first commit

.dockerignore

@@ -0,0 +1,7 @@
+.DS_Store
+node_modules
+/dist
+
+.env
+.env.*
+!.env.example

.env.example

@@ -0,0 +1,12 @@
+AUTH_REALM_URL=http://192.168.1.200:8080/realms/dev
+AUTH_PUBLIC_KEY=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1/QAH75nWgiRzWCTrGJv8q2A7z0qggC2IQ9Sva/Ok1RxeGE/ED2m4ELbF5B9MtugyXYGMUBXaKhooMpTE3wyR1OwsUlv/GtYSmMuKUnsSEXklsP8nIq8gZkCvISOVdvIC4ng5aZ5nBcp9cQ3eVbz4dfZcbLzcqLIIkxQmFBK0m1eFL5IdNj8Ac7U4eH4ylOckOu174f35NnFH6wDva6Iic3EXapMcE2BnXXCTajk2dmlWAzH13ybQBgHDfrOtulrmn1CzQxe9WUJes4qX5z72N05KsHvtUObaeN6cb+mIeH36GdysqgAdd2hhKkgUFXwtLPzldtrEc7xVyf3OLEg1QIDAQAB
+AUTH_PREFERRED_MODE=online
+
+APP_HOST=0.0.0.0
+APP_PORT=3000
+
+DB_HOST=192.168.1.200
+DB_PORT=3306
+DB_USERNAME=root
+DB_PASSWORD=
+DB_NAME=dev

.github/workflows/release.yaml

@@ -0,0 +1,85 @@
+name: release-test
+run-name: release-test ${{ github.actor }}
+on:
+  push:
+    tags:
+      - "version-[0-9]+.[0-9]+.[0-9]+"
+  workflow_dispatch:
+env:
+  REGISTRY: docker.frappet.com
+  IMAGE_NAME: ehr/bma-ehr-org-service
+  DEPLOY_HOST: 192.168.1.80
+  COMPOSE_PATH: /home/frappet/docker/bma-ehr
+jobs:
+  # act workflow_dispatch -W .github/workflows/release.yaml --input IMAGE_VER=test-v1 -s DOCKER_USER=sorawit -s DOCKER_PASS=P@ssword -s SSH_PASSWORD=P@ssw0rd
+  release-test:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v3
+      # skip Set up QEMU because it fail on act and container
+      # Gen Version try to get version from tag or inut
+      - name: Set output tags
+        id: vars
+        run: echo "tag=${GITHUB_REF#refs/*/}" >> $GITHUB_OUTPUT
+      - name: Gen Version
+        id: gen_ver
+        run: |
+          if [[ $GITHUB_REF == 'refs/tags/'* ]]; then
+            IMAGE_VER=${{ steps.vars.outputs.tag }}
+          else
+            IMAGE_VER=${{ github.event.inputs.IMAGE_VER }}
+          fi
+          if [[ $IMAGE_VER == '' ]]; then
+            IMAGE_VER='test-vBeta'
+          fi
+          echo '::set-output name=image_ver::'$IMAGE_VER
+      - name: Check Version
+        run: |
+          echo $GITHUB_REF
+          echo ${{ steps.gen_ver.outputs.image_ver }}
+
+      - name: Set up Docker Buildx
+        uses: docker/setup-buildx-action@v2
+      - name: Login in to registry
+        uses: docker/login-action@v2
+        with:
+          registry: ${{env.REGISTRY}}
+          username: ${{secrets.DOCKER_USER}}
+          password: ${{secrets.DOCKER_PASS}}
+      - name: Build and push docker image
+        uses: docker/build-push-action@v3
+        with:
+          context: .
+          platforms: linux/amd64
+          push: true
+          tags: ${{env.REGISTRY}}/${{env.IMAGE_NAME}}:${{ steps.gen_ver.outputs.image_ver }},${{env.REGISTRY}}/${{env.IMAGE_NAME}}:latest
+      - name: Remote Deployment
+        uses: appleboy/ssh-action@v0.1.8
+        with:
+          host: ${{env.DEPLOY_HOST}}
+          username: frappet
+          password: ${{ secrets.SSH_PASSWORD }}
+          port: 22
+          script: |
+            cd "${{env.COMPOSE_PATH}}"
+            docker-compose pull
+            docker-compose up -d
+            echo "${{ steps.gen_ver.outputs.image_ver }}"> success
+      - uses: snow-actions/line-notify@v1.1.0
+        if: success()
+        with:
+          access_token: ${{ secrets.TOKEN_LINE }}
+          message: |
+            -Success✅✅✅
+            Image: ${{env.IMAGE_NAME}}
+            Version: ${{ steps.gen_ver.outputs.IMAGE_VER }}
+            By: ${{secrets.DOCKER_USER}}
+      - uses: snow-actions/line-notify@v1.1.0
+        if: failure()
+        with:
+          access_token: ${{ secrets.TOKEN_LINE }}
+          message: |
+            -Failure❌❌❌
+            Image: ${{env.IMAGE_NAME}}
+            Version: ${{ steps.gen_ver.outputs.IMAGE_VER }}
+            By: ${{secrets.DOCKER_USER}}

.gitignore

@@ -0,0 +1,133 @@
+# Logs
+logs
+*.log
+npm-debug.log*
+yarn-debug.log*
+yarn-error.log*
+lerna-debug.log*
+.pnpm-debug.log*
+
+# Diagnostic reports (https://nodejs.org/api/report.html)
+report.[0-9]*.[0-9]*.[0-9]*.[0-9]*.json
+
+# Runtime data
+pids
+*.pid
+*.seed
+*.pid.lock
+
+# Directory for instrumented libs generated by jscoverage/JSCover
+lib-cov
+
+# Coverage directory used by tools like istanbul
+coverage
+*.lcov
+
+# nyc test coverage
+.nyc_output
+
+# Grunt intermediate storage (https://gruntjs.com/creating-plugins#storing-task-files)
+.grunt
+
+# Bower dependency directory (https://bower.io/)
+bower_components
+
+# node-waf configuration
+.lock-wscript
+
+# Compiled binary addons (https://nodejs.org/api/addons.html)
+build/Release
+
+# Dependency directories
+node_modules/
+jspm_packages/
+
+# Snowpack dependency directory (https://snowpack.dev/)
+web_modules/
+
+# TypeScript cache
+*.tsbuildinfo
+
+# Optional npm cache directory
+.npm
+
+# Optional eslint cache
+.eslintcache
+
+# Optional stylelint cache
+.stylelintcache
+
+# Microbundle cache
+.rpt2_cache/
+.rts2_cache_cjs/
+.rts2_cache_es/
+.rts2_cache_umd/
+
+# Optional REPL history
+.node_repl_history
+
+# Output of 'npm pack'
+*.tgz
+
+# Yarn Integrity file
+.yarn-integrity
+
+# dotenv environment variable files
+.env
+.env.development.local
+.env.test.local
+.env.production.local
+.env.local
+
+[Ss]rc/swagger.json
+[Ss]rc/routes.ts
+
+# parcel-bundler cache (https://parceljs.org/)
+.cache
+.parcel-cache
+
+# Next.js build output
+.next
+out
+
+# Nuxt.js build / generate output
+.nuxt
+dist
+
+# Gatsby files
+.cache/
+# Comment in the public line in if your project uses Gatsby and not Next.js
+# https://nextjs.org/blog/next-9-1#public-directory-support
+# public
+
+# vuepress build output
+.vuepress/dist
+
+# vuepress v2.x temp and cache directory
+.temp
+.cache
+
+# Docusaurus cache and generated files
+.docusaurus
+
+# Serverless directories
+.serverless/
+
+# FuseBox cache
+.fusebox/
+
+# DynamoDB Local files
+.dynamodb/
+
+# TernJS port file
+.tern-port
+
+# Stores VSCode versions used for testing VSCode extensions
+.vscode-test
+
+# yarn v2
+.yarn/cache
+.yarn/unplugged
+.yarn/build-state.yml
+.yarn/install-state.gz
+.pnp.*

.prettierignore

@@ -0,0 +1,18 @@
+.DS_Store
+node_modules
+.env
+.env.*
+!.env.example
+
+/dist
+/static
+/src/routes.ts
+/src/swagger.json
+
+# Any log
+*.log
+
+# Ignore files for PNPM, NPM and YARN
+pnpm-lock.yaml
+package-lock.json
+yarn.lock

.prettierrc

@@ -0,0 +1,5 @@
+{
+  "tabWidth": 2,
+  "printWidth": 100,
+  "trailingComma": "all"
+}

Dockerfile

@@ -0,0 +1,35 @@
+FROM node:18-alpine as builder
+
+# Create app directory
+WORKDIR /app
+
+# Install app dependencies
+COPY package*.json ./
+
+RUN npm ci
+
+COPY . .
+
+RUN npm run build
+
+FROM node:18-alpine
+
+ENV NODE_ENV production
+USER node
+
+# Create app directory
+WORKDIR /app
+
+# Install app dependencies
+COPY package*.json ./
+# COPY .env ./
+
+RUN npm ci --production
+
+COPY --from=builder /app/dist ./dist
+
+# COPY entrypoint.sh /usr/local/bin/entrypoint.sh
+# RUN chmod u+x /usr/local/bin/entrypoint.sh
+
+# ENTRYPOINT ["/usr/local/bin/entrypoint.sh"]
+CMD [ "node", "dist/app.js" ]

nodemon.json

@@ -0,0 +1,6 @@
+{
+  "exec": "tsoa spec-and-routes && ts-node src/app.ts",
+  "ext": "ts",
+  "watch": ["src"],
+  "ignore": ["src/routes.ts"]
+}

package.json

@@ -0,0 +1,44 @@
+{
+  "name": "template",
+  "version": "1.0.0",
+  "description": "",
+  "main": "src/app.js",
+  "scripts": {
+    "dev": "nodemon",
+    "check": "tsc --noEmit",
+    "start": "node ./dist/app.js",
+    "format": "prettier --write .",
+    "build": "tsoa spec-and-routes && tsc",
+    "migration:generate": "typeorm-ts-node-commonjs migration:generate -d src/database/data-source.ts",
+    "migration:run": "typeorm-ts-node-commonjs migration:run -d src/database/data-source.ts"
+  },
+  "keywords": [],
+  "author": "",
+  "license": "ISC",
+  "devDependencies": {
+    "@types/cors": "^2.8.17",
+    "@types/express": "^4.17.21",
+    "@types/node": "^20.11.5",
+    "@types/node-cron": "^3.0.11",
+    "@types/swagger-ui-express": "^4.1.6",
+    "nodemon": "^3.0.3",
+    "prettier": "^3.2.2",
+    "ts-node": "^10.9.2",
+    "typescript": "^5.3.3"
+  },
+  "dependencies": {
+    "@tsoa/runtime": "^6.0.0",
+    "cors": "^2.8.5",
+    "dotenv": "^16.3.1",
+    "express": "^4.18.2",
+    "fast-jwt": "^3.3.2",
+    "mysql2": "^3.9.1",
+    "node-cron": "^3.0.3",
+    "promise.any": "^2.0.6",
+    "reflect-metadata": "^0.2.1",
+    "swagger-ui-express": "^5.0.0",
+    "tsoa": "^6.0.1",
+    "typeorm": "^0.3.19",
+    "typeorm-cli": "^1.0.7"
+  }
+}

src/app.ts

@@ -0,0 +1,43 @@
+import "dotenv/config";
+import "reflect-metadata";
+import cors from "cors";
+import express from "express";
+import swaggerUi from "swagger-ui-express";
+import swaggerDocument from "./swagger.json";
+import * as cron from "node-cron";
+import error from "./middlewares/error";
+import { AppDataSource } from "./database/data-source";
+import { RegisterRoutes } from "./routes";
+
+async function main() {
+  await AppDataSource.initialize();
+
+  const app = express();
+
+  app.use(
+    cors({
+      origin: "*",
+    }),
+  );
+  app.use(express.json());
+  app.use(express.urlencoded({ extended: true }));
+  app.use("/", express.static("static"));
+  app.use("/api-docs", swaggerUi.serve, swaggerUi.setup(swaggerDocument));
+
+  RegisterRoutes(app);
+
+  app.use(error);
+  const APP_HOST = process.env.APP_HOST || "0.0.0.0";
+  const APP_PORT = +(process.env.APP_PORT || 3000);
+
+  app.listen(
+    APP_PORT,
+    APP_HOST,
+    () => (
+      console.log(`[APP] Application is running on: http://localhost:${APP_PORT}`),
+      console.log(`[APP] Swagger on: http://localhost:${APP_PORT}/api-docs`)
+    ),
+  );
+}
+
+main();

src/controllers/MyController.ts

@@ -0,0 +1,11 @@
+import { Controller, Get, Post, Put, Delete, Patch, Route, Security, Tags } from "tsoa";
+
+@Route("/hello")
+@Tags("Test")
+@Security("bearerAuth")
+export class AppController extends Controller {
+  @Get()
+  public async GET() {
+    return { message: "Hello Salary" };
+  }
+}

src/database/data-source.ts

@@ -0,0 +1,27 @@
+import "dotenv/config";
+import "reflect-metadata";
+import { DataSource } from "typeorm";
+
+export const AppDataSource = new DataSource({
+  type: "mysql",
+  database: process.env.DB_NAME,
+  host: process.env.DB_HOST,
+  port: +(process.env.DB_PORT || 3306),
+  username: process.env.DB_USERNAME,
+  password: process.env.DB_PASSWORD,
+  connectorPackage: "mysql2",
+  synchronize: false,
+  logging: true,
+  entities:
+    process.env.NODE_ENV !== "production"
+      ? ["src/entities/**/*.ts"]
+      : ["dist/entities/**/*{.ts,.js}"],
+  migrations:
+    process.env.NODE_ENV !== "production"
+      ? ["src/migration/**/*.ts"]
+      : ["dist/migration/**/*{.ts,.js}"],
+  subscribers: [],
+});
+// console.log(AppDataSource);
+
+// export default database;

src/entities/base/Base.ts

@@ -0,0 +1,41 @@
+import {
+    Entity,
+    PrimaryGeneratedColumn,
+    Column,
+    CreateDateColumn,
+    UpdateDateColumn,
+  } from "typeorm";
+  
+  @Entity()
+  export class EntityBase {
+    @PrimaryGeneratedColumn("uuid")
+  id!: string;
+
+  @CreateDateColumn({ comment: "สร้างข้อมูลเมื่อ" })
+  createdAt!: Date;
+
+  @Column({
+    comment: "User Id ที่สร้างข้อมูล",
+    length: 40,
+    default: "00000000-0000-0000-0000-000000000000",
+  })
+  createdUserId!: String;
+
+  @UpdateDateColumn({ comment: "แก้ไขข้อมูลล่าสุดเมื่อ" })
+  lastUpdatedAt!: Date;
+
+  @Column({
+    comment: "User Id ที่แก้ไขข้อมูล",
+    length: 40,
+    default: "00000000-0000-0000-0000-000000000000",
+  })
+  lastUpdateUserId!: String;
+
+  @Column({ comment: "ชื่อ User ที่สร้างข้อมูล", length: 200, default: "string" })
+  createdFullName!: String;
+
+  @Column({ comment: "ชื่อ User ที่แก้ไขข้อมูลล่าสุด", length: 200, default: "string" })
+  lastUpdateFullName!: String;
+
+  }
+  

src/interfaces/http-error.ts

@@ -0,0 +1,19 @@
+import HttpStatus from "./http-status";
+
+class HttpError extends Error {
+  /**
+   * HTTP Status Code
+   */
+  status: HttpStatus;
+  message: string;
+
+  constructor(status: HttpStatus, message: string) {
+    super(message);
+
+    this.name = "HttpError";
+    this.status = status;
+    this.message = message;
+  }
+}
+
+export default HttpError;

src/interfaces/http-status.ts

@@ -0,0 +1,380 @@
+/**
+ * Hypertext Transfer Protocol (HTTP) response status codes.
+ * @see {@link https://en.wikipedia.org/wiki/List_of_HTTP_status_codes}
+ */
+enum HttpStatus {
+  /**
+   * The server has received the request headers and the client should proceed to send the request body
+   * (in the case of a request for which a body needs to be sent; for example, a POST request).
+   * Sending a large request body to a server after a request has been rejected for inappropriate headers would be inefficient.
+   * To have a server check the request's headers, a client must send Expect: 100-continue as a header in its initial request
+   * and receive a 100 Continue status code in response before sending the body. The response 417 Expectation Failed indicates the request should not be continued.
+   */
+  CONTINUE = 100,
+
+  /**
+   * The requester has asked the server to switch protocols and the server has agreed to do so.
+   */
+  SWITCHING_PROTOCOLS = 101,
+
+  /**
+   * A WebDAV request may contain many sub-requests involving file operations, requiring a long time to complete the request.
+   * This code indicates that the server has received and is processing the request, but no response is available yet.
+   * This prevents the client from timing out and assuming the request was lost.
+   */
+  PROCESSING = 102,
+
+  /**
+   * Standard response for successful HTTP requests.
+   * The actual response will depend on the request method used.
+   * In a GET request, the response will contain an entity corresponding to the requested resource.
+   * In a POST request, the response will contain an entity describing or containing the result of the action.
+   */
+  OK = 200,
+
+  /**
+   * The request has been fulfilled, resulting in the creation of a new resource.
+   */
+  CREATED = 201,
+
+  /**
+   * The request has been accepted for processing, but the processing has not been completed.
+   * The request might or might not be eventually acted upon, and may be disallowed when processing occurs.
+   */
+  ACCEPTED = 202,
+
+  /**
+   * SINCE HTTP/1.1
+   * The server is a transforming proxy that received a 200 OK from its origin,
+   * but is returning a modified version of the origin's response.
+   */
+  NON_AUTHORITATIVE_INFORMATION = 203,
+
+  /**
+   * The server successfully processed the request and is not returning any content.
+   */
+  NO_CONTENT = 204,
+
+  /**
+   * The server successfully processed the request, but is not returning any content.
+   * Unlike a 204 response, this response requires that the requester reset the document view.
+   */
+  RESET_CONTENT = 205,
+
+  /**
+   * The server is delivering only part of the resource (byte serving) due to a range header sent by the client.
+   * The range header is used by HTTP clients to enable resuming of interrupted downloads,
+   * or split a download into multiple simultaneous streams.
+   */
+  PARTIAL_CONTENT = 206,
+
+  /**
+   * The message body that follows is an XML message and can contain a number of separate response codes,
+   * depending on how many sub-requests were made.
+   */
+  MULTI_STATUS = 207,
+
+  /**
+   * The members of a DAV binding have already been enumerated in a preceding part of the (multistatus) response,
+   * and are not being included again.
+   */
+  ALREADY_REPORTED = 208,
+
+  /**
+   * The server has fulfilled a request for the resource,
+   * and the response is a representation of the result of one or more instance-manipulations applied to the current instance.
+   */
+  IM_USED = 226,
+
+  /**
+   * Indicates multiple options for the resource from which the client may choose (via agent-driven content negotiation).
+   * For example, this code could be used to present multiple video format options,
+   * to list files with different filename extensions, or to suggest word-sense disambiguation.
+   */
+  MULTIPLE_CHOICES = 300,
+
+  /**
+   * This and all future requests should be directed to the given URI.
+   */
+  MOVED_PERMANENTLY = 301,
+
+  /**
+   * This is an example of industry practice contradicting the standard.
+   * The HTTP/1.0 specification (RFC 1945) required the client to perform a temporary redirect
+   * (the original describing phrase was "Moved Temporarily"), but popular browsers implemented 302
+   * with the functionality of a 303 See Other. Therefore, HTTP/1.1 added status codes 303 and 307
+   * to distinguish between the two behaviours. However, some Web applications and frameworks
+   * use the 302 status code as if it were the 303.
+   */
+  FOUND = 302,
+
+  /**
+   * SINCE HTTP/1.1
+   * The response to the request can be found under another URI using a GET method.
+   * When received in response to a POST (or PUT/DELETE), the client should presume that
+   * the server has received the data and should issue a redirect with a separate GET message.
+   */
+  SEE_OTHER = 303,
+
+  /**
+   * Indicates that the resource has not been modified since the version specified by the request headers If-Modified-Since or If-None-Match.
+   * In such case, there is no need to retransmit the resource since the client still has a previously-downloaded copy.
+   */
+  NOT_MODIFIED = 304,
+
+  /**
+   * SINCE HTTP/1.1
+   * The requested resource is available only through a proxy, the address for which is provided in the response.
+   * Many HTTP clients (such as Mozilla and Internet Explorer) do not correctly handle responses with this status code, primarily for security reasons.
+   */
+  USE_PROXY = 305,
+
+  /**
+   * No longer used. Originally meant "Subsequent requests should use the specified proxy."
+   */
+  SWITCH_PROXY = 306,
+
+  /**
+   * SINCE HTTP/1.1
+   * In this case, the request should be repeated with another URI; however, future requests should still use the original URI.
+   * In contrast to how 302 was historically implemented, the request method is not allowed to be changed when reissuing the original request.
+   * For example, a POST request should be repeated using another POST request.
+   */
+  TEMPORARY_REDIRECT = 307,
+
+  /**
+   * The request and all future requests should be repeated using another URI.
+   * 307 and 308 parallel the behaviors of 302 and 301, but do not allow the HTTP method to change.
+   * So, for example, submitting a form to a permanently redirected resource may continue smoothly.
+   */
+  PERMANENT_REDIRECT = 308,
+
+  /**
+   * The server cannot or will not process the request due to an apparent client error
+   * (e.g., malformed request syntax, too large size, invalid request message framing, or deceptive request routing).
+   */
+  BAD_REQUEST = 400,
+
+  /**
+   * Similar to 403 Forbidden, but specifically for use when authentication is required and has failed or has not yet
+   * been provided. The response must include a WWW-Authenticate header field containing a challenge applicable to the
+   * requested resource. See Basic access authentication and Digest access authentication. 401 semantically means
+   * "unauthenticated",i.e. the user does not have the necessary credentials.
+   */
+  UNAUTHORIZED = 401,
+
+  /**
+   * Reserved for future use. The original intention was that this code might be used as part of some form of digital
+   * cash or micro payment scheme, but that has not happened, and this code is not usually used.
+   * Google Developers API uses this status if a particular developer has exceeded the daily limit on requests.
+   */
+  PAYMENT_REQUIRED = 402,
+
+  /**
+   * The request was valid, but the server is refusing action.
+   * The user might not have the necessary permissions for a resource.
+   */
+  FORBIDDEN = 403,
+
+  /**
+   * The requested resource could not be found but may be available in the future.
+   * Subsequent requests by the client are permissible.
+   */
+  NOT_FOUND = 404,
+
+  /**
+   * A request method is not supported for the requested resource;
+   * for example, a GET request on a form that requires data to be presented via POST, or a PUT request on a read-only resource.
+   */
+  METHOD_NOT_ALLOWED = 405,
+
+  /**
+   * The requested resource is capable of generating only content not acceptable according to the Accept headers sent in the request.
+   */
+  NOT_ACCEPTABLE = 406,
+
+  /**
+   * The client must first authenticate itself with the proxy.
+   */
+  PROXY_AUTHENTICATION_REQUIRED = 407,
+
+  /**
+   * The server timed out waiting for the request.
+   * According to HTTP specifications:
+   * "The client did not produce a request within the time that the server was prepared to wait. The client MAY repeat the request without modifications at any later time."
+   */
+  REQUEST_TIMEOUT = 408,
+
+  /**
+   * Indicates that the request could not be processed because of conflict in the request,
+   * such as an edit conflict between multiple simultaneous updates.
+   */
+  CONFLICT = 409,
+
+  /**
+   * Indicates that the resource requested is no longer available and will not be available again.
+   * This should be used when a resource has been intentionally removed and the resource should be purged.
+   * Upon receiving a 410 status code, the client should not request the resource in the future.
+   * Clients such as search engines should remove the resource from their indices.
+   * Most use cases do not require clients and search engines to purge the resource, and a "404 Not Found" may be used instead.
+   */
+  GONE = 410,
+
+  /**
+   * The request did not specify the length of its content, which is required by the requested resource.
+   */
+  LENGTH_REQUIRED = 411,
+
+  /**
+   * The server does not meet one of the preconditions that the requester put on the request.
+   */
+  PRECONDITION_FAILED = 412,
+
+  /**
+   * The request is larger than the server is willing or able to process. Previously called "Request Entity Too Large".
+   */
+  PAYLOAD_TOO_LARGE = 413,
+
+  /**
+   * The URI provided was too long for the server to process. Often the result of too much data being encoded as a query-string of a GET request,
+   * in which case it should be converted to a POST request.
+   * Called "Request-URI Too Long" previously.
+   */
+  URI_TOO_LONG = 414,
+
+  /**
+   * The request entity has a media type which the server or resource does not support.
+   * For example, the client uploads an image as image/svg+xml, but the server requires that images use a different format.
+   */
+  UNSUPPORTED_MEDIA_TYPE = 415,
+
+  /**
+   * The client has asked for a portion of the file (byte serving), but the server cannot supply that portion.
+   * For example, if the client asked for a part of the file that lies beyond the end of the file.
+   * Called "Requested Range Not Satisfiable" previously.
+   */
+  RANGE_NOT_SATISFIABLE = 416,
+
+  /**
+   * The server cannot meet the requirements of the Expect request-header field.
+   */
+  EXPECTATION_FAILED = 417,
+
+  /**
+   * This code was defined in 1998 as one of the traditional IETF April Fools' jokes, in RFC 2324, Hyper Text Coffee Pot Control Protocol,
+   * and is not expected to be implemented by actual HTTP servers. The RFC specifies this code should be returned by
+   * teapots requested to brew coffee. This HTTP status is used as an Easter egg in some websites, including Google.com.
+   */
+  I_AM_A_TEAPOT = 418,
+
+  /**
+   * The request was directed at a server that is not able to produce a response (for example because a connection reuse).
+   */
+  MISDIRECTED_REQUEST = 421,
+
+  /**
+   * The request was well-formed but was unable to be followed due to semantic errors.
+   */
+  UNPROCESSABLE_ENTITY = 422,
+
+  /**
+   * The resource that is being accessed is locked.
+   */
+  LOCKED = 423,
+
+  /**
+   * The request failed due to failure of a previous request (e.g., a PROPPATCH).
+   */
+  FAILED_DEPENDENCY = 424,
+
+  /**
+   * The client should switch to a different protocol such as TLS/1.0, given in the Upgrade header field.
+   */
+  UPGRADE_REQUIRED = 426,
+
+  /**
+   * The origin server requires the request to be conditional.
+   * Intended to prevent "the 'lost update' problem, where a client
+   * GETs a resource's state, modifies it, and PUTs it back to the server,
+   * when meanwhile a third party has modified the state on the server, leading to a conflict."
+   */
+  PRECONDITION_REQUIRED = 428,
+
+  /**
+   * The user has sent too many requests in a given amount of time. Intended for use with rate-limiting schemes.
+   */
+  TOO_MANY_REQUESTS = 429,
+
+  /**
+   * The server is unwilling to process the request because either an individual header field,
+   * or all the header fields collectively, are too large.
+   */
+  REQUEST_HEADER_FIELDS_TOO_LARGE = 431,
+
+  /**
+   * A server operator has received a legal demand to deny access to a resource or to a set of resources
+   * that includes the requested resource. The code 451 was chosen as a reference to the novel Fahrenheit 451.
+   */
+  UNAVAILABLE_FOR_LEGAL_REASONS = 451,
+
+  /**
+   * A generic error message, given when an unexpected condition was encountered and no more specific message is suitable.
+   */
+  INTERNAL_SERVER_ERROR = 500,
+
+  /**
+   * The server either does not recognize the request method, or it lacks the ability to fulfill the request.
+   * Usually this implies future availability (e.g., a new feature of a web-service API).
+   */
+  NOT_IMPLEMENTED = 501,
+
+  /**
+   * The server was acting as a gateway or proxy and received an invalid response from the upstream server.
+   */
+  BAD_GATEWAY = 502,
+
+  /**
+   * The server is currently unavailable (because it is overloaded or down for maintenance).
+   * Generally, this is a temporary state.
+   */
+  SERVICE_UNAVAILABLE = 503,
+
+  /**
+   * The server was acting as a gateway or proxy and did not receive a timely response from the upstream server.
+   */
+  GATEWAY_TIMEOUT = 504,
+
+  /**
+   * The server does not support the HTTP protocol version used in the request
+   */
+  HTTP_VERSION_NOT_SUPPORTED = 505,
+
+  /**
+   * Transparent content negotiation for the request results in a circular reference.
+   */
+  VARIANT_ALSO_NEGOTIATES = 506,
+
+  /**
+   * The server is unable to store the representation needed to complete the request.
+   */
+  INSUFFICIENT_STORAGE = 507,
+
+  /**
+   * The server detected an infinite loop while processing the request.
+   */
+  LOOP_DETECTED = 508,
+
+  /**
+   * Further extensions to the request are required for the server to fulfill it.
+   */
+  NOT_EXTENDED = 510,
+
+  /**
+   * The client needs to authenticate to gain network access.
+   * Intended for use by intercepting proxies used to control access to the network (e.g., "captive portals" used
+   * to require agreement to Terms of Service before granting full Internet access via a Wi-Fi hotspot).
+   */
+  NETWORK_AUTHENTICATION_REQUIRED = 511,
+}
+
+export default HttpStatus;

src/interfaces/http-success.ts

@@ -0,0 +1,18 @@
+import HttpStatus from "./http-status";
+
+class HttpSuccess {
+  /**
+   * HTTP Status Code
+   */
+  status: HttpStatus;
+  message: string;
+  result?: any;
+
+  constructor(result?: any) {
+    this.status = HttpStatus.OK;
+    this.message = "สำเร็จ";
+    this.result = result;
+  }
+}
+
+export default HttpSuccess;

src/middlewares/auth.ts

@@ -0,0 +1,78 @@
+import * as express from "express";
+import { createDecoder, createVerifier } from "fast-jwt";
+
+import HttpError from "../interfaces/http-error";
+import HttpStatus from "../interfaces/http-status";
+
+if (!process.env.AUTH_PUBLIC_KEY && !process.env.AUTH_REALM_URL) {
+  throw new Error("Require keycloak AUTH_PUBLIC_KEY or AUTH_REALM_URL.");
+}
+if (
+  process.env.AUTH_PUBLIC_KEY &&
+  process.env.AUTH_REALM_URL &&
+  !process.env.AUTH_PREFERRED_MODE
+) {
+  throw new Error(
+    "AUTH_PREFFERRED must be specified if AUTH_PUBLIC_KEY and AUTH_REALM_URL is provided.",
+  );
+}
+
+const jwtVerify = createVerifier({
+  key: async () => {
+    return `-----BEGIN PUBLIC KEY-----\n${process.env.AUTH_PUBLIC_KEY}\n-----END PUBLIC KEY-----`;
+  },
+});
+
+const jwtDecode = createDecoder();
+
+export async function expressAuthentication(
+  request: express.Request,
+  securityName: string,
+  _scopes?: string[],
+) {
+  if (process.env.NODE_ENV !== "production" && process.env.AUTH_BYPASS) {
+    return { preferred_username: "bypassed" };
+  }
+
+  if (securityName !== "bearerAuth") throw new Error("ไม่ทราบวิธีการยืนยันตัวตน");
+
+  const token = request.headers["authorization"]?.includes("Bearer ")
+    ? request.headers["authorization"].split(" ")[1]
+    : request.headers["authorization"];
+
+  if (!token) throw new HttpError(HttpStatus.UNAUTHORIZED, "ไม่พบข้อมูลสำหรับยืนยันตัวตน");
+
+  let payload: Record<string, any> = {};
+
+  switch (process.env.AUTH_PREFERRED_MODE) {
+    case "online":
+      payload = await verifyOnline(token);
+      break;
+    case "offline":
+      payload = await verifyOffline(token);
+      break;
+    default:
+      if (process.env.AUTH_REALM_URL) payload = await verifyOnline(token);
+      if (process.env.AUTH_PUBLIC_KEY) payload = await verifyOffline(token);
+      break;
+  }
+
+  return payload;
+}
+
+async function verifyOffline(token: string) {
+  const payload = await jwtVerify(token).catch((_) => null);
+  if (!payload) throw new HttpError(HttpStatus.UNAUTHORIZED, "ไม่สามารถยืนยันตัวตนได้");
+  return payload;
+}
+
+async function verifyOnline(token: string) {
+  const res = await fetch(`${process.env.AUTH_REALM_URL}/protocol/openid-connect/userinfo`, {
+    headers: { authorization: `Bearer ${token}` },
+  }).catch((e) => console.error(e));
+
+  if (!res) throw new Error("ไม่สามารถเข้าถึงระบบยืนยันตัวตน");
+  if (!res.ok) throw new HttpError(HttpStatus.UNAUTHORIZED, "ไม่สามารถยืนยันตัวตนได้");
+
+  return await jwtDecode(token);
+}

src/middlewares/error.ts

@@ -0,0 +1,30 @@
+import { NextFunction, Request, Response } from "express";
+import HttpError from "../interfaces/http-error";
+import HttpStatus from "../interfaces/http-status";
+import { ValidateError } from "tsoa";
+
+function error(error: Error, _req: Request, res: Response, _next: NextFunction) {
+  if (error instanceof HttpError) {
+    return res.status(error.status).json({
+      status: error.status,
+      message: error.message,
+    });
+  }
+
+  if (error instanceof ValidateError) {
+    return res.status(error.status).json({
+      status: HttpStatus.UNPROCESSABLE_ENTITY,
+      message: "Validation error(s).",
+      detail: error.fields,
+    });
+  }
+
+  console.error("Exception Caught:" + error);
+
+  return res.status(HttpStatus.INTERNAL_SERVER_ERROR).json({
+    status: HttpStatus.INTERNAL_SERVER_ERROR,
+    message: error.message,
+  });
+}
+
+export default error;

src/migration/1707895756226-start.ts

@@ -0,0 +1,14 @@
+import { MigrationInterface, QueryRunner } from "typeorm";
+
+export class Start1707895756226 implements MigrationInterface {
+    name = 'Start1707895756226'
+
+    public async up(queryRunner: QueryRunner): Promise<void> {
+        await queryRunner.query(`CREATE TABLE \`entity_base\` (\`id\` varchar(36) NOT NULL, \`createdAt\` datetime(6) NOT NULL COMMENT 'สร้างข้อมูลเมื่อ' DEFAULT CURRENT_TIMESTAMP(6), \`createdUserId\` varchar(40) NOT NULL COMMENT 'User Id ที่สร้างข้อมูล' DEFAULT '00000000-0000-0000-0000-000000000000', \`lastUpdatedAt\` datetime(6) NOT NULL COMMENT 'แก้ไขข้อมูลล่าสุดเมื่อ' DEFAULT CURRENT_TIMESTAMP(6) ON UPDATE CURRENT_TIMESTAMP(6), \`lastUpdateUserId\` varchar(40) NOT NULL COMMENT 'User Id ที่แก้ไขข้อมูล' DEFAULT '00000000-0000-0000-0000-000000000000', \`createdFullName\` varchar(200) NOT NULL COMMENT 'ชื่อ User ที่สร้างข้อมูล' DEFAULT 'string', \`lastUpdateFullName\` varchar(200) NOT NULL COMMENT 'ชื่อ User ที่แก้ไขข้อมูลล่าสุด' DEFAULT 'string', PRIMARY KEY (\`id\`)) ENGINE=InnoDB`);
+    }
+
+    public async down(queryRunner: QueryRunner): Promise<void> {
+        await queryRunner.query(`DROP TABLE \`entity_base\``);
+    }
+
+}

static/index.html

@@ -0,0 +1,266 @@
+<!--
+  ~ Copyright 2016 Red Hat, Inc. and/or its affiliates
+  ~ and other contributors as indicated by the @author tags.
+  ~
+  ~ Licensed under the Apache License, Version 2.0 (the "License");
+  ~ you may not use this file except in compliance with the License.
+  ~ You may obtain a copy of the License at
+  ~
+  ~ http://www.apache.org/licenses/LICENSE-2.0
+  ~
+  ~ Unless required by applicable law or agreed to in writing, software
+  ~ distributed under the License is distributed on an "AS IS" BASIS,
+  ~ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+  ~ See the License for the specific language governing permissions and
+  ~ limitations under the License.
+  -->
+
+<html>
+  <head>
+    <script src="./keycloak.js"></script>
+  </head>
+  <body>
+    <div>
+      <button onclick="keycloak.login()">Login</button>
+      <button onclick="keycloak.login({ action: 'UPDATE_PASSWORD' })">
+        Update Password
+      </button>
+      <button onclick="keycloak.logout()">Logout</button>
+      <button onclick="keycloak.register()">Register</button>
+      <button onclick="keycloak.accountManagement()">Account</button>
+      <button onclick="refreshToken(9999)">Refresh Token</button>
+      <button onclick="refreshToken(30)">
+        Refresh Token (if <30s validity)
+      </button>
+      <button onclick="loadProfile()">Get Profile</button>
+      <button onclick="updateProfile()">Update profile</button>
+      <button onclick="loadUserInfo()">Get User Info</button>
+      <button onclick="output(keycloak.tokenParsed)">Show Token</button>
+      <button onclick="output(keycloak.refreshTokenParsed)">
+        Show Refresh Token
+      </button>
+      <button onclick="output(keycloak.idTokenParsed)">Show ID Token</button>
+      <button onclick="showExpires()">Show Expires</button>
+      <button onclick="output(keycloak)">Show Details</button>
+      <button onclick="output(keycloak.createLoginUrl())">
+        Show Login URL
+      </button>
+      <button onclick="output(keycloak.createLogoutUrl())">
+        Show Logout URL
+      </button>
+      <button onclick="output(keycloak.createRegisterUrl())">
+        Show Register URL
+      </button>
+      <button onclick="output(keycloak.createAccountUrl())">
+        Show Account URL
+      </button>
+    </div>
+
+    <h2>Result</h2>
+    <pre
+      style="
+        background-color: #ddd;
+        border: 1px solid #ccc;
+        padding: 10px;
+        word-wrap: break-word;
+        white-space: pre-wrap;
+      "
+      id="output"
+    ></pre>
+
+    <h2>Events</h2>
+    <pre
+      style="
+        background-color: #ddd;
+        border: 1px solid #ccc;
+        padding: 10px;
+        word-wrap: break-word;
+        white-space: pre-wrap;
+      "
+      id="events"
+    ></pre>
+
+    <script>
+      function loadProfile() {
+        keycloak
+          .loadUserProfile()
+          .success(function (profile) {
+            output(profile);
+          })
+          .error(function () {
+            output("Failed to load profile");
+          });
+      }
+
+      function updateProfile() {
+        var url = keycloak.createAccountUrl().split("?")[0];
+        var req = new XMLHttpRequest();
+        req.open("POST", url, true);
+        req.setRequestHeader("Accept", "application/json");
+        req.setRequestHeader("Content-Type", "application/json");
+        req.setRequestHeader("Authorization", "bearer " + keycloak.token);
+
+        req.onreadystatechange = function () {
+          if (req.readyState == 4) {
+            if (req.status == 200) {
+              output("Success");
+            } else {
+              output("Failed");
+            }
+          }
+        };
+
+        req.send(
+          '{"email":"myemail@foo.bar","firstName":"test","lastName":"bar"}'
+        );
+      }
+
+      function loadUserInfo() {
+        keycloak
+          .loadUserInfo()
+          .success(function (userInfo) {
+            output(userInfo);
+          })
+          .error(function () {
+            output("Failed to load user info");
+          });
+      }
+
+      function refreshToken(minValidity) {
+        keycloak
+          .updateToken(minValidity)
+          .then(function (refreshed) {
+            if (refreshed) {
+              output(keycloak.tokenParsed);
+            } else {
+              output(
+                "Token not refreshed, valid for " +
+                  Math.round(
+                    keycloak.tokenParsed.exp +
+                      keycloak.timeSkew -
+                      new Date().getTime() / 1000
+                  ) +
+                  " seconds"
+              );
+            }
+          })
+          .catch(function () {
+            output("Failed to refresh token");
+          });
+      }
+
+      function showExpires() {
+        if (!keycloak.tokenParsed) {
+          output("Not authenticated");
+          return;
+        }
+
+        var o =
+          "Token Expires:\t\t" +
+          new Date(
+            (keycloak.tokenParsed.exp + keycloak.timeSkew) * 1000
+          ).toLocaleString() +
+          "\n";
+        o +=
+          "Token Expires in:\t" +
+          Math.round(
+            keycloak.tokenParsed.exp +
+              keycloak.timeSkew -
+              new Date().getTime() / 1000
+          ) +
+          " seconds\n";
+
+        if (keycloak.refreshTokenParsed) {
+          o +=
+            "Refresh Token Expires:\t" +
+            new Date(
+              (keycloak.refreshTokenParsed.exp + keycloak.timeSkew) * 1000
+            ).toLocaleString() +
+            "\n";
+          o +=
+            "Refresh Expires in:\t" +
+            Math.round(
+              keycloak.refreshTokenParsed.exp +
+                keycloak.timeSkew -
+                new Date().getTime() / 1000
+            ) +
+            " seconds";
+        }
+
+        output(o);
+      }
+
+      function output(data) {
+        if (typeof data === "object") {
+          data = JSON.stringify(data, null, "  ");
+        }
+        document.getElementById("output").innerHTML = data;
+      }
+
+      function event(event) {
+        var e = document.getElementById("events").innerHTML;
+        document.getElementById("events").innerHTML =
+          new Date().toLocaleString() + "\t" + event + "\n" + e;
+      }
+
+      var keycloak = Keycloak();
+
+      keycloak.onAuthSuccess = function () {
+        event("Auth Success");
+      };
+
+      keycloak.onAuthError = function (errorData) {
+        event("Auth Error: " + JSON.stringify(errorData));
+      };
+
+      keycloak.onAuthRefreshSuccess = function () {
+        event("Auth Refresh Success");
+      };
+
+      keycloak.onAuthRefreshError = function () {
+        event("Auth Refresh Error");
+      };
+
+      keycloak.onAuthLogout = function () {
+        event("Auth Logout");
+      };
+
+      keycloak.onTokenExpired = function () {
+        event("Access token expired.");
+      };
+
+      keycloak.onActionUpdate = function (status) {
+        switch (status) {
+          case "success":
+            event("Action completed successfully");
+            break;
+          case "cancelled":
+            event("Action cancelled by user");
+            break;
+          case "error":
+            event("Action failed");
+            break;
+        }
+      };
+
+      // Flow can be changed to 'implicit' or 'hybrid', but then client must enable implicit flow in admin console too
+      var initOptions = {
+        responseMode: "fragment",
+        flow: "standard",
+      };
+
+      keycloak
+        .init(initOptions)
+        .then(function (authenticated) {
+          output(
+            "Init Success (" +
+              (authenticated ? "Authenticated" : "Not Authenticated") +
+              ")"
+          );
+        })
+        .catch(function () {
+          output("Init Error");
+        });
+    </script>
+  </body>
+</html>

static/keycloak.json

@@ -0,0 +1,9 @@
+{
+    "realm": "bma-ehr",
+    "auth-server-url": "https://id.frappet.synology.me",
+    "ssl-required": "external",
+    "resource": "bma-ehr",
+    "public-client": true,
+    "client_secret": "tF0huP4MylOSMVZEohwPMI8DDttW66A7",
+    "realm-public-key":"MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvYg0ZJvH6HgNOzyPp7PCvY3bJwD9WdsNn6gZbuvIfqJQZ8iSH1t0p3fgODO/fqwcj9UFeh1bVFOSjuW+JpnPehROqzt81KNl9zLLNXoN4LimReQHaMM3dU7DCbRylgVCouIDvObyjg8G+Cy5lZvFKWym/DPwGVpSdbvDZJ83qxq2dp7GJXS8PhOvA+MB1K009/jW5pBTUwNArLjoFccr+gIYIiOJDg2rYyIF3fDkwyWkuxr6xRt10+BRJytselwy/18kbDuJxVPaapdgTXI6wLzx7HWcDk30n5EvhJEumnIPpRst8gucqNYmB4MH+vsyoxV5WLuO3qmVRzFbtAppRQIDAQAB"
+  }

tsconfig.json

@@ -0,0 +1,18 @@
+{
+  "compilerOptions": {
+    "incremental": true,
+    "outDir": "dist",
+    "lib": ["ESNext", "DOM", "DOM.Iterable"],
+    "target": "ESNext",
+    "module": "NodeNext",
+    "moduleResolution": "NodeNext",
+    "strictPropertyInitialization": false,
+    "strict": true,
+    "esModuleInterop": true,
+    "forceConsistentCasingInFileNames": true,
+    "experimentalDecorators": true,
+    "emitDecoratorMetadata": true,
+    "resolveJsonModule": true,
+    "skipLibCheck": true
+  }
+}

tsoa.json

@@ -0,0 +1,38 @@
+{
+  "entryFile": "src/app.ts",
+  "noImplicitAdditionalProperties": "throw-on-extras",
+  "controllerPathGlobs": ["src/controllers/*Controller.ts"],
+  "spec": {
+    "outputDirectory": "src",
+    "specVersion": 3,
+    "spec": {
+      "info": {
+        "title": "bma-ehr-salary - API",
+        "version": "0.0.1",
+        "description": "ระบบเงินเดือน",
+        "license": {
+          "name": "by Frappet",
+          "url": "https://frappet.com"
+        }
+      },
+      "basePath": "/"
+    },
+    "securityDefinitions": {
+      "bearerAuth": {
+        "type": "apiKey",
+        "name": "Authorization",
+        "description": "Keycloak Bearer Token",
+        "in": "header"
+      }
+    },
+    "tags": [
+        {
+          "name": "Test", "description": "สำหรับทดสอบ" 
+        }
+    ]
+  },
+  "routes": {
+    "routesDir": "src/",
+    "authenticationModule": "src/middlewares/auth.ts"
+  }
+}