@boarteam/boar-pack-users-backend 4.1.2

package/src/jwt-auth/jwt-auth.srtategy.ts

@@ -0,0 +1,54 @@
+import { ExtractJwt, Strategy } from 'passport-jwt';
+import { PassportStrategy } from '@nestjs/passport';
+import { Injectable, UnauthorizedException } from '@nestjs/common';
+import { JWTAuthConfigService } from './jwt-auth.config';
+import { Request } from 'express';
+import { JWT_AUTH, tokenName } from '../auth';
+import { UsersService } from '../users';
+
+export type TJWTPayload = {
+  email: string;
+  sub: string;
+};
+
+@Injectable()
+export class JwtAuthStrategy extends PassportStrategy(Strategy, JWT_AUTH) {
+  constructor(
+    private usersService: UsersService,
+    private jwtAuthConfigService: JWTAuthConfigService,
+  ) {
+    super({
+      jwtFromRequest: ExtractJwt.fromExtractors([
+        (req: Request) => {
+          const cookies = req.headers.cookie?.split('; ');
+          if (!cookies) {
+            return null;
+          }
+
+          const cookie = cookies.find(c => c.startsWith(`${tokenName}=`));
+          if (!cookie) {
+            return null;
+          }
+
+          return cookie.split('=')[1];
+        },
+      ]),
+      ignoreExpiration: false,
+      secretOrKey: jwtAuthConfigService.config.jwtSecret,
+    });
+  }
+
+  async validate(payload: TJWTPayload) {
+    const userId = payload.sub;
+    const user = await this.usersService.findOne({
+      select: ['id', 'email', 'role', 'permissions'],
+      where: { id: userId },
+    });
+
+    if (!user) {
+      throw new UnauthorizedException();
+    }
+
+    return user;
+  }
+}

package/src/users/bcrypt.service.ts

@@ -0,0 +1,20 @@
+import { Injectable } from "@nestjs/common";
+import { TUsersConfig, UsersConfigService } from "./users.config";
+import bcrypt from "bcrypt";
+
+@Injectable()
+export class BcryptService {
+  private config: TUsersConfig;
+
+  constructor(
+    private usersConfig: UsersConfigService,
+  ) {
+    this.config = this.usersConfig.config;
+  }
+
+  hashPassword(password: string): Promise<string> {
+    return bcrypt.hash(password, this.config.saltRounds);
+  }
+}
+
+export default BcryptService;

package/src/users/dto/permission.dto.ts

@@ -0,0 +1,5 @@
+import { Permission } from "../entities/permissions";
+
+export class PermissionDto {
+  permissions: Permission[];
+}

package/src/users/dto/user-create.dto.ts

@@ -0,0 +1,37 @@
+import Joi from "joi";
+import { JoiSchema } from 'nestjs-joi';
+import { Roles } from '../entities/user.entity';
+import { Permission, Permissions } from "../entities/permissions";
+
+export class UserCreateDto {
+  @JoiSchema(Joi.string().required())
+  name: string;
+
+  @JoiSchema(Joi.string().trim().lowercase().email().required())
+  email: string;
+
+  @JoiSchema(
+    Joi.string()
+      .optional()
+      .valid(...Object.values(Roles)),
+  )
+  role?: Roles;
+
+  @JoiSchema(Joi.string().optional().allow(null))
+  pass?: string | null;
+
+  @JoiSchema(
+    Joi.array().items(
+      Joi.string()
+    ).optional().default([]).custom((value: string[], helpers) => {
+      value.forEach((permission) => {
+        if (!Permissions.isValidPermission(permission as Permission)) {
+          helpers.error('any.invalid');
+        }
+      });
+
+      return value;
+    })
+  )
+  permissions?: Permission[];
+}

package/src/users/dto/user-update.dto.ts

@@ -0,0 +1,37 @@
+import Joi from "joi";
+import { JoiSchema } from 'nestjs-joi';
+import { Roles } from '../entities/user.entity';
+import { Permission, Permissions } from "../entities/permissions";
+
+export class UserUpdateDto {
+  @JoiSchema(Joi.string().optional())
+  name?: string;
+
+  @JoiSchema(Joi.string().trim().lowercase().email().optional())
+  email?: string;
+
+  @JoiSchema(
+    Joi.string()
+      .optional()
+      .valid(...Object.values(Roles)),
+  )
+  role?: Roles;
+
+  @JoiSchema(Joi.string().optional().allow(null))
+  pass?: string | null;
+
+  @JoiSchema(
+    Joi.array().items(
+      Joi.string()
+    ).optional().custom((value: string[], helpers) => {
+      value.forEach((permission) => {
+        if (!Permissions.isValidPermission(permission as Permission)) {
+          helpers.error('any.invalid');
+        }
+      });
+
+      return value;
+    })
+  )
+  permissions?: Permission[];
+}

package/src/users/entities/permissions.ts

@@ -0,0 +1,23 @@
+import { VIEW_USERS } from "../users.constants";
+
+export interface IPermissions {
+  VIEW_USERS: typeof VIEW_USERS;
+}
+
+export type Permission = string; // todo: fix and use IPermissions[keyof IPermissions];
+
+export class Permissions {
+  private static values: Set<Permission> = new Set;
+
+  public static isValidPermission(permission: string): boolean {
+    return this.values.has(permission as Permission);
+  }
+
+  public static addPermission(permission: Permission): void {
+    this.values.add(permission);
+  }
+
+  public static toArray(): Permission[] {
+    return Array.from(this.values);
+  }
+}

package/src/users/entities/user.entity.ts

@@ -0,0 +1,53 @@
+import { Column, CreateDateColumn, Entity, PrimaryGeneratedColumn, Unique, UpdateDateColumn, } from 'typeorm';
+import { SubjectRawRule } from '@casl/ability';
+import { PackRule } from '@casl/ability/extra';
+import { Action, AppAbility, TSubjectsNames } from '../../casl';
+import { Permission } from './permissions';
+
+export enum Roles {
+  ADMIN = 'admin',
+  USER = 'user',
+}
+
+export const EMAIL_UNIQUE_CONSTRAINT = 'UQ_users_email';
+
+export type TUser = Omit<User, 'pass'> & {
+  ability?: AppAbility;
+};
+
+@Entity('users')
+@Unique(EMAIL_UNIQUE_CONSTRAINT, ['email'])
+export class User {
+  @PrimaryGeneratedColumn('uuid')
+  id: string;
+
+  @Column()
+  name: string;
+
+  @Column()
+  email: string;
+
+  @Column({
+    enum: Roles,
+    default: Roles.USER,
+  })
+  role: Roles;
+
+  @Column({ type: 'varchar', nullable: true })
+  pass: string | null;
+
+  @Column({
+    type: 'varchar',
+    array: true,
+    default: [],
+  })
+  permissions: Permission[];
+
+  @CreateDateColumn({ name: 'created_at' })
+  createdAt: Date;
+
+  @UpdateDateColumn({ name: 'updated_at' })
+  updatedAt: Date;
+
+  policies: PackRule<SubjectRawRule<Action, TSubjectsNames, unknown>>[];
+}

package/src/users/hash-password.interceptor.ts

@@ -0,0 +1,22 @@
+import { CallHandler, ExecutionContext, Injectable, NestInterceptor } from '@nestjs/common';
+import BcryptService from "./bcrypt.service";
+
+@Injectable()
+export class HashPasswordInterceptor implements NestInterceptor {
+  constructor(
+    private bcryptService: BcryptService,
+  ) {}
+
+  async intercept(
+    context: ExecutionContext,
+    next: CallHandler,
+  ) {
+    const request = context.switchToHttp().getRequest();
+
+    if (request.body?.pass) {
+      request.body.pass = await this.bcryptService.hashPassword(request.body.pass);
+    }
+
+    return next.handle();
+  }
+}

package/src/users/index.ts

@@ -0,0 +1,15 @@
+export * from './dto/permission.dto';
+export * from './dto/user-create.dto';
+export * from './dto/user-update.dto';
+export * from './entities/permissions';
+export * from './entities/user.entity';
+export * from './policies/view-users.policy';
+export * from './bcrypt.service';
+export * from './hash-password.interceptor';
+export * from './me.controller';
+export * from './users.config';
+export * from './users.constants';
+export * from './users.controller';
+export * from './users.module';
+export * from './users.service';
+export * from './users-editing.guard';

package/src/users/me.controller.ts

@@ -0,0 +1,57 @@
+import { Crud, CrudAuth, CrudController, type CrudRequest, Override, ParsedRequest, } from '@nestjsx/crud';
+import { TUser, User } from './entities/user.entity';
+import { Controller, Req } from '@nestjs/common';
+import type { Request } from 'express';
+import { UsersService } from './users.service';
+import { CaslAbilityFactory } from '../casl/casl-ability.factory';
+import { SkipPoliciesGuard } from '../casl/policies.guard';
+import { ApiTags } from '@nestjs/swagger';
+
+@Crud({
+  model: {
+    type: User,
+  },
+  routes: {
+    only: ['getOneBase'],
+  },
+  params: {
+    id: {
+      primary: true,
+      disabled: true,
+    },
+  },
+  query: {
+    exclude: ['pass'],
+  },
+})
+@CrudAuth({
+  property: 'user',
+  filter: (user: TUser) => ({
+    id: user.id,
+  }),
+})
+@SkipPoliciesGuard()
+@ApiTags('Users')
+@Controller('me')
+export class MeController implements CrudController<User> {
+  constructor(
+    public service: UsersService,
+    private caslAbilityFactory: CaslAbilityFactory,
+  ) {}
+
+  get base(): CrudController<User> {
+    return this;
+  }
+
+  @Override()
+  async getOne(
+    @ParsedRequest() req: CrudRequest,
+    @Req() originReq: Request,
+  ): Promise<User> {
+    const user = await this.base.getOneBase!(req);
+    const ability = await this.caslAbilityFactory.createForUser(user);
+    user.policies = this.caslAbilityFactory.packAbility(ability);
+
+    return user;
+  }
+}

package/src/users/policies/view-users.policy.ts

@@ -0,0 +1,10 @@
+import { IPolicyHandler } from "../../casl/policies.guard";
+import { AppAbility } from "../../casl/casl-ability.factory";
+import { Action } from "../../casl/action.enum";
+import { User } from "../entities/user.entity";
+
+export class ViewUsersPolicy implements IPolicyHandler {
+  handle(ability: AppAbility) {
+    return ability.can(Action.Read, User);
+  }
+}

package/src/users/users-editing.guard.ts

@@ -0,0 +1,60 @@
+import {
+  CanActivate,
+  ExecutionContext,
+  ForbiddenException,
+  Injectable,
+  InternalServerErrorException,
+  Logger,
+} from '@nestjs/common';
+import { Request } from 'express';
+import { getAction } from "@nestjsx/crud";
+import { isEqual } from 'lodash';
+
+@Injectable()
+export class UsersEditingGuard implements CanActivate {
+  private readonly logger = new Logger(UsersEditingGuard.name);
+
+  async canActivate(context: ExecutionContext): Promise<boolean> {
+    const request = context.switchToHttp().getRequest<Request>();
+    const user = request.user;
+
+    if (!user) {
+      this.logger.warn(`User not found in users editing guard`);
+      throw new InternalServerErrorException(`User not found in users editing guard`);
+    }
+
+    const editingUserId = request.params['id'];
+    switch (getAction(context.getHandler())) {
+      case 'Update-One':
+        if (editingUserId === user.id) {
+          const newRole = request.body['role'];
+          if (newRole !== user.role && newRole !== undefined) {
+            this.logger.warn(`User can't change his role`);
+            throw new ForbiddenException(`User can't change his role`);
+          }
+
+          const newEmail = request.body['email'];
+          if (newEmail !== user.email && newEmail !== undefined) {
+            this.logger.warn(`User can't change his email`);
+            throw new ForbiddenException(`User can't change his email`);
+          }
+
+          const newPermissions = request.body['permissions'];
+          if (!isEqual(newPermissions, user.permissions) && newPermissions !== undefined) {
+            this.logger.warn(`User can't change his permissions`);
+            throw new ForbiddenException(`User can't change his permissions`);
+          }
+        }
+        break;
+
+      case 'Delete-One':
+        if (editingUserId === user.id) {
+          this.logger.warn(`User can't delete himself`);
+          throw new ForbiddenException(`User can't delete himself`);
+        }
+        break;
+    }
+
+    return true;
+  }
+}

package/src/users/users.config.ts

@@ -0,0 +1,24 @@
+import { Injectable } from '@nestjs/common';
+import { ConfigService } from '@nestjs/config';
+
+export type TUsersConfig = {
+  saltRounds: number;
+};
+
+@Injectable()
+export class UsersConfigService {
+  constructor(private configService: ConfigService) {
+  }
+
+  get config(): TUsersConfig {
+    const saltRounds = Number.parseInt(this.configService.get<string>('BCRYPT_SALT_ROUNDS', ''), 10);
+
+    if (!Number.isInteger(saltRounds)) {
+      throw new Error('BCRYPT_SALT_ROUNDS is not defined, set it as integer');
+    }
+
+    return {
+      saltRounds,
+    };
+  }
+}

package/src/users/users.constants.ts

@@ -0,0 +1 @@
+export const VIEW_USERS = 'view_users';

package/src/users/users.controller.ts

@@ -0,0 +1,73 @@
+import { Controller, UseFilters, UseGuards } from '@nestjs/common';
+import { UsersService } from './users.service';
+import { Crud } from '@nestjsx/crud';
+import { User } from './entities/user.entity';
+import { CheckPolicies, ManageAllPolicy } from '../casl';
+import { UserCreateDto } from './dto/user-create.dto';
+import { ApiExtraModels, ApiTags } from '@nestjs/swagger';
+import { UserUpdateDto } from "./dto/user-update.dto";
+import { HashPasswordInterceptor } from "./hash-password.interceptor";
+import { PermissionDto } from "./dto/permission.dto";
+import { UsersEditingGuard } from "./users-editing.guard";
+import { ViewUsersPolicy } from "./policies/view-users.policy";
+import { Tools } from "@boarteam/boar-pack-common-backend";
+
+@Crud({
+  model: {
+    type: User,
+  },
+  params: {
+    id: {
+      field: 'id',
+      type: 'uuid',
+      primary: true,
+    },
+  },
+  query: {
+    alwaysPaginate: true,
+    exclude: ['pass'],
+  },
+  routes: {
+    only: ['getManyBase', 'getOneBase', 'createOneBase', 'updateOneBase', 'deleteOneBase'],
+    getManyBase: {
+      decorators: [
+        CheckPolicies(new ViewUsersPolicy()),
+      ],
+    },
+    getOneBase: {
+      decorators: [
+        CheckPolicies(new ViewUsersPolicy()),
+      ],
+    },
+    createOneBase: {
+      interceptors: [
+        HashPasswordInterceptor,
+      ],
+    },
+    updateOneBase: {
+      interceptors: [
+        HashPasswordInterceptor,
+      ],
+      decorators: [
+        UseGuards(UsersEditingGuard),
+      ]
+    },
+    deleteOneBase: {
+      decorators: [
+        UseGuards(UsersEditingGuard),
+      ]
+    }
+  },
+  dto: {
+    create: UserCreateDto,
+    update: UserUpdateDto,
+  },
+})
+@CheckPolicies(new ManageAllPolicy())
+@UseFilters(Tools.TypeOrmExceptionFilter)
+@ApiTags('Users')
+@ApiExtraModels(PermissionDto)
+@Controller('users')
+export class UsersController {
+  constructor(private readonly service: UsersService) {}
+}

package/src/users/users.module.ts

@@ -0,0 +1,75 @@
+import { DynamicModule, Logger, Module, OnModuleInit } from '@nestjs/common';
+import { UsersService } from './users.service';
+import { UsersController } from './users.controller';
+import { getDataSourceToken, TypeOrmModule } from '@nestjs/typeorm';
+import { EMAIL_UNIQUE_CONSTRAINT, Roles, User } from './entities/user.entity';
+import { MeController } from './me.controller';
+import { Action, CaslAbilityFactory, CaslModule } from '../casl';
+import { UsersConfigService } from "./users.config";
+import BcryptService from "./bcrypt.service";
+import { ConfigModule } from "@nestjs/config";
+import { Tools } from "@boarteam/boar-pack-common-backend";
+import { VIEW_USERS } from "./users.constants";
+import { DataSource } from "typeorm";
+
+@Module({})
+export class UsersModule implements OnModuleInit {
+  static register(config: {
+    withControllers?: boolean;
+    dataSourceName?: string;
+  } = { withControllers: true }): DynamicModule {
+    const dynamicModule: DynamicModule = {
+      module: UsersModule,
+      imports: [
+        ConfigModule,
+        TypeOrmModule.forFeature([User], config.dataSourceName),
+        CaslModule.forFeature(),
+      ],
+      providers: [
+        {
+          provide: UsersService,
+          inject: [getDataSourceToken(config.dataSourceName)],
+          useFactory: (dataSource: DataSource) => {
+            return new UsersService(dataSource.getRepository(User));
+          }
+        },
+        UsersConfigService,
+        BcryptService,
+      ],
+      exports: [UsersService, BcryptService],
+    };
+
+    if (config.withControllers) {
+      dynamicModule.controllers = [UsersController, MeController];
+    }
+
+    return dynamicModule;
+  }
+
+  private readonly logger = new Logger(UsersModule.name);
+
+  constructor(
+    private readonly usersService: UsersService,
+    private readonly bcryptService: BcryptService,
+  ) {
+    Tools.TypeOrmExceptionFilter.setUniqueConstraintMessage(EMAIL_UNIQUE_CONSTRAINT, 'User with this email already exists');
+    CaslAbilityFactory.addPermissionToAction({
+      permission: VIEW_USERS,
+      action: Action.Read,
+      subject: User,
+    })
+  }
+
+  async onModuleInit() {
+    const usersCount = await this.usersService.count();
+    if (!usersCount) {
+      this.logger.log('Creating default admin user');
+      await this.usersService.create({
+        name: 'Admin',
+        email: 'admin@admirals.com',
+        role: Roles.ADMIN,
+        pass: await this.bcryptService.hashPassword('pass'),
+      });
+    }
+  }
+}

package/src/users/users.service.ts

@@ -0,0 +1,23 @@
+import { Injectable } from '@nestjs/common';
+import { TypeOrmCrudService } from '@nestjsx/crud-typeorm';
+import { User } from './entities/user.entity';
+import { Repository } from 'typeorm';
+
+@Injectable()
+export class UsersService extends TypeOrmCrudService<User> {
+  constructor(
+    readonly repo: Repository<User>,
+  ) {
+    super(repo);
+  }
+
+  findByEmail(email: string): Promise<User | null> {
+    return this.repo.findOne({ where: { email: email.toLowerCase() } });
+  }
+
+  async create(data: Partial<User>): Promise<User> {
+    const user = this.repo.create(data);
+    await this.repo.save(user);
+    return user;
+  }
+}

package/src/ws-auth/index.ts

@@ -0,0 +1,3 @@
+export * from './ws-auth.guard';
+export * from './ws-auth.module';
+export * from './ws-auth.gateway';

package/src/ws-auth/ws-auth.d2

@@ -0,0 +1,14 @@
+shape: sequence_diagram
+
+client: Client
+server: Server
+
+client -> server: Connect
+server -> wsAuthService: Handle Connection (Sync)
+wsAuthService -> usersService: Check user from DB (Async)
+client -> server: Subscribe
+server.WS Auth Guard
+usersService -> wsAuthService: OK
+wsAuthService -> server: OK
+server -> client: message 1
+server -> client: message 2

package/src/ws-auth/ws-auth.gateway.ts

@@ -0,0 +1,25 @@
+import { Logger } from '@nestjs/common';
+import { WebSocket } from "ws";
+import { IncomingMessage } from "http";
+import { OnGatewayConnection, OnGatewayDisconnect, WebSocketGateway } from "@nestjs/websockets";
+import { AuthSocket, WsAuthService } from "./ws-auth.service";
+
+@WebSocketGateway({
+  path: '/ws',
+})
+export class WsAuthGateway implements OnGatewayConnection, OnGatewayDisconnect {
+  private logger = new Logger(WsAuthGateway.name);
+
+  constructor(
+    private readonly wsAuthService: WsAuthService,
+  ) {}
+
+  public handleConnection(socket: AuthSocket, req: IncomingMessage) {
+    this.logger.debug(`Client connected`);
+    this.wsAuthService.handleConnection(socket, req);
+  }
+
+  public handleDisconnect(client: WebSocket) {
+    this.wsAuthService.handleDisconnect(client);
+  }
+}

package/src/ws-auth/ws-auth.guard.ts

@@ -0,0 +1,28 @@
+import {CanActivate, ExecutionContext, Injectable, Logger, UnauthorizedException} from '@nestjs/common';
+import { WebSocket } from "ws";
+import { WsAuthService } from "./ws-auth.service";
+import {
+  WsErrorCodes
+} from "@boarteam/boar-pack-common-backend/src/modules/websockets/websockets.clients";
+
+@Injectable()
+export class WsAuthGuard implements CanActivate {
+  private readonly logger = new Logger(WsAuthGuard.name);
+
+  constructor(
+    private readonly wsAuthService: WsAuthService,
+  ) {}
+
+  async canActivate(context: ExecutionContext): Promise<boolean> {
+    const client = context.switchToWs().getClient<WebSocket>();
+    const user = await this.wsAuthService.finishInitialization(client);
+
+    if (!user) {
+      this.logger.warn(`Unauthorized connection by websocket`);
+      client.close(WsErrorCodes.Unauthorized, 'You have been logged out, please login again');
+      return false;
+    }
+
+    return !!user;
+  }
+}