
Experience · Backend · Active

cs transaction api

NestJS BFF for CS Transaction Manage, delegating auth/session/role flows to platform-auth-service and subscription status to platform-payments-service while owning onboarding, ledger, transaction, series, investment and agenda APIs.

  • NestJS 11
  • Prisma 7
  • PostgreSQL
  • class-validator
  • helmet
  • cookie-parser

Spec sheet

Repository path

cs-transacion-manage/apps/api

Runtime

NestJS 11 BFF

Default port

3005

Public surface

Same-origin /api on transactions host

Database

transaction-postgres via Prisma 7

Responsibilities

  • Expose auth, onboarding, user, relationship, counterparty, transaction, series, pay-yourself-first, investment and agenda endpoints.
  • Resolve login and request sessions through platform-auth-service, then maintain product-local user profiles for ledger ownership.
  • Resolve AccessContext in the access module and enforce capability guards on sensitive endpoints.
  • Persist transaction-management state through Prisma.
  • Expose health checks that include database connectivity.
  • Keep controllers thin and centralize domain behavior in services.

Interfaces and contract surface

  • GET /api/health
  • GET /api/auth/bootstrap
  • GET /api/auth/me
  • POST /api/auth/register
  • POST /api/auth/login
  • access: role + subscriptionTier + capabilities + isAdmin
  • GET /api/transactions
  • GET /api/series
  • GET /api/investments
  • GET /api/agenda

Consumers

Dependencies and external touchpoints

Notes

  • The local-stack entrypoint runs Prisma db push and generate before Nest watch.
  • Denied capabilities return 403 Forbidden; the frontend capability filter is not the security boundary.

Source references

  • cs-transacion-manage/apps/api/package.json
  • cs-transacion-manage/apps/api/prisma/schema.prisma
  • cs-transacion-manage/apps/api/src

Access contract

GET /api/auth/me, login and the first register call return user.role together with an access object carrying role, subscriptionTier, capabilities and isAdmin.

The access module resolves:

  • role, tenantId and subjectId from the platform-auth-service session;
  • plan status from platform-payments-service;
  • the final set of capabilities that the NestJS guards enforce.

The /users/* endpoints require users.manage. GET /api/users/:id/capabilities and PATCH /api/users/:id/capabilities additionally require that the actor resolved by the BFF has role=ADMIN; these endpoints normalize membership grants on platform-auth-service and keep the frontend same-origin.

Import/export, sharing, series, investments, simulation and pay-yourself-first each require a dedicated capability and return 403 Forbidden when the plan or the role does not grant it.
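The resolution and enforcement flow described above, as an added worked example that is not the project's own code. It is plain TypeScript rather than a Nest guard so it runs without @nestjs/common: the session and plan shapes, the role and tier names, the capability matrix (PLAN_GRANTS, ROLE_ALLOWS) and the function names are all assumptions made for illustration. The point it demonstrates is that a capability is only present in the resolved AccessContext when both the role and the plan allow it, that users.manage is role-gated rather than plan-gated, that the /users/:id/capabilities check layers role=ADMIN on top of the capability, and that every decision is taken on server-resolved state, never on anything the client sends.

```typescript
type Role = "ADMIN" | "MEMBER" | "VIEWER";
type SubscriptionTier = "FREE" | "PRO";

// Assumed shape of the session platform-auth-service resolves for a request.
interface AuthSession { subjectId: string; tenantId: string; role: Role; }
// Assumed shape of the plan status platform-payments-service returns.
interface PlanStatus { tier: SubscriptionTier; active: boolean; }

// The access object returned by /api/auth/me, login and register.
interface AccessContext {
  subjectId: string;
  tenantId: string;
  role: Role;
  subscriptionTier: SubscriptionTier;
  capabilities: readonly string[];
  isAdmin: boolean;
}

// Stand-in for Nest's ForbiddenException (HTTP 403), to avoid the import.
class ForbiddenException extends Error {
  readonly status = 403;
  constructor(message: string) { super(message); this.name = "ForbiddenException"; }
}

// Illustrative capability matrix (assumption, not the product's real one).
const PLAN_GRANTS: Record<SubscriptionTier, readonly string[]> = {
  FREE: ["transactions.read", "transactions.write", "agenda.read"],
  PRO: ["transactions.read", "transactions.write", "agenda.read",
        "import_export", "sharing", "series.manage", "investments.manage",
        "simulation", "pay_yourself_first"],
};
const ROLE_ALLOWS: Record<Role, readonly string[]> = {
  VIEWER: ["transactions.read", "agenda.read"],
  MEMBER: [...PLAN_GRANTS.PRO],
  ADMIN: [...PLAN_GRANTS.PRO, "users.manage"],
};
// Capabilities gated by role only; the plan tier has no say over them.
const ROLE_ONLY: ReadonlySet<string> = new Set(["users.manage"]);

// Build the AccessContext from the two upstream answers.
function resolveAccessContext(session: AuthSession, plan: PlanStatus): AccessContext {
  // A lapsed subscription is treated as FREE so a stale PRO tier grants nothing (assumption).
  const tier: SubscriptionTier = plan.active ? plan.tier : "FREE";
  const granted = new Set<string>([...PLAN_GRANTS[tier], ...ROLE_ONLY]);
  // Final capability = the role allows it AND (the plan grants it OR it is role-only).
  const capabilities = ROLE_ALLOWS[session.role].filter((c) => granted.has(c));
  return {
    subjectId: session.subjectId,
    tenantId: session.tenantId,
    role: session.role,
    subscriptionTier: tier,
    capabilities,
    isAdmin: session.role === "ADMIN",
  };
}

// What a capability guard does on a sensitive route: deny with 403 unless the
// server-resolved context carries the capability. Client claims are never consulted.
function assertCapability(ctx: AccessContext, required: string): true {
  if (!ctx.capabilities.includes(required)) {
    throw new ForbiddenException(`missing capability ${required}`);
  }
  return true;
}

// GET/PATCH /api/users/:id/capabilities: users.manage plus role=ADMIN on the actor.
function assertCanManageUserCapabilities(ctx: AccessContext): true {
  assertCapability(ctx, "users.manage");
  if (!ctx.isAdmin) throw new ForbiddenException("actor must have role=ADMIN");
  return true;
}

// Map a guard decision to the HTTP status the client would observe.
function guardStatus(ctx: AccessContext, required: string): 200 | 403 {
  try {
    assertCapability(ctx, required);
    return 200;
  } catch (e) {
    if (e instanceof ForbiddenException) return e.status;
    throw e;
  }
}

// Constructed sample: a MEMBER on an active FREE plan asking for import/export.
const sampleCtx = resolveAccessContext(
  { subjectId: "sub-1", tenantId: "tenant-1", role: "MEMBER" },
  { tier: "FREE", active: true },
);
console.log("import_export for FREE member ->", guardStatus(sampleCtx, "import_export"));
```

The frontend capability filter mentioned in the notes can hide a button, but only a check like assertCapability, run on the resolved context inside the request pipeline, is the boundary: a caller who bypasses the UI and hits the route directly still gets 403.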

Workspace reference: /Users/jeanpaul/projects/cs-repository