ChaudhariMahesh4701/DMImpact_Multi-Tenant_Task

GitHub: ChaudhariMahesh4701/DMImpact_Multi-Tenant_Task

Stars: 0 | Forks: 0

# DMimpact Multi-Tenant Incident Response Platform

Full-stack incident management platform built with Angular and Spring Boot for the DMimpact coding challenge.

## Stack

- Frontend: Angular 18 standalone components, route guards, HTTP interceptor, typed API services.
- Backend: Spring Boot 3, Java 17, Spring Security, JWT, Spring Data JPA, H2 demo database.
- API docs: Swagger/OpenAPI at `http://localhost:8080/swagger-ui.html`.

## Repository Structure

```
.
├── backend
│   └── src/main/java/com/dmimpact/incident
│       ├── alert      # Alert intake and triage
│       ├── audit      # Immutable tenant-scoped activity history
│       ├── auth       # Login, JWT creation, current user context
│       ├── common     # Shared API errors and exceptions
│       ├── config     # Security, OpenAPI, MVC, seed data
│       ├── incident   # Incident lifecycle, comments, filters, stats
│       ├── tenant     # Tenant entity/repository
│       └── user       # Users, roles, tenant team directory
└── frontend
    └── src/app
        ├── core       # Auth state, guards, interceptor, typed API client
        └── features   # Login, layout, dashboard, incidents
```

## Local Setup

Start the backend:

```sh
mvn -pl backend spring-boot:run
```

Start the frontend:

```sh
cd frontend
npm install
npm start
```

Open `http://localhost:4200`.

If your terminal has an old Homebrew Node earlier in `PATH`, use NVM Node first:

```sh
export PATH="$HOME/.nvm/versions/node/v22.21.0/bin:/usr/bin:/bin:/usr/sbin:/sbin"
npm install
```

The project also includes `frontend/.npmrc` with `script-shell=/bin/sh` to avoid npm lifecycle script failures such as `spawn sh ENOENT`.

## Demo Accounts

All demo accounts use password `Password123!`.

| Tenant | Email | Role |
| --- | --- | --- |
| `acme` | `admin@acme.test` | Admin |
| `acme` | `manager@acme.test` | Manager |
| `acme` | `user@acme.test` | User |
| `globex` | `admin@globex.test` | Admin |

## Implemented Requirements

- JWT authentication with tenant id, tenant slug, user id, email, and role claims.
- RBAC for Admin, Manager, and User.
- Tenant-scoped backend design for users, incidents, alerts, comments, and audit logs.
- Incident creation, update, assignment, status changes, resolution, comments, search, and filters.
- Alert intake and triage endpoints.
- Audit log capture for login, alert creation, incident creation, assignment, updates, comments, and resolution.
- Responsive Angular dashboard with loading, empty, and error states.
- REST API validation and consistent error handling.
- Swagger/OpenAPI documentation.
- Integration test proving cross-tenant incident lookup is blocked.

## Tenant Isolation Design

Clients never send a trusted tenant id for protected operations. After login, the backend extracts tenant context from the signed JWT through `SecurityUser`. Services then pass `currentUser.tenantId()` into repository methods such as `findByTenantIdAndId`, `findByTenantIdOrderByNameAsc`, and tenant-filtered JPA specifications.

This means an authenticated user from tenant A can know or guess an entity UUID from tenant B and still receive `404`, because lookup predicates always include both `tenant_id` and entity id.

## Database Schema

The demo uses H2 with JPA-generated tables:

- `tenants`
- `users`
- `alerts`
- `incidents`
- `incident_comments`
- `audit_logs`

Production would use PostgreSQL with the same tenant-id indexing strategy. Important indexes are included on tenant/status, tenant/severity, tenant/created time, tenant/email, and tenant/entity audit lookups.
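As an added illustration of the tenant isolation design and the tenant-id indexing described above (example code, not code from this repository): the lookup always carries the tenant id taken from `SecurityUser`, so a UUID belonging to another tenant resolves to nothing and is answered exactly like a nonexistent id. The `Incident` fields, the index name, the `SecurityUser` record shape and the use of Spring's `ResponseStatusException` in place of the project's own `common` exceptions are assumptions.

```java
import java.util.Optional;
import java.util.UUID;
import jakarta.persistence.Column;
import jakarta.persistence.Entity;
import jakarta.persistence.Id;
import jakarta.persistence.Index;
import jakarta.persistence.Table;
import org.springframework.data.jpa.repository.JpaRepository;
import org.springframework.http.HttpStatus;
import org.springframework.stereotype.Service;
import org.springframework.web.server.ResponseStatusException;

// Assumed shape of the principal built from the JWT claims; only tenantId() is used here.
record SecurityUser(UUID tenantId, UUID userId, String email, String role) {}

@Entity
// Composite tenant/status index (assumed name) so tenant-scoped filters stay cheap as data grows.
@Table(name = "incidents", indexes = @Index(name = "idx_incidents_tenant_status", columnList = "tenant_id, status"))
class Incident {
    @Id
    private UUID id;
    @Column(name = "tenant_id", nullable = false, updatable = false)
    private UUID tenantId;
    @Column(nullable = false)
    private String status;
    // Accessors omitted; the derived query below only needs the mapped fields.
}

interface IncidentRepository extends JpaRepository<Incident, UUID> {
    // Spring Data derives: ... WHERE tenant_id = ?1 AND id = ?2 (never findById on its own)
    Optional<Incident> findByTenantIdAndId(UUID tenantId, UUID id);
}

@Service
class IncidentService {
    private final IncidentRepository incidents;

    IncidentService(IncidentRepository incidents) {
        this.incidents = incidents;
    }

    // The tenant id comes from the verified JWT principal, never from the request body or path.
    // A UUID owned by another tenant matches no row, so it is indistinguishable from a
    // nonexistent id: both callers receive the same 404.
    Incident getIncident(SecurityUser currentUser, UUID incidentId) {
        return incidents.findByTenantIdAndId(currentUser.tenantId(), incidentId)
            .orElseThrow(() -> new ResponseStatusException(HttpStatus.NOT_FOUND, "Incident not found"));
    }
}
```

The same pattern applies to update, comment and assignment paths: load through the tenant-scoped finder first, then mutate, so no handler ever operates on an entity fetched by id alone.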
## Useful API Endpoints

- `POST /api/auth/login`
- `POST /api/auth/register`
- `GET /api/auth/me`
- `GET /api/incidents`
- `POST /api/incidents`
- `GET /api/incidents/{incidentId}`
- `PUT /api/incidents/{incidentId}`
- `POST /api/incidents/{incidentId}/comments`
- `GET /api/incidents/stats`
- `GET /api/alerts`
- `POST /api/alerts`
- `PATCH /api/alerts/{alertId}/status`
- `GET /api/audit-logs`
- `GET /api/users`

## Verification

```sh
mvn -q -pl backend test
cd frontend
npm run build
```

## Tradeoffs

- H2 is used for reviewer convenience; PostgreSQL should be used for deployed environments.
- The JWT secret is configured with a demo fallback. Production must set `APP_JWT_SECRET`.
- Real-time updates are documented as a scaling path; the MVP uses refresh and REST polling-friendly endpoints.
- User management CRUD is intentionally limited to seeded demo users so the core incident workflow stays focused.

## Plain-English User Guide

See [PLATFORM_GUIDE.md](PLATFORM_GUIDE.md) for a simple guide on how to sign up, sign in, and use the platform.