Recurring solutions to reuse. Generated scopes should reference these rather than inventing new approaches.

## Authentication (via ensign-sso)

- JWT issued by ensign-sso (24h), HS256, `iss: ensign-sso`, `aud: ensign-apps`. Claims: `sub` (user id), `company_id`, `email`, `roles`.
- **Web** uses an HttpOnly `access_token` cookie; **mobile/API** uses `Authorization: Bearer`.
- commander-api applies `JwtVerificationGuard` globally; mark open routes with `@Public()`.
- **Never `jwt.decode()`** — always verify via `JwtVerificationService.verifyToken()`.
- CSRF for cookie auth: server sets `XSRF-TOKEN`, client echoes it in `X-CSRF-Token`.
- Token refresh is transparent — frontend middleware intercepts 401s and refreshes.

## Backend (commander-api, NestJS)

- Extend **`BaseService<Entity, CreateDto, UpdateDto>`** for CRUD — gives pagination, soft-delete filtering, and auto `company_id` injection via `RequestContextService`.
- Extend **`BaseEntity`** for standard columns (id, company_id, timestamps, deleted_at).
- Module shape: `controller / service / module / dto/ / entities/ / enums/`.
- Pull JWT claims with `@GetUserId()`, `@GetCompanyId()`, `@GetUser()`, `@GetUserRoles()`.
- Sanitise inputs with the DTO decorators (`@SanitizeText()`, `@SanitizeHTML()`, `@SanitizeEmail()`…).
- Avoid N+1: `leftJoinAndSelect`, relation depth ≤ 3, paginate with `getManyAndCount()`, cap ~500 rows.

## Caching & limits (Redis)

- HTTP GET responses cached ~5 min, company-scoped keys (`TenantCacheInterceptor`); opt out with `@NoCache()`.
- Declare invalidation with `@InvalidateCache(['pattern/{id}'])`.
- Rate limit defaults: 100 req/min/IP (+ burst 20/10s); tune with `@Throttle()` / `@SkipThrottle()`.

## Frontend (project-commander, Next.js)

- **Type-safe API client**: `openapi-fetch` against generated types (`generate:types:dev`) — regenerate after backend changes.
- **Server Actions** for data fetching; **Redux Toolkit** slices (createSlice + createAsyncThunk) per domain entity, persisted with Redux Persist.
- Data grids use **TanStack Table**; forms use **React Hook Form + Zod**.
- Standalone Docker build; `@/*` path aliases.

## Data rules (apply everywhere)

- Multi-tenant: every record scoped by `company_id`, enforced server-side.
- Soft delete only (`deleted_at`); never hard delete business data.
- Money as `decimal(40,2)`; the API rounds NUMERIC to 2 places.
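Why the Authentication rule above forbids `jwt.decode()`: the following is an added example, not commander-api's `JwtVerificationService`, showing what a verify step must check for an ensign-sso token (HS256, `iss`, `aud`, `exp`) and how a decode-only path accepts a token minted with any secret. It uses Node's `crypto` only; the secret and claim values callers pass are constructed fixtures.

```typescript
// Added example, not commander-api's JwtVerificationService: HS256 verification
// with Node's crypto only, pinning alg/iss/aud per the ensign-sso contract.
// The secret and claim values used by callers are constructed test fixtures.
import { createHmac, timingSafeEqual } from "crypto";

export interface Claims {
  sub: string; company_id: string; email: string; roles: string[];
  iss: string; aud: string; exp: number;
}

const b64url = (s: string): string => Buffer.from(s).toString("base64url");
const fromB64url = (s: string): string => Buffer.from(s, "base64url").toString();

// Mint a token the way an HS256 issuer would (fixture for the demo only).
export function sign(claims: Claims, secret: string): string {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const payload = b64url(JSON.stringify(claims));
  const sig = createHmac("sha256", secret).update(`${header}.${payload}`).digest("base64url");
  return `${header}.${payload}.${sig}`;
}

// The forbidden pattern: jwt.decode() semantics. Reads claims, checks nothing,
// so a token minted with any secret is taken at face value.
export function decodeUnsafe(token: string): Claims {
  return JSON.parse(fromB64url(token.split(".")[1] ?? "")) as Claims;
}

// The required pattern: pinned alg, constant-time signature check, then
// iss, aud and exp as ensign-sso issues them. `now` is injectable for tests.
export function verifyToken(
  token: string, secret: string, now: number = Math.floor(Date.now() / 1000),
): Claims {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const [h, p, s] = parts as [string, string, string];
  const header = JSON.parse(fromB64url(h)) as { alg?: string };
  if (header.alg !== "HS256") throw new Error("unexpected alg"); // rejects alg=none and other algorithms
  const expected = createHmac("sha256", secret).update(`${h}.${p}`).digest();
  const given = Buffer.from(s, "base64url");
  if (expected.length !== given.length || !timingSafeEqual(expected, given)) {
    throw new Error("bad signature");
  }
  const claims = JSON.parse(fromB64url(p)) as Claims;
  if (claims.iss !== "ensign-sso") throw new Error("bad issuer");
  if (claims.aud !== "ensign-apps") throw new Error("bad audience");
  if (typeof claims.exp !== "number" || claims.exp <= now) throw new Error("expired");
  return claims;
}
```

In a guard, the verified `Claims` object is what `@GetUserRoles()` and `@GetCompanyId()` should be fed; anything read from `decodeUnsafe` is attacker-controlled input.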