT verification
  • Create role-aware components that conditionally render UI elements based on permissions
  • Extend existing MUI layouts with role-based navigation and menu systems

Testing Integration Strategy:

  • Extend existing Jest test suites with role-based test scenarios for all API endpoints
  • Add tenant isolation tests to ensure no cross-tenant data access
  • Create role-based UI testing scenarios using existing testing framework
  • Implement security-focused integration tests for authentication flows

Code Organization and Standards​

File Structure Approach: Follow existing monorepo structure with security enhancements in:

  • apps/api/src/auth/ - Auth service, strategies (LocalStrategy âś…, JwtStrategy âś…), controllers
  • apps/api/src/auth/guards/ - Authorization guards (JwtAuthGuard âś…, RolesGuard âś…, TenantAccessGuard NEW)
  • apps/frontend/src/lib/auth/ - Custom auth hooks for JWT token management
  • apps/frontend/src/ui/rbac/ - Role-based UI components

Naming Conventions: Maintain existing TypeScript/NestJS naming patterns:

  • Role-based decorators: @RequireRoles(), @RequireTenant()
  • Guard classes: RoleBasedAuthGuard, TenantIsolationGuard
  • Service classes: RoleService, TenantService

Coding Standards: Follow existing ESLint and Prettier configurations with additional security-focused rules:

  • Mandatory authorization checks on all new API endpoints
  • Explicit tenant context validation in all database operations
  • Type-safe role definitions using TypeScript enums and interfaces

Deployment and Operations​

Build Process Integration: Enhance existing build scripts with:

  • Database migration scripts for enhancing User entity with clientAccess array
  • Environment variable validation for JWT_SECRET and JWT_REFRESH_SECRET
  • Security testing as part of existing CI/CD pipeline

Deployment Strategy: Leverage existing cloud infrastructure with:

  • Zero-downtime deployment using existing independent service architecture
  • Database migrations executed during maintenance windows
  • Feature flags for gradual rollout of RBAC functionality

Monitoring and Logging: Extend existing logging with:

  • Security audit logs for all authorization decisions
  • Performance monitoring of authorization overhead
  • Tenant isolation verification alerts

Configuration Management: Enhance existing environment configuration:

  • Role definitions managed in database (User.role field)
  • JWT configuration (JWT_SECRET, JWT_EXPIRES_IN, JWT_REFRESH_SECRET)
  • Tenant isolation settings

Risk Assessment and Mitigation​

Technical Risks:

  • Database migration complexity for enhancing User entity with clientAccess array
  • Performance impact of authorization middleware on existing API endpoints
  • JWT token size increase when adding clientAccess array to payload

Integration Risks:

  • Breaking existing custom JWT authentication flow during enhancement
  • Frontend component compatibility with new role-based rendering logic
  • Data integrity during User entity migration to support multi-client access

Deployment Risks:

  • Data isolation failures during migration leading to cross-tenant access
  • Authorization bypass vulnerabilities in existing API endpoints
  • User access disruption during role-based authentication rollout

Mitigation Strategies:

  • Comprehensive database backup and rollback procedures before migration
  • Feature flag implementation allowing gradual RBAC rollout per user segment
  • Extensive security testing including penetration testing of tenant isolation
  • Staging environment replication of production data for migration validation