hrms-bangkok/hrms-api-org
7
0
Fork 0
Code Issues Pull requests Projects Releases Packages 1 Wiki Activity Actions

add script update org and sync keycloak, setup time run cronjob
All checks were successful
Build & Deploy on Dev / build (push) Successful in 1m26s
Details

Browse source
This commit is contained in:
Warunee Tamkoo 2026-02-27 10:05:13 +07:00
parent 911d9b6bc5
commit b714dfe239
7 changed files with 1694 additions and 15 deletions
Download patch file Download diff file Expand all files Collapse all files

44
src/app.ts
View file

@ -15,6 +15,7 @@ import { logMemoryStore } from "./utils/LogMemoryStore";
import { orgStructureCache } from "./utils/OrgStructureCache";
import { CommandController } from "./controllers/CommandController";
import { ProfileSalaryController } from "./controllers/ProfileSalaryController";
import { ScriptProfileOrgController } from "./controllers/ScriptProfileOrgController";
import { DateSerializer } from "./interfaces/date-serializer";
import { initWebSocket } from "./services/webSocket";
@ -52,19 +53,8 @@ async function main() {
const APP_HOST = process.env.APP_HOST || "0.0.0.0";
const APP_PORT = +(process.env.APP_PORT || 3000);
const cronTime = "0 0 3 * * *"; // ตั้งเวลาทุกวันเวลา 03:00:00
// const cronTime = "*/10 * * * * *";
cron.schedule(cronTime, async () => {
try {
const orgController = new OrganizationController();
await orgController.cronjobRevision();
} catch (error) {
console.error("Error executing function from controller:", error);
}
});
const cronTime_command = "0 0 2 * * *";
// const cronTime_command = "*/10 * * * * *";
// Cron job for executing command - every day at 00:30:00
const cronTime_command = "0 30 0 * * *";
cron.schedule(cronTime_command, async () => {
try {
const commandController = new CommandController();
@ -74,7 +64,19 @@ async function main() {
}
});
const cronTime_Oct = "0 0 1 10 *";
// Cron job for updating org revision - every day at 01:00:00
const cronTime = "0 0 1 * * *";
cron.schedule(cronTime, async () => {
try {
const orgController = new OrganizationController();
await orgController.cronjobRevision();
} catch (error) {
console.error("Error executing function from controller:", error);
}
});
// Cron job for updating retirement status - every day at 02:00:00 on the 1st of October
const cronTime_Oct = "0 0 2 10 *";
cron.schedule(cronTime_Oct, async () => {
try {
const commandController = new CommandController();
@ -84,7 +86,19 @@ async function main() {
}
});
const cronTime_Tenure = "0 0 0 * * *";
// Cron job for updating org DNA - every day at 03:00:00
const cronTime_UpdateOrg = "0 0 3 * * *";
cron.schedule(cronTime_UpdateOrg, async () => {
try {
const scriptProfileOrgController = new ScriptProfileOrgController();
await scriptProfileOrgController.cronjobUpdateOrg({} as any);
} catch (error) {
console.error("Error executing cronjobUpdateOrg:", error);
}
});
// Cron job for updating tenure - every day at 04:00:00
const cronTime_Tenure = "0 0 4 * * *";
cron.schedule(cronTime_Tenure, async () => {
try {
const profileSalaryController = new ProfileSalaryController();

254
src/controllers/KeycloakSyncController.ts Normal file
View file

@ -0,0 +1,254 @@
import {
Controller,
Post,
Get,
Route,
Security,
Tags,
Path,
Request,
Response,
Query,
Body,
} from "tsoa";
import { KeycloakAttributeService } from "../services/KeycloakAttributeService";
import HttpSuccess from "../interfaces/http-success";
import HttpStatus from "../interfaces/http-status";
import HttpError from "../interfaces/http-error";
import { RequestWithUser } from "../middlewares/user";
@Route("api/v1/org/keycloak-sync")
@Tags("Keycloak Sync")
@Security("bearerAuth")
@Response(
HttpStatus.INTERNAL_SERVER_ERROR,
"เกิดข้อผิดพลาด ไม่สามารถดำเนินการได้ กรุณาลองใหม่ในภายหลัง",
)
export class KeycloakSyncController extends Controller {
private keycloakAttributeService = new KeycloakAttributeService();
/**
* Sync attributes for the current logged-in user
*
* @summary Sync profileId and rootDnaId to Keycloak for current user
*/
@Post("sync-me")
async syncCurrentUser(@Request() request: RequestWithUser) {
const keycloakUserId = request.user.sub;
if (!keycloakUserId) {
throw new HttpError(HttpStatus.UNAUTHORIZED, "ไม่พบ Keycloak user ID");
}
// Get attributes from database before sync
const dbAttrs = await this.keycloakAttributeService.getUserProfileAttributes(keycloakUserId);
const success = await this.keycloakAttributeService.syncUserAttributes(keycloakUserId);
if (!success) {
throw new HttpError(
HttpStatus.INTERNAL_SERVER_ERROR,
"ไม่สามารถ sync ข้อมูลไปยัง Keycloak ได้ กรุณาติดต่อผู้ดูแลระบบ",
);
}
// Verify sync by fetching attributes from Keycloak after update
const kcAttrsAfter =
await this.keycloakAttributeService.getCurrentKeycloakAttributes(keycloakUserId);
return new HttpSuccess({
message: "Sync ข้อมูลสำเร็จ",
syncedToKeycloak: !!kcAttrsAfter?.profileId,
databaseAttributes: dbAttrs,
keycloakAttributesAfter: kcAttrsAfter,
});
}
/**
* Get current attributes of the logged-in user
*
* @summary Get current profileId and rootDnaId from Keycloak
*/
@Get("my-attributes")
async getMyAttributes(@Request() request: RequestWithUser) {
const keycloakUserId = request.user.sub;
if (!keycloakUserId) {
throw new HttpError(HttpStatus.UNAUTHORIZED, "ไม่พบ Keycloak user ID");
}
const keycloakAttributes =
await this.keycloakAttributeService.getCurrentKeycloakAttributes(keycloakUserId);
const dbAttributes =
await this.keycloakAttributeService.getUserProfileAttributes(keycloakUserId);
return new HttpSuccess({
keycloakAttributes,
databaseAttributes: dbAttributes,
});
}
/**
* Sync attributes for a specific profile (Admin only)
*
* @summary Sync profileId and rootDnaId to Keycloak by profile ID (ADMIN)
*
* @param {string} profileId Profile ID
* @param {string} profileType Profile type (PROFILE or PROFILE_EMPLOYEE)
*/
@Post("sync-profile/:profileId")
async syncByProfileId(
@Path() profileId: string,
@Query() profileType: "PROFILE" | "PROFILE_EMPLOYEE" = "PROFILE",
) {
if (!["PROFILE", "PROFILE_EMPLOYEE"].includes(profileType)) {
throw new HttpError(
HttpStatus.BAD_REQUEST,
"profileType ต้องเป็น PROFILE หรือ PROFILE_EMPLOYEE เท่านั้น",
);
}
const success = await this.keycloakAttributeService.syncOnOrganizationChange(
profileId,
profileType,
);
if (!success) {
throw new HttpError(
HttpStatus.INTERNAL_SERVER_ERROR,
"ไม่สามารถ sync ข้อมูลไปยัง Keycloak ได้ หรือไม่พบข้อมูล profile",
);
}
return new HttpSuccess({ message: "Sync ข้อมูลสำเร็จ" });
}
/**
* Batch sync attributes for multiple profiles (Admin only)
*
* @summary Batch sync profileId and rootDnaId to Keycloak for multiple profiles (ADMIN)
*
* @param {request} request Request body containing profileIds array and profileType
*/
@Post("sync-profiles-batch")
async syncByProfileIds(
@Body() request: { profileIds: string[]; profileType: "PROFILE" | "PROFILE_EMPLOYEE" },
) {
const { profileIds, profileType } = request;
// Validate profileIds
if (!profileIds || profileIds.length === 0) {
throw new HttpError(HttpStatus.BAD_REQUEST, "profileIds ต้องไม่ว่างเปล่า");
}
// Validate profileType
if (!["PROFILE", "PROFILE_EMPLOYEE"].includes(profileType)) {
throw new HttpError(
HttpStatus.BAD_REQUEST,
"profileType ต้องเป็น PROFILE หรือ PROFILE_EMPLOYEE เท่านั้น",
);
}
const result = {
total: profileIds.length,
success: 0,
failed: 0,
details: [] as Array<{ profileId: string; status: "success" | "failed"; error?: string }>,
};
// Process each profileId
for (const profileId of profileIds) {
try {
const success = await this.keycloakAttributeService.syncOnOrganizationChange(
profileId,
profileType,
);
if (success) {
result.success++;
result.details.push({ profileId, status: "success" });
} else {
result.failed++;
result.details.push({
profileId,
status: "failed",
error: "Sync returned false - ไม่พบข้อมูล profile หรือ Keycloak user ID",
});
}
} catch (error: any) {
result.failed++;
result.details.push({ profileId, status: "failed", error: error.message });
}
}
return new HttpSuccess({
message: "Batch sync เสร็จสิ้น",
...result,
});
}
/**
* Batch sync all users (Admin only)
*
* @summary Batch sync all users to Keycloak without limit (ADMIN)
*
* @description Syncs profileId and orgRootDnaId to Keycloak for all users
* that have a keycloak ID. Uses parallel processing for better performance.
*/
@Post("sync-all")
async syncAll() {
const result = await this.keycloakAttributeService.batchSyncUsers();
return new HttpSuccess({
message: "Batch sync เสร็จสิ้น",
total: result.total,
success: result.success,
failed: result.failed,
details: result.details,
});
}
/**
* Ensure Keycloak users exist for all profiles (Admin only)
*
* @summary Create or verify Keycloak users for all profiles in Profile and ProfileEmployee tables (ADMIN)
*
* @description
* This endpoint will:
* - Create new Keycloak users for profiles without a keycloak ID
* - Create new Keycloak users for profiles where the stored keycloak ID doesn't exist in Keycloak
* - Verify existing Keycloak users
* - Skip profiles without a citizenId
*/
@Post("ensure-users")
async ensureAllUsers() {
const result = await this.keycloakAttributeService.batchEnsureKeycloakUsers();
return new HttpSuccess({
message: "Batch ensure Keycloak users เสร็จสิ้น",
...result,
});
}
/**
* Clear orphaned Keycloak users (Admin only)
*
* @summary Delete Keycloak users that are not in the database (ADMIN)
*
* @description
* This endpoint will:
* - Find users in Keycloak that are not referenced in Profile or ProfileEmployee tables
* - Delete those orphaned users from Keycloak
* - Skip protected users (super_admin, admin_issue)
*
* @param {request} request Request body containing skipUsernames array
*/
@Post("clear-orphaned-users")
async clearOrphanedUsers(@Body() request?: { skipUsernames?: string[] }) {
const skipUsernames = request?.skipUsernames || ["super_admin", "admin_issue"];
const result = await this.keycloakAttributeService.clearOrphanedKeycloakUsers(skipUsernames);
return new HttpSuccess({
message: "Clear orphaned Keycloak users เสร็จสิ้น",
...result,
});
}
}

326
src/controllers/ScriptProfileOrgController.ts Normal file
View file

@ -0,0 +1,326 @@
import { Controller, Post, Route, Security, Tags, Request } from "tsoa";
import { AppDataSource } from "../database/data-source";
import HttpSuccess from "../interfaces/http-success";
import HttpStatus from "../interfaces/http-status";
import HttpError from "../interfaces/http-error";
import { RequestWithUser } from "../middlewares/user";
import { MoreThanOrEqual } from "typeorm";
import { PosMaster } from "./../entities/PosMaster";
import axios from "axios";
import { KeycloakSyncController } from "./KeycloakSyncController";
import { EmployeePosMaster } from "./../entities/EmployeePosMaster";
interface OrgUpdatePayload {
profileId: string;
rootDnaId: string | null;
child1DnaId: string | null;
child2DnaId: string | null;
child3DnaId: string | null;
child4DnaId: string | null;
profileType: "PROFILE" | "PROFILE_EMPLOYEE";
}
@Route("api/v1/org/script-profile-org")
@Tags("Keycloak Sync")
@Security("bearerAuth")
export class ScriptProfileOrgController extends Controller {
private posMasterRepo = AppDataSource.getRepository(PosMaster);
private employeePosMasterRepo = AppDataSource.getRepository(EmployeePosMaster);
// Idempotency flag to prevent concurrent runs
private isRunning = false;
// Configurable values
private readonly BATCH_SIZE = parseInt(process.env.CRONJOB_BATCH_SIZE || "100", 10);
private readonly UPDATE_WINDOW_HOURS = parseInt(
process.env.CRONJOB_UPDATE_WINDOW_HOURS || "24",
10,
);
@Post("update-org")
public async cronjobUpdateOrg(@Request() request: RequestWithUser) {
// Idempotency check - prevent concurrent runs
if (this.isRunning) {
console.log("cronjobUpdateOrg: Job already running, skipping this execution");
return new HttpSuccess({
message: "Job already running",
skipped: true,
});
}
this.isRunning = true;
const startTime = Date.now();
try {
const windowStart = new Date(Date.now() - this.UPDATE_WINDOW_HOURS * 60 * 60 * 1000);
console.log("cronjobUpdateOrg: Starting job", {
windowHours: this.UPDATE_WINDOW_HOURS,
windowStart: windowStart.toISOString(),
batchSize: this.BATCH_SIZE,
});
// Query with optimized select - only fetch required fields
const [posMasters, posMasterEmployee] = await Promise.all([
this.posMasterRepo.find({
where: {
lastUpdatedAt: MoreThanOrEqual(windowStart),
orgRevision: {
orgRevisionIsCurrent: true,
},
},
relations: [
"orgRevision",
"orgRoot",
"orgChild1",
"orgChild2",
"orgChild3",
"orgChild4",
"current_holder",
],
select: {
id: true,
current_holderId: true,
lastUpdatedAt: true,
orgRevision: { id: true },
orgRoot: { ancestorDNA: true },
orgChild1: { ancestorDNA: true },
orgChild2: { ancestorDNA: true },
orgChild3: { ancestorDNA: true },
orgChild4: { ancestorDNA: true },
current_holder: { id: true },
},
}),
this.employeePosMasterRepo.find({
where: {
lastUpdatedAt: MoreThanOrEqual(windowStart),
orgRevision: {
orgRevisionIsCurrent: true,
},
},
relations: [
"orgRevision",
"orgRoot",
"orgChild1",
"orgChild2",
"orgChild3",
"orgChild4",
"current_holder",
],
select: {
id: true,
current_holderId: true,
lastUpdatedAt: true,
orgRevision: { id: true },
orgRoot: { ancestorDNA: true },
orgChild1: { ancestorDNA: true },
orgChild2: { ancestorDNA: true },
orgChild3: { ancestorDNA: true },
orgChild4: { ancestorDNA: true },
current_holder: { id: true },
},
}),
]);
console.log("cronjobUpdateOrg: Database query completed", {
posMastersCount: posMasters.length,
employeePosCount: posMasterEmployee.length,
totalRecords: posMasters.length + posMasterEmployee.length,
});
// Build payloads with proper profile type tracking
const payloads = this.buildPayloads(posMasters, posMasterEmployee);
if (payloads.length === 0) {
console.log("cronjobUpdateOrg: No records to process");
return new HttpSuccess({
message: "No records to process",
processed: 0,
});
}
// Update profile's org structure in leave service by calling API
console.log("cronjobUpdateOrg: Calling leave service API", {
payloadCount: payloads.length,
});
await axios.put(`${process.env.API_URL}/leave-beginning/schedule/update-dna`, payloads, {
headers: {
"Content-Type": "application/json",
api_key: process.env.API_KEY,
},
timeout: 30000, // 30 second timeout
});
console.log("cronjobUpdateOrg: Leave service API call successful");
// Group profile IDs by type for proper syncing
const profileIdsByType = this.groupProfileIdsByType(payloads);
// Sync to Keycloak with batching
const keycloakSyncController = new KeycloakSyncController();
const syncResults = {
total: 0,
success: 0,
failed: 0,
byType: {} as Record<string, { total: number; success: number; failed: number }>,
};
// Process each profile type separately
for (const [profileType, profileIds] of Object.entries(profileIdsByType)) {
console.log(`cronjobUpdateOrg: Syncing ${profileType} profiles`, {
count: profileIds.length,
});
const batches = this.chunkArray(profileIds, this.BATCH_SIZE);
const typeResult = { total: profileIds.length, success: 0, failed: 0 };
for (let i = 0; i < batches.length; i++) {
const batch = batches[i];
console.log(
`cronjobUpdateOrg: Processing batch ${i + 1}/${batches.length} for ${profileType}`,
{
batchSize: batch.length,
batchRange: `${i * this.BATCH_SIZE + 1}-${Math.min(
(i + 1) * this.BATCH_SIZE,
profileIds.length,
)}`,
},
);
try {
const batchResult: any = await keycloakSyncController.syncByProfileIds({
profileIds: batch,
profileType: profileType as "PROFILE" | "PROFILE_EMPLOYEE",
});
// Extract result data if available
const resultData = (batchResult as any)?.data || batchResult;
typeResult.success += resultData.success || 0;
typeResult.failed += resultData.failed || 0;
console.log(`cronjobUpdateOrg: Batch ${i + 1}/${batches.length} completed`, {
success: resultData.success || 0,
failed: resultData.failed || 0,
});
} catch (error: any) {
console.error(`cronjobUpdateOrg: Batch ${i + 1}/${batches.length} failed`, {
error: error.message,
batchSize: batch.length,
});
// Count all profiles in failed batch as failed
typeResult.failed += batch.length;
}
}
syncResults.byType[profileType] = typeResult;
syncResults.total += typeResult.total;
syncResults.success += typeResult.success;
syncResults.failed += typeResult.failed;
}
const duration = Date.now() - startTime;
console.log("cronjobUpdateOrg: Job completed", {
duration: `${duration}ms`,
processed: payloads.length,
syncResults,
});
return new HttpSuccess({
message: "Update org completed",
processed: payloads.length,
syncResults,
duration: `${duration}ms`,
});
} catch (error: any) {
const duration = Date.now() - startTime;
console.error("cronjobUpdateOrg: Job failed", {
duration: `${duration}ms`,
error: error.message,
stack: error.stack,
});
throw new HttpError(HttpStatus.INTERNAL_SERVER_ERROR, "Internal server error");
} finally {
this.isRunning = false;
}
}
/**
* Build payloads from PosMaster and EmployeePosMaster records
* Includes proper profile type tracking for accurate Keycloak sync
*/
private buildPayloads(
posMasters: PosMaster[],
posMasterEmployee: EmployeePosMaster[],
): OrgUpdatePayload[] {
const payloads: OrgUpdatePayload[] = [];
// Process PosMaster records (PROFILE type)
for (const posMaster of posMasters) {
if (posMaster.current_holder && posMaster.current_holderId) {
payloads.push({
profileId: posMaster.current_holderId,
rootDnaId: posMaster.orgRoot?.ancestorDNA || null,
child1DnaId: posMaster.orgChild1?.ancestorDNA || null,
child2DnaId: posMaster.orgChild2?.ancestorDNA || null,
child3DnaId: posMaster.orgChild3?.ancestorDNA || null,
child4DnaId: posMaster.orgChild4?.ancestorDNA || null,
profileType: "PROFILE",
});
}
}
// Process EmployeePosMaster records (PROFILE_EMPLOYEE type)
for (const employeePos of posMasterEmployee) {
if (employeePos.current_holder && employeePos.current_holderId) {
payloads.push({
profileId: employeePos.current_holderId,
rootDnaId: employeePos.orgRoot?.ancestorDNA || null,
child1DnaId: employeePos.orgChild1?.ancestorDNA || null,
child2DnaId: employeePos.orgChild2?.ancestorDNA || null,
child3DnaId: employeePos.orgChild3?.ancestorDNA || null,
child4DnaId: employeePos.orgChild4?.ancestorDNA || null,
profileType: "PROFILE_EMPLOYEE",
});
}
}
return payloads;
}
/**
* Group profile IDs by their type for separate Keycloak sync calls
*/
private groupProfileIdsByType(payloads: OrgUpdatePayload[]): Record<string, string[]> {
const grouped: Record<string, string[]> = {
PROFILE: [],
PROFILE_EMPLOYEE: [],
};
for (const payload of payloads) {
grouped[payload.profileType].push(payload.profileId);
}
// Remove empty groups and deduplicate IDs within each group
const result: Record<string, string[]> = {};
for (const [type, ids] of Object.entries(grouped)) {
if (ids.length > 0) {
// Deduplicate while preserving order
result[type] = Array.from(new Set(ids));
}
}
return result;
}
/**
* Split array into chunks of specified size
*/
private chunkArray<T>(array: T[], chunkSize: number): T[][] {
const chunks: T[][] = [];
for (let i = 0; i < array.length; i += chunkSize) {
chunks.push(array.slice(i, i + chunkSize));
}
return chunks;
}
}

139
src/keycloak/index.ts
View file

@ -832,3 +832,142 @@ export async function resetPassword(username: string) {
return false;
}
}
export async function updateUserAttributes(
userId: string,
attributes: Record<string, string[]>,
): Promise<boolean> {
try {
// Get existing user data to preserve other attributes
const existingUser = await getUser(userId);
if (!existingUser) {
console.error(`User ${userId} not found in Keycloak`);
return false;
}
// Merge existing attributes with new attributes
// IMPORTANT: Spread all existing user fields to preserve firstName, lastName, email, etc.
// The Keycloak PUT endpoint performs a full update, so we must include all fields
const updatedAttributes = {
...existingUser,
attributes: {
...(existingUser.attributes || {}),
...attributes,
},
};
console.log(
`[updateUserAttributes] Sending to Keycloak:`,
JSON.stringify(updatedAttributes, null, 2),
);
const res = await fetch(`${KC_URL}/admin/realms/${KC_REALMS}/users/${userId}`, {
headers: {
authorization: `Bearer ${await getToken()}`,
"content-type": "application/json",
},
method: "PUT",
body: JSON.stringify(updatedAttributes),
}).catch((e) => {
console.error(`[updateUserAttributes] Network error:`, e);
return null;
});
if (!res) {
console.error(`[updateUserAttributes] No response from Keycloak`);
return false;
}
if (!res.ok) {
const errorText = await res.text();
console.error(`[updateUserAttributes] Keycloak Error (${res.status}):`, errorText);
return false;
}
console.log(`[updateUserAttributes] Successfully updated attributes for user ${userId}`);
return true;
} catch (error) {
console.error(`[updateUserAttributes] Error updating attributes for user ${userId}:`, error);
return false;
}
}
export async function getAllUsersPaginated(
search: string = "",
batchSize: number = 100,
): Promise<
| Array<{
id: string;
username: string;
firstName?: string;
lastName?: string;
email?: string;
enabled: boolean;
}>
| false
> {
const allUsers: any[] = [];
let first = 0;
let hasMore = true;
while (hasMore) {
const res = await fetch(
`${KC_URL}/admin/realms/${KC_REALMS}/users?first=${first}&max=${batchSize}${search ? `&search=${search}` : ""}`,
{
headers: {
authorization: `Bearer ${await getToken()}`,
"content-type": `application/json`,
},
},
).catch((e) => console.log("Keycloak Error: ", e));
if (!res) return false;
if (!res.ok) {
const errorText = await res.text();
console.error("Keycloak Error Response: ", errorText);
return false;
}
const rawText = await res.text();
try {
const batch = JSON.parse(rawText) as any[];
if (batch.length === 0) {
hasMore = false;
} else {
allUsers.push(...batch);
first += batch.length;
hasMore = batch.length === batchSize;
// Log progress for large datasets
if (allUsers.length % 500 === 0) {
console.log(`[getAllUsersPaginated] Fetched ${allUsers.length} users so far...`);
}
}
} catch (error) {
console.error(`[getAllUsersPaginated] Failed to parse JSON response at offset ${first}:`);
console.error(
`[getAllUsersPaginated] Response preview (first 500 chars):`,
rawText.substring(0, 500),
);
console.error(
`[getAllUsersPaginated] Response preview (last 200 chars):`,
rawText.slice(-200),
);
throw new Error(`Failed to parse Keycloak response as JSON at batch starting at ${first}.`);
}
}
console.log(`[getAllUsersPaginated] Total users fetched: ${allUsers.length}`);
return allUsers.map((v: any) => ({
id: v.id,
username: v.username,
firstName: v.firstName,
lastName: v.lastName,
email: v.email,
enabled: v.enabled === true || v.enabled === "true",
}));
}

10
src/middlewares/auth.ts
View file

@ -75,6 +75,16 @@ export async function expressAuthentication(
request.app.locals.logData.userName = payload.name;
request.app.locals.logData.user = payload.preferred_username;
// เก็บค่า profileId และ orgRootDnaId จาก token (ใช้ค่าว่างถ้าไม่มี)
request.app.locals.logData.profileId = payload.profileId ?? "";
request.app.locals.logData.orgRootDnaId = payload.orgRootDnaId ?? "";
request.app.locals.logData.orgChild1DnaId = payload.orgChild1DnaId ?? "";
request.app.locals.logData.orgChild2DnaId = payload.orgChild2DnaId ?? "";
request.app.locals.logData.orgChild3DnaId = payload.orgChild3DnaId ?? "";
request.app.locals.logData.orgChild4DnaId = payload.orgChild4DnaId ?? "";
request.app.locals.logData.empType = payload.empType ?? "";
request.app.locals.logData.prefix = payload.prefix ?? "";
return payload;
}

8
src/middlewares/user.ts
View file

@ -9,6 +9,14 @@ export type RequestWithUser = Request & {
preferred_username: string;
email: string;
role: string[];
profileId?: string;
prefix?: string;
orgRootDnaId?: string;
orgChild1DnaId?: string;
orgChild2DnaId?: string;
orgChild3DnaId?: string;
orgChild4DnaId?: string;
empType?: string;
};
};

928
src/services/KeycloakAttributeService.ts Normal file
View file

@ -0,0 +1,928 @@
import { AppDataSource } from "../database/data-source";
import { Profile } from "../entities/Profile";
import { ProfileEmployee } from "../entities/ProfileEmployee";
// import { PosMaster } from "../entities/PosMaster";
// import { EmployeePosMaster } from "../entities/EmployeePosMaster";
// import { OrgRoot } from "../entities/OrgRoot";
import {
createUser,
getUser,
getUserByUsername,
updateUserAttributes,
deleteUser,
getRoles,
addUserRoles,
getAllUsersPaginated,
} from "../keycloak";
import { OrgRevision } from "../entities/OrgRevision";
export interface UserProfileAttributes {
profileId: string | null;
orgRootDnaId: string | null;
orgChild1DnaId: string | null;
orgChild2DnaId: string | null;
orgChild3DnaId: string | null;
orgChild4DnaId: string | null;
empType: string | null;
prefix?: string | null;
}
/**
* Keycloak Attribute Service
* Service for syncing profileId and orgRootDnaId to Keycloak user attributes
*/
export class KeycloakAttributeService {
private profileRepo = AppDataSource.getRepository(Profile);
private profileEmployeeRepo = AppDataSource.getRepository(ProfileEmployee);
// private posMasterRepo = AppDataSource.getRepository(PosMaster);
// private employeePosMasterRepo = AppDataSource.getRepository(EmployeePosMaster);
// private orgRootRepo = AppDataSource.getRepository(OrgRoot);
private orgRevisionRepo = AppDataSource.getRepository(OrgRevision);
/**
* Get profile attributes (profileId and orgRootDnaId) from database
* Searches in Profile table first (), then ProfileEmployee ()
*
* @param keycloakUserId - Keycloak user ID
* @returns UserProfileAttributes with profileId and orgRootDnaId
*/
async getUserProfileAttributes(keycloakUserId: string): Promise<UserProfileAttributes> {
// First, try to find in Profile (ข้าราชการ)
const revisionCurrent = await this.orgRevisionRepo.findOne({
where: { orgRevisionIsCurrent: true },
});
const revisionId = revisionCurrent ? revisionCurrent.id : null;
const profileResult = await this.profileRepo
.createQueryBuilder("p")
.leftJoinAndSelect("p.current_holders", "pm")
.leftJoinAndSelect("pm.orgRoot", "orgRoot")
.leftJoinAndSelect("pm.orgChild1", "orgChild1")
.leftJoinAndSelect("pm.orgChild2", "orgChild2")
.leftJoinAndSelect("pm.orgChild3", "orgChild3")
.leftJoinAndSelect("pm.orgChild4", "orgChild4")
.where("p.keycloak = :keycloakUserId", { keycloakUserId })
.andWhere("orgRoot.orgRevisionId = :revisionId", { revisionId })
.getOne();
if (
profileResult &&
profileResult.current_holders &&
profileResult.current_holders.length > 0
) {
const currentPos = profileResult.current_holders[0];
const orgRootDnaId = currentPos.orgRoot?.ancestorDNA || "";
const orgChild1DnaId = currentPos.orgChild1?.ancestorDNA || "";
const orgChild2DnaId = currentPos.orgChild2?.ancestorDNA || "";
const orgChild3DnaId = currentPos.orgChild3?.ancestorDNA || "";
const orgChild4DnaId = currentPos.orgChild4?.ancestorDNA || "";
return {
profileId: profileResult.id,
orgRootDnaId,
orgChild1DnaId,
orgChild2DnaId,
orgChild3DnaId,
orgChild4DnaId,
empType: "OFFICER",
prefix: profileResult.prefix,
};
}
// If not found in Profile, try ProfileEmployee (ลูกจ้าง)
const profileEmployeeResult = await this.profileEmployeeRepo
.createQueryBuilder("pe")
.leftJoinAndSelect("pe.current_holders", "epm")
.leftJoinAndSelect("epm.orgRoot", "org")
.leftJoinAndSelect("epm.orgChild1", "orgChild1")
.leftJoinAndSelect("epm.orgChild2", "orgChild2")
.leftJoinAndSelect("epm.orgChild3", "orgChild3")
.leftJoinAndSelect("epm.orgChild4", "orgChild4")
.where("pe.keycloak = :keycloakUserId", { keycloakUserId })
.getOne();
if (
profileEmployeeResult &&
profileEmployeeResult.current_holders &&
profileEmployeeResult.current_holders.length > 0
) {
const currentPos = profileEmployeeResult.current_holders[0];
const orgRootDnaId = currentPos.orgRoot?.ancestorDNA || "";
const orgChild1DnaId = currentPos.orgChild1?.ancestorDNA || "";
const orgChild2DnaId = currentPos.orgChild2?.ancestorDNA || "";
const orgChild3DnaId = currentPos.orgChild3?.ancestorDNA || "";
const orgChild4DnaId = currentPos.orgChild4?.ancestorDNA || "";
return {
profileId: profileEmployeeResult.id,
orgRootDnaId,
orgChild1DnaId,
orgChild2DnaId,
orgChild3DnaId,
orgChild4DnaId,
empType: profileEmployeeResult.employeeClass,
prefix: profileEmployeeResult.prefix,
};
}
// Return null values if no profile found
return {
profileId: null,
orgRootDnaId: null,
orgChild1DnaId: null,
orgChild2DnaId: null,
orgChild3DnaId: null,
orgChild4DnaId: null,
empType: null,
prefix: null,
};
}
/**
* Get profile attributes by profile ID directly
* Used for syncing specific profiles
*
* @param profileId - Profile ID
* @param profileType - 'PROFILE' for or 'PROFILE_EMPLOYEE' for
* @returns UserProfileAttributes with profileId and orgRootDnaId
*/
async getAttributesByProfileId(
profileId: string,
profileType: "PROFILE" | "PROFILE_EMPLOYEE",
): Promise<UserProfileAttributes> {
const revisionCurrent = await this.orgRevisionRepo.findOne({
where: { orgRevisionIsCurrent: true },
});
const revisionId = revisionCurrent ? revisionCurrent.id : null;
if (profileType === "PROFILE") {
const profileResult = await this.profileRepo
.createQueryBuilder("p")
.leftJoinAndSelect("p.current_holders", "pm")
.leftJoinAndSelect("pm.orgRoot", "orgRoot")
.leftJoinAndSelect("pm.orgChild1", "orgChild1")
.leftJoinAndSelect("pm.orgChild2", "orgChild2")
.leftJoinAndSelect("pm.orgChild3", "orgChild3")
.leftJoinAndSelect("pm.orgChild4", "orgChild4")
.where("p.id = :profileId", { profileId })
.andWhere("orgRoot.orgRevisionId = :revisionId", { revisionId })
.getOne();
if (
profileResult &&
profileResult.current_holders &&
profileResult.current_holders.length > 0
) {
const currentPos = profileResult.current_holders[0];
const orgRootDnaId = currentPos.orgRoot?.ancestorDNA || "";
const orgChild1DnaId = currentPos.orgChild1?.ancestorDNA || "";
const orgChild2DnaId = currentPos.orgChild2?.ancestorDNA || "";
const orgChild3DnaId = currentPos.orgChild3?.ancestorDNA || "";
const orgChild4DnaId = currentPos.orgChild4?.ancestorDNA || "";
return {
profileId: profileResult.id,
orgRootDnaId,
orgChild1DnaId,
orgChild2DnaId,
orgChild3DnaId,
orgChild4DnaId,
empType: "OFFICER",
prefix: profileResult.prefix,
};
}
} else {
const profileEmployeeResult = await this.profileEmployeeRepo
.createQueryBuilder("pe")
.leftJoinAndSelect("pe.current_holders", "epm")
.leftJoinAndSelect("epm.orgRoot", "org")
.leftJoinAndSelect("pm.orgChild1", "orgChild1")
.leftJoinAndSelect("pm.orgChild2", "orgChild2")
.leftJoinAndSelect("pm.orgChild3", "orgChild3")
.leftJoinAndSelect("pm.orgChild4", "orgChild4")
.where("pe.id = :profileId", { profileId })
.getOne();
if (
profileEmployeeResult &&
profileEmployeeResult.current_holders &&
profileEmployeeResult.current_holders.length > 0
) {
const currentPos = profileEmployeeResult.current_holders[0];
const orgRootDnaId = currentPos.orgRoot?.ancestorDNA || "";
const orgChild1DnaId = currentPos.orgChild1?.ancestorDNA || "";
const orgChild2DnaId = currentPos.orgChild2?.ancestorDNA || "";
const orgChild3DnaId = currentPos.orgChild3?.ancestorDNA || "";
const orgChild4DnaId = currentPos.orgChild4?.ancestorDNA || "";
return {
profileId: profileEmployeeResult.id,
orgRootDnaId,
orgChild1DnaId,
orgChild2DnaId,
orgChild3DnaId,
orgChild4DnaId,
empType: profileEmployeeResult.employeeClass,
prefix: profileEmployeeResult.prefix,
};
}
}
return {
profileId: null,
orgRootDnaId: null,
orgChild1DnaId: null,
orgChild2DnaId: null,
orgChild3DnaId: null,
orgChild4DnaId: null,
empType: null,
prefix: null,
};
}
/**
* Sync user attributes to Keycloak
*
* @param keycloakUserId - Keycloak user ID
* @returns true if sync successful, false otherwise
*/
async syncUserAttributes(keycloakUserId: string): Promise<boolean> {
try {
const attributes = await this.getUserProfileAttributes(keycloakUserId);
if (!attributes.profileId) {
console.log(`No profile found for Keycloak user ${keycloakUserId}`);
return false;
}
// Prepare attributes for Keycloak (must be arrays)
const keycloakAttributes: Record<string, string[]> = {
profileId: [attributes.profileId],
orgRootDnaId: [attributes.orgRootDnaId || ""],
orgChild1DnaId: [attributes.orgChild1DnaId || ""],
orgChild2DnaId: [attributes.orgChild2DnaId || ""],
orgChild3DnaId: [attributes.orgChild3DnaId || ""],
orgChild4DnaId: [attributes.orgChild4DnaId || ""],
empType: [attributes.empType || ""],
prefix: [attributes.prefix || ""],
};
const success = await updateUserAttributes(keycloakUserId, keycloakAttributes);
if (success) {
console.log(`Synced attributes for Keycloak user ${keycloakUserId}:`, attributes);
}
return success;
} catch (error) {
console.error(`Error syncing attributes for Keycloak user ${keycloakUserId}:`, error);
return false;
}
}
/**
* Sync attributes when organization changes
* This is called when a user moves to a different organization
*
* @param profileId - Profile ID
* @param profileType - 'PROFILE' for or 'PROFILE_EMPLOYEE' for
* @returns true if sync successful, false otherwise
*/
async syncOnOrganizationChange(
profileId: string,
profileType: "PROFILE" | "PROFILE_EMPLOYEE",
): Promise<boolean> {
try {
// Get the keycloak userId from the profile
let keycloakUserId: string | null = null;
if (profileType === "PROFILE") {
const profile = await this.profileRepo.findOne({ where: { id: profileId } });
keycloakUserId = profile?.keycloak || "";
} else {
const profileEmployee = await this.profileEmployeeRepo.findOne({
where: { id: profileId },
});
keycloakUserId = profileEmployee?.keycloak || "";
}
if (!keycloakUserId) {
console.log(`No Keycloak user ID found for profile ${profileId}`);
return false;
}
return await this.syncUserAttributes(keycloakUserId);
} catch (error) {
console.error(`Error syncing organization change for profile ${profileId}:`, error);
return false;
}
}
/**
* Batch sync multiple users with unlimited count and parallel processing
* Useful for initial sync or periodic updates
*
* @param options - Optional configuration (limit for testing, concurrency for parallel processing)
* @returns Object with success count and details
*/
async batchSyncUsers(options?: {
limit?: number;
concurrency?: number;
}): Promise<{ total: number; success: number; failed: number; details: any[] }> {
const limit = options?.limit;
const concurrency = options?.concurrency ?? 5;
const result = {
total: 0,
success: 0,
failed: 0,
details: [] as any[],
};
try {
// Build query for profiles with keycloak IDs (ข้าราชการ)
const profileQuery = this.profileRepo
.createQueryBuilder("p")
.where("p.keycloak IS NOT NULL")
.andWhere("p.keycloak != :empty", { empty: "" });
// Build query for profileEmployees with keycloak IDs (ลูกจ้าง)
const profileEmployeeQuery = this.profileEmployeeRepo
.createQueryBuilder("pe")
.where("pe.keycloak IS NOT NULL")
.andWhere("pe.keycloak != :empty", { empty: "" });
// Apply limit if specified (for testing purposes)
if (limit !== undefined) {
profileQuery.take(limit);
profileEmployeeQuery.take(limit);
}
// Get profiles from both tables
const [profiles, profileEmployees] = await Promise.all([
profileQuery.getMany(),
profileEmployeeQuery.getMany(),
]);
const allProfiles = [
...profiles.map((p) => ({ profile: p, type: "PROFILE" as const })),
...profileEmployees.map((p) => ({ profile: p, type: "PROFILE_EMPLOYEE" as const })),
];
result.total = allProfiles.length;
// Process in parallel with concurrency limit
const processedResults = await this.processInParallel(
allProfiles,
concurrency,
async ({ profile, type }, _index) => {
const keycloakUserId = profile.keycloak;
try {
const success = await this.syncOnOrganizationChange(profile.id, type);
if (success) {
result.success++;
return {
profileId: profile.id,
keycloakUserId,
status: "success",
};
} else {
result.failed++;
return {
profileId: profile.id,
keycloakUserId,
status: "failed",
error: "Sync returned false",
};
}
} catch (error: any) {
result.failed++;
return {
profileId: profile.id,
keycloakUserId,
status: "error",
error: error.message,
};
}
},
);
// Separate results from errors
for (const resultItem of processedResults) {
if ("error" in resultItem) {
result.failed++;
result.details.push({
profileId: "unknown",
keycloakUserId: "unknown",
status: "error",
error: JSON.stringify(resultItem.error),
});
} else {
result.details.push(resultItem);
}
}
console.log(
`Batch sync completed: total=${result.total}, success=${result.success}, failed=${result.failed}`,
);
} catch (error) {
console.error("Error in batch sync:", error);
}
return result;
}
/**
* Get current Keycloak attributes for a user
*
* @param keycloakUserId - Keycloak user ID
* @returns Current attributes from Keycloak
*/
async getCurrentKeycloakAttributes(
keycloakUserId: string,
): Promise<UserProfileAttributes | null> {
try {
const user = await getUser(keycloakUserId);
if (!user || !user.attributes) {
return null;
}
return {
profileId: user.attributes.profileId?.[0] || "",
orgRootDnaId: user.attributes.orgRootDnaId?.[0] || "",
orgChild1DnaId: user.attributes.orgChild1DnaId?.[0] || "",
orgChild2DnaId: user.attributes.orgChild2DnaId?.[0] || "",
orgChild3DnaId: user.attributes.orgChild3DnaId?.[0] || "",
orgChild4DnaId: user.attributes.orgChild4DnaId?.[0] || "",
empType: user.attributes.empType?.[0] || "",
prefix: user.attributes.prefix?.[0] || "",
};
} catch (error) {
console.error(`Error getting Keycloak attributes for user ${keycloakUserId}:`, error);
return null;
}
}
/**
* Ensure Keycloak user exists for a profile
* Creates user if keycloak field is empty OR if stored keycloak ID doesn't exist in Keycloak
*
* @param profileId - Profile ID
* @param profileType - 'PROFILE' or 'PROFILE_EMPLOYEE'
* @returns Object with status and details
*/
async ensureKeycloakUser(
profileId: string,
profileType: "PROFILE" | "PROFILE_EMPLOYEE",
): Promise<{
success: boolean;
action: "created" | "verified" | "skipped" | "error";
keycloakUserId?: string;
error?: string;
}> {
try {
// Get profile from database
let profile: Profile | ProfileEmployee | null = null;
if (profileType === "PROFILE") {
profile = await this.profileRepo.findOne({ where: { id: profileId } });
} else {
profile = await this.profileEmployeeRepo.findOne({ where: { id: profileId } });
}
if (!profile) {
return {
success: false,
action: "error",
error: `Profile ${profileId} not found in database`,
};
}
// Check if citizenId exists
if (!profile.citizenId) {
return {
success: false,
action: "skipped",
error: "No citizenId found",
};
}
// Case 1: keycloak field is empty -> create new user
if (!profile.keycloak || profile.keycloak.trim() === "") {
const result = await this.createKeycloakUserFromProfile(profile, profileType);
return result;
}
// Case 2: keycloak field is not empty -> verify user exists in Keycloak
const existingUser = await getUser(profile.keycloak);
if (!existingUser) {
// User doesn't exist in Keycloak, create new one
console.log(
`Keycloak user ${profile.keycloak} not found in Keycloak, creating new user for profile ${profileId}`,
);
const result = await this.createKeycloakUserFromProfile(profile, profileType);
return result;
}
// User exists in Keycloak, verified
return {
success: true,
action: "verified",
keycloakUserId: profile.keycloak,
};
} catch (error: any) {
console.error(`Error ensuring Keycloak user for profile ${profileId}:`, error);
return {
success: false,
action: "error",
error: error.message || "Unknown error",
};
}
}
/**
* Create Keycloak user from profile data
*
* @param profile - Profile or ProfileEmployee entity
* @param profileType - 'PROFILE' or 'PROFILE_EMPLOYEE'
* @returns Object with status and details
*/
private async createKeycloakUserFromProfile(
profile: Profile | ProfileEmployee,
profileType: "PROFILE" | "PROFILE_EMPLOYEE",
): Promise<{
success: boolean;
action: "created" | "verified" | "skipped" | "error";
keycloakUserId?: string;
error?: string;
}> {
try {
// Check if user already exists by username (citizenId)
const existingUserByUsername = await getUserByUsername(profile.citizenId);
if (Array.isArray(existingUserByUsername) && existingUserByUsername.length > 0) {
// User already exists with this username, update the keycloak field
const existingUserId = existingUserByUsername[0].id;
console.log(
`User with citizenId ${profile.citizenId} already exists in Keycloak with ID ${existingUserId}`,
);
// Update the keycloak field in database
if (profileType === "PROFILE") {
await this.profileRepo.update(profile.id, { keycloak: existingUserId });
} else {
await this.profileEmployeeRepo.update(profile.id, { keycloak: existingUserId });
}
// Assign default USER role to existing user
const userRole = await getRoles("USER");
if (userRole && typeof userRole === "object" && "id" in userRole && "name" in userRole) {
const roleAssigned = await addUserRoles(existingUserId, [
{ id: String(userRole.id), name: String(userRole.name) },
]);
if (roleAssigned) {
console.log(`Assigned USER role to existing user ${existingUserId}`);
} else {
console.warn(`Failed to assign USER role to existing user ${existingUserId}`);
}
} else {
console.warn(`USER role not found in Keycloak`);
}
return {
success: true,
action: "verified",
keycloakUserId: existingUserId,
};
}
// Create new user in Keycloak
const createResult = await createUser(profile.citizenId, "P@ssw0rd", {
firstName: profile.firstName || "",
lastName: profile.lastName || "",
email: profile.email || undefined,
enabled: true,
});
if (!createResult || typeof createResult !== "string") {
return {
success: false,
action: "error",
error: "Failed to create user in Keycloak",
};
}
const keycloakUserId = createResult;
// Update the keycloak field in database
if (profileType === "PROFILE") {
await this.profileRepo.update(profile.id, { keycloak: keycloakUserId });
} else {
await this.profileEmployeeRepo.update(profile.id, { keycloak: keycloakUserId });
}
// Assign default USER role
const userRole = await getRoles("USER");
if (userRole && typeof userRole === "object" && "id" in userRole && "name" in userRole) {
const roleAssigned = await addUserRoles(keycloakUserId, [
{ id: String(userRole.id), name: String(userRole.name) },
]);
if (roleAssigned) {
console.log(`Assigned USER role to user ${keycloakUserId}`);
} else {
console.warn(`Failed to assign USER role to user ${keycloakUserId}`);
}
} else {
console.warn(`USER role not found in Keycloak`);
}
console.log(
`Created Keycloak user for profile ${profile.id} (citizenId: ${profile.citizenId}) with ID ${keycloakUserId}`,
);
return {
success: true,
action: "created",
keycloakUserId,
};
} catch (error: any) {
console.error(`Error creating Keycloak user for profile ${profile.id}:`, error);
return {
success: false,
action: "error",
error: error.message || "Unknown error",
};
}
}
/**
* Process items in parallel with concurrency limit
*/
private async processInParallel<T, R>(
items: T[],
concurrencyLimit: number,
processor: (item: T, index: number) => Promise<R>,
): Promise<Array<R | { error: any }>> {
const results: Array<R | { error: any }> = [];
// Process items in batches
for (let i = 0; i < items.length; i += concurrencyLimit) {
const batch = items.slice(i, i + concurrencyLimit);
// Process batch in parallel with error handling
const batchResults = await Promise.all(
batch.map(async (item, batchIndex) => {
try {
return await processor(item, i + batchIndex);
} catch (error) {
return { error };
}
}),
);
results.push(...batchResults);
// Log progress after each batch
const completed = Math.min(i + concurrencyLimit, items.length);
console.log(`Progress: ${completed}/${items.length}`);
}
return results;
}
/**
* Batch ensure Keycloak users for all profiles
* Processes all rows in Profile and ProfileEmployee tables
*
* @returns Object with total, success, failed counts and details
*/
async batchEnsureKeycloakUsers(): Promise<{
total: number;
created: number;
verified: number;
skipped: number;
failed: number;
details: Array<{
profileId: string;
profileType: string;
action: string;
keycloakUserId?: string;
error?: string;
}>;
}> {
const result = {
total: 0,
created: 0,
verified: 0,
skipped: 0,
failed: 0,
details: [] as Array<{
profileId: string;
profileType: string;
action: string;
keycloakUserId?: string;
error?: string;
}>,
};
try {
// Get all profiles from Profile table (ข้าราชการ)
const profiles = await this.profileRepo.find({ where: { isLeave: false } }); // Only active profiles
// Get all profiles from ProfileEmployee table (ลูกจ้าง)
const profileEmployees = await this.profileEmployeeRepo.find({ where: { isLeave: false } }); // Only active profiles
const allProfiles = [
...profiles.map((p) => ({ profile: p, type: "PROFILE" as const })),
...profileEmployees.map((p) => ({ profile: p, type: "PROFILE_EMPLOYEE" as const })),
];
result.total = allProfiles.length;
// Process in parallel with concurrency limit
const CONCURRENCY_LIMIT = 5; // Adjust based on environment
const processedResults = await this.processInParallel(
allProfiles,
CONCURRENCY_LIMIT,
async ({ profile, type }) => {
const ensureResult = await this.ensureKeycloakUser(profile.id, type);
// Update counters
switch (ensureResult.action) {
case "created":
result.created++;
break;
case "verified":
result.verified++;
break;
case "skipped":
result.skipped++;
break;
case "error":
result.failed++;
break;
}
return {
profileId: profile.id,
profileType: type,
action: ensureResult.action,
keycloakUserId: ensureResult.keycloakUserId,
error: ensureResult.error,
};
},
);
// Separate results from errors
for (const resultItem of processedResults) {
if ("error" in resultItem) {
result.failed++;
result.details.push({
profileId: "unknown",
profileType: "unknown",
action: "error",
error: JSON.stringify(resultItem.error),
});
} else {
result.details.push(resultItem);
}
}
console.log(
`Batch ensure Keycloak users completed: total=${result.total}, created=${result.created}, verified=${result.verified}, skipped=${result.skipped}, failed=${result.failed}`,
);
} catch (error) {
console.error("Error in batch ensure Keycloak users:", error);
}
return result;
}
/**
* Clear orphaned Keycloak users
* Deletes users in Keycloak that are not referenced in Profile or ProfileEmployee tables
*
* @param skipUsernames - Array of usernames to skip (e.g., ['super_admin'])
* @returns Object with counts and details
*/
async clearOrphanedKeycloakUsers(skipUsernames: string[] = []): Promise<{
totalInKeycloak: number;
totalInDatabase: number;
orphanedCount: number;
deleted: number;
skipped: number;
failed: number;
details: Array<{
keycloakUserId: string;
username: string;
action: "deleted" | "skipped" | "error";
error?: string;
}>;
}> {
const result = {
totalInKeycloak: 0,
totalInDatabase: 0,
orphanedCount: 0,
deleted: 0,
skipped: 0,
failed: 0,
details: [] as Array<{
keycloakUserId: string;
username: string;
action: "deleted" | "skipped" | "error";
error?: string;
}>,
};
try {
// Get all keycloak IDs from database (Profile + ProfileEmployee)
const profiles = await this.profileRepo
.createQueryBuilder("p")
.where("p.keycloak IS NOT NULL")
.andWhere("p.keycloak != :empty", { empty: "" })
.getMany();
const profileEmployees = await this.profileEmployeeRepo
.createQueryBuilder("pe")
.where("pe.keycloak IS NOT NULL")
.andWhere("pe.keycloak != :empty", { empty: "" })
.getMany();
// Create a Set of all keycloak IDs in database for O(1) lookup
const databaseKeycloakIds = new Set<string>();
for (const p of profiles) {
if (p.keycloak) databaseKeycloakIds.add(p.keycloak);
}
for (const pe of profileEmployees) {
if (pe.keycloak) databaseKeycloakIds.add(pe.keycloak);
}
result.totalInDatabase = databaseKeycloakIds.size;
// Get all users from Keycloak with pagination to avoid response size limits
const keycloakUsers = await getAllUsersPaginated();
if (!keycloakUsers || typeof keycloakUsers !== "object") {
throw new Error("Failed to get users from Keycloak");
}
result.totalInKeycloak = keycloakUsers.length;
// Find orphaned users (in Keycloak but not in database)
const orphanedUsers = keycloakUsers.filter((user: any) => !databaseKeycloakIds.has(user.id));
result.orphanedCount = orphanedUsers.length;
// Delete orphaned users (skip protected ones)
for (const user of orphanedUsers) {
const username = user.username;
const userId = user.id;
// Check if user should be skipped
if (skipUsernames.includes(username)) {
result.skipped++;
result.details.push({
keycloakUserId: userId,
username,
action: "skipped",
});
continue;
}
// Delete user from Keycloak
try {
const deleteSuccess = await deleteUser(userId);
if (deleteSuccess) {
result.deleted++;
result.details.push({
keycloakUserId: userId,
username,
action: "deleted",
});
} else {
result.failed++;
result.details.push({
keycloakUserId: userId,
username,
action: "error",
error: "Failed to delete user from Keycloak",
});
}
} catch (error: any) {
result.failed++;
result.details.push({
keycloakUserId: userId,
username,
action: "error",
error: error.message || "Unknown error",
});
}
}
console.log(
`Clear orphaned Keycloak users completed: totalInKeycloak=${result.totalInKeycloak}, totalInDatabase=${result.totalInDatabase}, orphaned=${result.orphanedCount}, deleted=${result.deleted}, skipped=${result.skipped}, failed=${result.failed}`,
);
} catch (error) {
console.error("Error in clear orphaned Keycloak users:", error);
throw error;
}
return result;
}
}