@boarteam/boar-pack-users-backend 4.1.2

package/package.json

@@ -0,0 +1,60 @@
+{
+  "name": "@boarteam/boar-pack-users-backend",
+  "version": "4.1.2",
+  "description": "NestJS Users module including permissions system, authentication strategies etc",
+  "main": "src/index",
+  "files": [
+    "src"
+  ],
+  "repository": "git@github.com:boarteam/boar-pack.git",
+  "author": "Andrew Balakirev <balakirev.andrey@gmail.com>",
+  "license": "MIT",
+  "publishConfig": {
+    "registry": "https://registry.npmjs.org/",
+    "access": "public"
+  },
+  "peerDependencies": {
+    "@nestjs/common": "^9.0.0",
+    "@nestjs/config": "^3.0.0",
+    "@nestjs/typeorm": "^10.0.0",
+    "@nestjsx/crud-typeorm": "^5.0.0-alpha.3",
+    "passport-google-oauth20": "^2.0.0",
+    "typeorm": "^0.3.0"
+  },
+  "dependencies": {
+    "@boarteam/boar-pack-common-backend": "^2.1.3",
+    "@casl/ability": "^6.7.0",
+    "@nestjs/common": "^9.0.0",
+    "@nestjs/config": "^3.2.0",
+    "@nestjs/core": "^9.0.0",
+    "@nestjs/jwt": "^10.2.0",
+    "@nestjs/passport": "^10.0.3",
+    "@nestjs/swagger": "^7.3.0",
+    "@nestjs/typeorm": "^10.0.2",
+    "@nestjsx/crud-typeorm": "^5.0.0-alpha.3",
+    "bcrypt": "^5.1.1",
+    "joi": "^17.12.2",
+    "lodash": "^4.17.21",
+    "moment": "^2.30.1",
+    "moment-timezone": "^0.5.45",
+    "nestjs-joi": "^1.10.0",
+    "passport": "^0.7.0",
+    "passport-jwt": "^4.0.1",
+    "passport-local": "^1.0.0",
+    "typeorm": "^0.3.20",
+    "ws": "^8.16.0"
+  },
+  "devDependencies": {
+    "@types/passport-google-oauth20": "^2.0.14",
+    "@types/passport-jwt": "^4.0.1",
+    "@types/passport-local": "^1.0.38",
+    "@types/ws": "^8.5.10",
+    "passport-azure-ad-oauth2": "^0.0.4",
+    "passport-google-oauth20": "^2.0.0"
+  },
+  "scripts": {
+    "yalc:push": "yalc push",
+    "gen-types": "JWT_SECRET=swagger nest start"
+  },
+  "gitHead": "392553082a2f9f0124d05eaa11d0cdb6079766e1"
+}

package/src/auth/auth-manage.controller.ts

@@ -0,0 +1,36 @@
+import { Controller, NotFoundException, Param, Post, Req, Res, } from '@nestjs/common';
+import { AuthService } from './auth.service';
+import { tokenName } from './auth.constants';
+import { ApiTags } from '@nestjs/swagger';
+import type { Request, Response } from 'express';
+import { LocalAuthTokenDto } from "./local-auth.dto";
+import { CheckPolicies, ManageAllPolicy } from "../casl";
+import { UsersService } from "../users";
+
+@ApiTags('Authentication')
+@CheckPolicies(new ManageAllPolicy())
+@Controller('auth-manage')
+export default class AuthManageController {
+  constructor(
+    private readonly authService: AuthService,
+    private readonly usersService: UsersService,
+  ) {}
+
+  @Post('login-as-user/:userId')
+  async loginAsUser(
+    @Req() req: Request,
+    @Res({ passthrough: true }) res: Response,
+    @Param('userId') userId: string,
+  ): Promise<LocalAuthTokenDto> {
+    const user = await this.usersService.findOne({
+      where: { id: userId },
+    });
+    if (!user) {
+      throw new NotFoundException(`User with id ${userId} is not found`);
+    }
+
+    const loginResult = await this.authService.login(user);
+    res.cookie(tokenName, loginResult.accessToken);
+    return loginResult;
+  }
+}

package/src/auth/auth-strategies.constants.ts

@@ -0,0 +1,4 @@
+export const LOCAL_AUTH = 'local';
+export const JWT_AUTH = 'jwt';
+export const GOOGLE_AUTH = 'google';
+export const MS_AUTH = 'azure-ad';

package/src/auth/auth.constants.ts

@@ -0,0 +1 @@
+export const tokenName = 'auth_token';

package/src/auth/auth.controller.ts

@@ -0,0 +1,83 @@
+import { Body, Controller, Get, Post, Req, Res, UnauthorizedException, UseFilters, UseGuards, } from '@nestjs/common';
+import { LocalAuthGuard } from './local-auth.guard';
+import { AuthService } from './auth.service';
+import { tokenName } from './auth.constants';
+import { SkipJWTGuard } from '../jwt-auth/jwt-auth.guard';
+import { SkipPoliciesGuard } from '../casl/policies.guard';
+import { GoogleAuthGuard } from './google-auth.guard';
+import { AuthExceptionFilter } from './google-auth.filter';
+import { ApiExtraModels, ApiTags } from '@nestjs/swagger';
+import type { Request, Response } from 'express';
+import { LocalAuthLoginDto, LocalAuthTokenDto } from "./local-auth.dto";
+import { MSAuthGuard } from "./ms-auth.guard";
+
+@SkipJWTGuard()
+@SkipPoliciesGuard()
+@ApiTags('Authentication')
+@ApiExtraModels(LocalAuthTokenDto)
+@Controller('auth')
+export default class AuthController {
+  constructor(private authService: AuthService) {}
+
+  @UseGuards(LocalAuthGuard)
+  @Post('login')
+  async login(
+    @Req() req: Request,
+    @Res({ passthrough: true }) res: Response,
+    @Body() body: LocalAuthLoginDto,
+  ): Promise<LocalAuthTokenDto> {
+    if (!req.user) {
+      throw new UnauthorizedException(`User is not authorized`);
+    }
+    const loginResult = await this.authService.login(req.user);
+    res.cookie(tokenName, loginResult.accessToken);
+    return loginResult;
+  }
+
+  @UseGuards(GoogleAuthGuard)
+  @Get('google')
+  async loginGoogle() {}
+
+  @UseGuards(GoogleAuthGuard)
+  @UseFilters(AuthExceptionFilter)
+  @Get('google/callback')
+  async loginGoogleCallback(
+    @Req() req: Request,
+    @Res({ passthrough: true }) res: Response,
+  ) {
+    if (!req.user) {
+      throw new UnauthorizedException(`User is not authorized`);
+    }
+
+    const loginResult = await this.authService.login(req.user);
+    res.cookie(tokenName, loginResult.accessToken);
+    res.redirect('/');
+  }
+
+  @UseGuards(MSAuthGuard)
+  @Get('ms')
+  async loginMS() {}
+
+  @UseGuards(MSAuthGuard)
+  @UseFilters(AuthExceptionFilter)
+  @Get('ms/callback')
+  async loginMSCallback(
+    @Req() req: Request,
+    @Res({ passthrough: true }) res: Response,
+  ) {
+    if (!req.user) {
+      throw new UnauthorizedException(`User is not authorized`);
+    }
+
+    const loginResult = await this.authService.login(req.user);
+    res.cookie(tokenName, loginResult.accessToken);
+    res.redirect('/');
+  }
+
+  @Post('logout')
+  async logout(
+    @Res({ passthrough: true }) res: Response,
+  ) {
+    res.cookie(tokenName, '');
+  }
+}

package/src/auth/auth.module.ts

@@ -0,0 +1,98 @@
+import { DynamicModule, Module } from '@nestjs/common';
+import { AuthService } from './auth.service';
+import { UsersModule } from '../users/users.module';
+import { LocalAuthStrategy } from './local-auth.strategy';
+import { PassportModule } from '@nestjs/passport';
+import AuthController from './auth.controller';
+import { ConfigModule } from '@nestjs/config';
+import { GoogleAuthStrategy } from './google-auth.strategy';
+import { GoogleAuthConfigService } from "./google-auth.config";
+import { MSAuthStrategy } from './ms-auth.strategy';
+import { MSAuthConfigService } from "./ms-auth.config";
+import { JwtAuthModule } from "../jwt-auth/jwt-auth.module";
+import { APP_GUARD } from "@nestjs/core";
+import { JwtAuthGuard } from "../jwt-auth/jwt-auth.guard";
+import AuthManageController from "./auth-manage.controller";
+
+@Module({})
+export class AuthModule {
+  static forRoot(config: {
+    googleAuth: boolean,
+    msAuth: boolean,
+    localAuth: boolean,
+    withControllers: boolean,
+    dataSourceName?: string;
+  }): DynamicModule {
+    const dynamicModule: DynamicModule = {
+      module: AuthModule,
+      imports: [
+        ConfigModule,
+        UsersModule.register({
+          withControllers: false,
+          dataSourceName: config.dataSourceName,
+        }),
+        PassportModule,
+        JwtAuthModule.register({
+          dataSourceName: config.dataSourceName,
+        }),
+      ],
+      providers: [
+        AuthService,
+        {
+          provide: APP_GUARD,
+          useClass: JwtAuthGuard,
+        },
+      ],
+      controllers: [],
+      exports: [],
+    };
+
+    if (config.googleAuth) {
+      dynamicModule.providers!.push(GoogleAuthConfigService, GoogleAuthStrategy);
+    }
+
+    if (config.msAuth) {
+      dynamicModule.providers!.push(MSAuthConfigService, MSAuthStrategy);
+    }
+
+    if (config.localAuth) {
+      dynamicModule.providers!.push(LocalAuthStrategy);
+    }
+
+    if (config.withControllers) {
+      dynamicModule.controllers = [
+        AuthController,
+        AuthManageController,
+      ];
+    }
+
+    return dynamicModule;
+  }
+
+  static forFeature(config: {
+    dataSourceName?: string;
+  }): DynamicModule {
+    return {
+      module: AuthModule,
+      imports: [
+        ConfigModule,
+        UsersModule.register({
+          withControllers: false,
+          dataSourceName: config.dataSourceName,
+        }),
+        JwtAuthModule.register({
+          dataSourceName: config.dataSourceName,
+        }),
+      ],
+      providers: [
+        AuthService,
+        {
+          provide: APP_GUARD,
+          useClass: JwtAuthGuard,
+        },
+      ],
+      controllers: [],
+      exports: [],
+    };
+  }
+}

package/src/auth/auth.service.ts

@@ -0,0 +1,55 @@
+import { Injectable, Logger } from '@nestjs/common';
+import { TUser, UsersService } from '../users';
+import { JWTAuthService, TJWTPayload } from '../jwt-auth';
+import bcrypt from 'bcrypt';
+import { LocalAuthTokenDto } from "./local-auth.dto";
+
+declare global {
+  namespace Express {
+    interface User extends TUser {}
+  }
+}
+
+@Injectable()
+export class AuthService {
+  private readonly logger = new Logger(AuthService.name);
+
+  constructor(
+    private usersService: UsersService,
+    private jwtAuthService: JWTAuthService,
+  ) {}
+
+  async validateUser(email: string, pass: string): Promise<TUser | null> {
+    const user = await this.usersService.findByEmail(email);
+    if (!user?.pass) {
+      return null;
+    }
+
+    if (user && (await bcrypt.compare(pass, user.pass))) {
+      const { pass, ...result } = user;
+      return result;
+    }
+    return null;
+  }
+
+  async validateUserByEmail(email?: string): Promise<TUser | null> {
+    if (!email) {
+      this.logger.error('Email is not provided to validateUserByEmail');
+      return null;
+    }
+
+    const user = await this.usersService.findByEmail(email);
+    if (user) {
+      const { pass, ...result } = user;
+      return result;
+    }
+    return null;
+  }
+
+  async login(user: Pick<TUser, 'email' | 'id'>): Promise<LocalAuthTokenDto> {
+    const payload: TJWTPayload = { email: user.email, sub: user.id };
+    return {
+      accessToken: this.jwtAuthService.sign(payload),
+    };
+  }
+}

package/src/auth/google-auth.config.ts

@@ -0,0 +1,38 @@
+import { Injectable } from '@nestjs/common';
+import { ConfigService } from '@nestjs/config';
+
+export type TGoogleAuthConfig = {
+  clientId: string;
+  clientSecret: string;
+  callbackURL: string;
+};
+
+@Injectable()
+export class GoogleAuthConfigService {
+  constructor(private configService: ConfigService) {
+  }
+
+  get config(): TGoogleAuthConfig {
+    const clientId = this.configService.get<string>('GOOGLE_CLIENT_ID');
+    const clientSecret = this.configService.get<string>('GOOGLE_SECRET_ID');
+    const callbackURL = this.configService.get<string>('GOOGLE_CALLBACK_URL');
+
+    if (!clientId) {
+      throw new Error('GOOGLE_CLIENT_ID is not defined');
+    }
+
+    if (!clientSecret) {
+      throw new Error('GOOGLE_SECRET_ID is not defined');
+    }
+
+    if (!callbackURL) {
+      throw new Error('GOOGLE_CALLBACK_URL is not defined');
+    }
+
+    return {
+      clientId,
+      clientSecret,
+      callbackURL,
+    };
+  }
+}

package/src/auth/google-auth.filter.ts

@@ -0,0 +1,15 @@
+import { ArgumentsHost, Catch, ExceptionFilter } from '@nestjs/common';
+import { HttpException } from '@nestjs/common/exceptions/http.exception';
+
+@Catch(HttpException)
+export class AuthExceptionFilter implements ExceptionFilter {
+  catch(exception: HttpException, host: ArgumentsHost) {
+    const ctx = host.switchToHttp();
+    const response = ctx.getResponse();
+    const status = exception.getStatus();
+
+    response
+      .status(status)
+      .redirect('/user/login?error=' + encodeURIComponent(exception.message));
+  }
+}

package/src/auth/google-auth.guard.ts

@@ -0,0 +1,6 @@
+import { Injectable } from '@nestjs/common';
+import { AuthGuard } from '@nestjs/passport';
+import { GOOGLE_AUTH } from './auth-strategies.constants';
+
+@Injectable()
+export class GoogleAuthGuard extends AuthGuard(GOOGLE_AUTH) {}

package/src/auth/google-auth.strategy.ts

@@ -0,0 +1,59 @@
+import { Strategy, VerifyCallback } from 'passport-google-oauth20';
+import { PassportStrategy } from '@nestjs/passport';
+import {
+  Injectable,
+  InternalServerErrorException,
+  Logger,
+  UnauthorizedException,
+} from '@nestjs/common';
+import { AuthService } from './auth.service';
+import { GOOGLE_AUTH } from './auth-strategies.constants';
+import { GoogleAuthConfigService } from "./google-auth.config";
+
+@Injectable()
+export class GoogleAuthStrategy extends PassportStrategy(
+  Strategy,
+  GOOGLE_AUTH,
+) {
+  private readonly logger = new Logger(GoogleAuthStrategy.name);
+
+  constructor(
+    private authService: AuthService,
+    private googleAuthConfigService: GoogleAuthConfigService,
+  ) {
+    const config = googleAuthConfigService.config;
+    super({
+      clientID: config.clientId,
+      clientSecret: config.clientSecret,
+      callbackURL: config.callbackURL,
+      scope: ['email', 'profile'],
+    });
+  }
+
+  async validate(
+    accessToken: string,
+    refreshToken: string,
+    profile: { emails: { value: string; verified: boolean }[] },
+    callback: VerifyCallback,
+  ): Promise<any> {
+    try {
+      const user = await this.authService.validateUserByEmail(
+        profile.emails[0].value,
+      );
+
+      if (!user) {
+        callback(new UnauthorizedException('User is not found'));
+        return;
+      }
+
+      callback(null, user);
+    } catch (e) {
+      this.logger.error(e, e.stack);
+      callback(
+        new InternalServerErrorException(
+          'Impossible to log in user via google',
+        ),
+      );
+    }
+  }
+}

package/src/auth/index.ts

@@ -0,0 +1,15 @@
+export * from './auth.constants';
+export * from './auth.controller';
+export * from './auth.module';
+export * from './auth.service';
+export * from './auth-strategies.constants';
+export * from './google-auth.config';
+export * from './google-auth.filter';
+export * from './google-auth.guard';
+export * from './google-auth.strategy';
+export * from './local-auth.dto';
+export * from './local-auth.guard';
+export * from './local-auth.strategy';
+export * from './ms-auth.config';
+export * from './ms-auth.guard';
+export * from './ms-auth.strategy';

package/src/auth/local-auth.dto.ts

@@ -0,0 +1,8 @@
+export class LocalAuthLoginDto {
+  email: string;
+  password: string;
+}
+
+export class LocalAuthTokenDto {
+  accessToken: string;
+}

package/src/auth/local-auth.guard.ts

@@ -0,0 +1,6 @@
+import { Injectable } from '@nestjs/common';
+import { AuthGuard } from '@nestjs/passport';
+import { LOCAL_AUTH } from './auth-strategies.constants';
+
+@Injectable()
+export class LocalAuthGuard extends AuthGuard(LOCAL_AUTH) {}

package/src/auth/local-auth.strategy.ts

@@ -0,0 +1,21 @@
+import { Strategy } from 'passport-local';
+import { PassportStrategy } from '@nestjs/passport';
+import { Injectable, UnauthorizedException } from '@nestjs/common';
+import { AuthService } from './auth.service';
+import { TUser } from '../users';
+import { LOCAL_AUTH } from './auth-strategies.constants';
+
+@Injectable()
+export class LocalAuthStrategy extends PassportStrategy(Strategy, LOCAL_AUTH) {
+  constructor(private authService: AuthService) {
+    super({ usernameField: 'email' });
+  }
+
+  async validate(email: string, password: string): Promise<TUser> {
+    const user = await this.authService.validateUser(email.trim().toLowerCase(), password);
+    if (!user) {
+      throw new UnauthorizedException();
+    }
+    return user;
+  }
+}

package/src/auth/ms-auth.config.ts

@@ -0,0 +1,45 @@
+import { Injectable } from '@nestjs/common';
+import { ConfigService } from '@nestjs/config';
+
+export type TMSAuthConfig = {
+  clientId: string;
+  tenantId: string;
+  clientSecret: string;
+  callbackURL: string;
+};
+
+@Injectable()
+export class MSAuthConfigService {
+  constructor(private configService: ConfigService) {
+  }
+
+  get config(): TMSAuthConfig {
+    const clientId = this.configService.get<string>('MICROSOFT_CLIENT_ID');
+    const tenantId = this.configService.get<string>('MICROSOFT_TENANT_ID');
+    const clientSecret = this.configService.get<string>('MICROSOFT_SECRET_ID');
+    const callbackURL = this.configService.get<string>('MICROSOFT_CALLBACK_URL');
+
+    if (!clientId) {
+      throw new Error('MICROSOFT_CLIENT_ID is not defined');
+    }
+
+    if (!tenantId) {
+      throw new Error('MICROSOFT_TENANT_ID is not defined');
+    }
+
+    if (!clientSecret) {
+      throw new Error('MICROSOFT_SECRET_ID is not defined');
+    }
+
+    if (!callbackURL) {
+      throw new Error('MICROSOFT_CALLBACK_URL is not defined');
+    }
+
+    return {
+      clientId,
+      tenantId,
+      clientSecret,
+      callbackURL,
+    };
+  }
+}

package/src/auth/ms-auth.guard.ts

@@ -0,0 +1,8 @@
+import { Injectable } from '@nestjs/common';
+import { AuthGuard } from '@nestjs/passport';
+import { MS_AUTH } from './auth-strategies.constants';
+
+@Injectable()
+export class MSAuthGuard extends AuthGuard(MS_AUTH) {
+
+}

package/src/auth/ms-auth.strategy.ts

@@ -0,0 +1,63 @@
+import { PassportStrategy } from '@nestjs/passport';
+import { Injectable, InternalServerErrorException, Logger, UnauthorizedException, } from '@nestjs/common';
+import { AuthService } from './auth.service';
+import { MS_AUTH } from './auth-strategies.constants';
+import { MSAuthConfigService } from "./ms-auth.config";
+import { JWTAuthService } from "../jwt-auth/jwt-auth.service";
+
+// @ts-ignore-next-line There are no types for this package
+import { Strategy, VerifyCallback } from 'passport-azure-ad-oauth2';
+
+@Injectable()
+export class MSAuthStrategy extends PassportStrategy(
+  Strategy,
+  MS_AUTH,
+) {
+  private readonly logger = new Logger(MSAuthStrategy.name);
+
+  constructor(
+    private authService: AuthService,
+    private msAuthConfigService: MSAuthConfigService,
+    private jwtAuthService: JWTAuthService,
+  ) {
+    const config = msAuthConfigService.config;
+    super({
+      clientID: config.clientId,
+      clientSecret: config.clientSecret,
+      callbackURL: config.callbackURL,
+      tenant: config.tenantId,
+    });
+  }
+
+  async validate(
+    accessToken: string,
+    refreshToken: string,
+    profile: any,
+    callback: VerifyCallback,
+  ): Promise<any> {
+    this.logger.debug(`accessToken: ${accessToken}`);
+    this.logger.debug(`refreshToken: ${refreshToken}`);
+    this.logger.debug(`profile: ${JSON.stringify(profile)}`);
+    const token = this.jwtAuthService.decode<{ email?: string, upn?: string }>(accessToken);
+    this.logger.debug(`token: ${JSON.stringify(token)}`);
+    try {
+      const user = await this.authService.validateUserByEmail(
+        token.email || token.upn,
+      );
+
+      if (!user) {
+        callback(new UnauthorizedException('User is not found'));
+        return;
+      }
+
+      callback(null, user);
+    } catch (e) {
+      this.logger.error(e, e.stack);
+      callback(
+        new InternalServerErrorException(
+          'Impossible to log in user via ms',
+        ),
+      );
+    }
+  }
+}

package/src/casl/action.enum.ts

@@ -0,0 +1,7 @@
+export enum Action {
+  Manage = 'manage',
+  Create = 'create',
+  Read = 'read',
+  Update = 'update',
+  Delete = 'delete',
+}