@ftisindia/create-app 0.1.2 → 0.1.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/README.md +65 -0
- package/package.json +1 -1
- package/template/README.md +65 -1
- package/template/_package.json +0 -2
- package/template/docs/API_REFERENCE.md +13 -0
- package/template/docs/OAUTH.md +7 -3
- package/template/scripts/gen-module.mjs +2 -0
- package/template/src/app.module.ts +16 -22
- package/template/src/common/dto/error-response.dto.ts +3 -3
- package/template/src/common/dto/membership-response.dto.ts +26 -14
- package/template/src/common/dto/mutation-response.dto.ts +1 -1
- package/template/src/common/dto/pagination-query.dto.ts +37 -0
- package/template/src/common/dto/role-summary.dto.ts +5 -5
- package/template/src/common/dto/user-summary.dto.ts +6 -6
- package/template/src/common/filters/http-exception.filter.ts +9 -19
- package/template/src/common/swagger/api-error-responses.ts +12 -12
- package/template/src/config/app.config.ts +3 -3
- package/template/src/config/auth.config.ts +3 -3
- package/template/src/config/database.config.ts +3 -3
- package/template/src/config/env.validation.ts +58 -40
- package/template/src/config/index.ts +5 -5
- package/template/src/config/rbac.config.ts +3 -3
- package/template/src/database/prisma/prisma-transaction.ts +1 -1
- package/template/src/database/prisma/prisma.module.ts +2 -2
- package/template/src/database/prisma/prisma.service.ts +3 -6
- package/template/src/main.ts +11 -11
- package/template/src/modules/access-control/access-control.module.ts +9 -9
- package/template/src/modules/access-control/application/role-permission-policy.ts +71 -0
- package/template/src/modules/access-control/application/route-registry.validator.ts +34 -63
- package/template/src/modules/access-control/application/services/ability.factory.ts +5 -9
- package/template/src/modules/access-control/application/services/access-control.service.ts +78 -85
- package/template/src/modules/access-control/application/services/permission.guard.ts +16 -21
- package/template/src/modules/access-control/application/services/rbac-cache.service.ts +7 -9
- package/template/src/modules/access-control/dto/access-control-response.dto.ts +32 -20
- package/template/src/modules/access-control/dto/create-role.dto.ts +6 -6
- package/template/src/modules/access-control/dto/update-role-permissions.dto.ts +3 -10
- package/template/src/modules/access-control/dto/update-role.dto.ts +6 -6
- package/template/src/modules/access-control/presentation/access-control.controller.ts +69 -74
- package/template/src/modules/access-control/presentation/permissions.decorator.ts +3 -3
- package/template/src/modules/access-control/presentation/public.decorator.ts +2 -2
- package/template/src/modules/access-control/types/permission-key.ts +19 -19
- package/template/src/modules/access-control/types/route-permission-registry.ts +76 -76
- package/template/src/modules/audit/application/services/audit.service.ts +7 -7
- package/template/src/modules/audit/audit.module.ts +4 -4
- package/template/src/modules/audit/dto/audit-response.dto.ts +18 -18
- package/template/src/modules/audit/dto/list-audit-logs-query.dto.ts +14 -14
- package/template/src/modules/audit/presentation/audit.controller.ts +17 -23
- package/template/src/modules/auth/application/services/auth.service.ts +147 -110
- package/template/src/modules/auth/application/services/password.service.ts +2 -2
- package/template/src/modules/auth/application/services/token.service.ts +20 -21
- package/template/src/modules/auth/auth.module.ts +20 -47
- package/template/src/modules/auth/dto/auth-response.dto.ts +9 -10
- package/template/src/modules/auth/dto/login.dto.ts +4 -4
- package/template/src/modules/auth/dto/logout.dto.ts +1 -1
- package/template/src/modules/auth/dto/oauth-exchange.dto.ts +4 -5
- package/template/src/modules/auth/dto/refresh-token.dto.ts +4 -5
- package/template/src/modules/auth/dto/signup.dto.ts +5 -11
- package/template/src/modules/auth/infrastructure/passport/google-auth.guard.ts +6 -14
- package/template/src/modules/auth/infrastructure/passport/google-oauth-state.store.ts +98 -0
- package/template/src/modules/auth/infrastructure/passport/google.strategy.ts +21 -30
- package/template/src/modules/auth/infrastructure/passport/jwt-auth.guard.ts +3 -3
- package/template/src/modules/auth/infrastructure/passport/jwt.strategy.ts +11 -11
- package/template/src/modules/auth/presentation/auth.controller.ts +45 -45
- package/template/src/modules/auth/presentation/current-user.decorator.ts +3 -5
- package/template/src/modules/auth/presentation/google-oauth-exception.filter.ts +5 -10
- package/template/src/modules/health/dto/health-response.dto.ts +5 -5
- package/template/src/modules/health/health.module.ts +2 -2
- package/template/src/modules/health/presentation/health.controller.ts +13 -13
- package/template/src/modules/invitations/application/services/invitations.service.ts +127 -176
- package/template/src/modules/invitations/dto/accept-invitation.dto.ts +6 -7
- package/template/src/modules/invitations/dto/create-invitation.dto.ts +14 -15
- package/template/src/modules/invitations/dto/invitation-response.dto.ts +37 -29
- package/template/src/modules/invitations/dto/invitation-token.dto.ts +4 -4
- package/template/src/modules/invitations/invitations.module.ts +5 -5
- package/template/src/modules/invitations/presentation/invitations.controller.ts +61 -63
- package/template/src/modules/memberships/application/services/memberships.service.ts +70 -84
- package/template/src/modules/memberships/dto/transfer-owner.dto.ts +4 -4
- package/template/src/modules/memberships/dto/update-billing-contact.dto.ts +2 -2
- package/template/src/modules/memberships/dto/update-membership-owner.dto.ts +2 -2
- package/template/src/modules/memberships/dto/update-membership-role.dto.ts +4 -4
- package/template/src/modules/memberships/dto/update-membership-status.dto.ts +3 -3
- package/template/src/modules/memberships/memberships.module.ts +4 -4
- package/template/src/modules/memberships/presentation/memberships.controller.ts +83 -99
- package/template/src/modules/organisations/application/services/organisations.service.ts +21 -23
- package/template/src/modules/organisations/dto/create-organisation.dto.ts +6 -13
- package/template/src/modules/organisations/dto/organisation-response.dto.ts +14 -14
- package/template/src/modules/organisations/infrastructure/repositories/organisations.repository.ts +4 -7
- package/template/src/modules/organisations/organisations.module.ts +5 -5
- package/template/src/modules/organisations/presentation/organisations.controller.ts +14 -23
- package/template/src/modules/organisations/types/default-organisation-data.ts +3 -9
- package/template/src/modules/request-context/application/services/request-context.service.ts +15 -7
- package/template/src/modules/request-context/presentation/org-scope.guard.ts +4 -9
- package/template/src/modules/request-context/presentation/request-context.interceptor.ts +4 -9
- package/template/src/modules/request-context/presentation/request-context.middleware.ts +7 -8
- package/template/src/modules/request-context/request-context.module.ts +7 -7
- package/template/src/modules/request-context/types/request-context.ts +2 -2
- package/template/src/modules/sample/application/services/sample.service.ts +10 -8
- package/template/src/modules/sample/dto/sample-echo.dto.ts +3 -3
- package/template/src/modules/sample/dto/sample-response.dto.ts +12 -12
- package/template/src/modules/sample/presentation/sample.controller.ts +25 -42
- package/template/src/modules/sample/sample.module.ts +4 -4
- package/template/src/modules/settings/application/services/settings.service.ts +15 -27
- package/template/src/modules/settings/dto/setting-response.dto.ts +9 -9
- package/template/src/modules/settings/dto/update-setting.dto.ts +5 -5
- package/template/src/modules/settings/presentation/settings.controller.ts +29 -35
- package/template/src/modules/settings/settings.module.ts +5 -5
- package/template/src/modules/settings/types/setting-definitions.ts +49 -33
- package/template/test/auth-refresh.spec.ts +90 -0
- package/template/test/role-permission-policy.spec.ts +94 -0
|
@@ -1,30 +1,31 @@
|
|
|
1
|
-
import {
|
|
2
|
-
import { ConfigModule, ConfigService } from
|
|
3
|
-
import { JwtModule } from
|
|
4
|
-
import { PassportModule } from
|
|
5
|
-
import
|
|
6
|
-
import { AuthService } from
|
|
7
|
-
import { PasswordService } from
|
|
8
|
-
import { TokenService } from
|
|
9
|
-
import { GoogleAuthGuard } from
|
|
10
|
-
import { GoogleStrategy } from
|
|
11
|
-
import { JwtAuthGuard } from
|
|
12
|
-
import { JwtStrategy } from
|
|
13
|
-
import { AuthController } from
|
|
14
|
-
import { GoogleOAuthExceptionFilter } from
|
|
1
|
+
import { Module } from '@nestjs/common';
|
|
2
|
+
import { ConfigModule, ConfigService } from '@nestjs/config';
|
|
3
|
+
import { JwtModule } from '@nestjs/jwt';
|
|
4
|
+
import { PassportModule } from '@nestjs/passport';
|
|
5
|
+
import { RequestContextModule } from '../request-context/request-context.module';
|
|
6
|
+
import { AuthService } from './application/services/auth.service';
|
|
7
|
+
import { PasswordService } from './application/services/password.service';
|
|
8
|
+
import { TokenService } from './application/services/token.service';
|
|
9
|
+
import { GoogleAuthGuard } from './infrastructure/passport/google-auth.guard';
|
|
10
|
+
import { GoogleStrategy } from './infrastructure/passport/google.strategy';
|
|
11
|
+
import { JwtAuthGuard } from './infrastructure/passport/jwt-auth.guard';
|
|
12
|
+
import { JwtStrategy } from './infrastructure/passport/jwt.strategy';
|
|
13
|
+
import { AuthController } from './presentation/auth.controller';
|
|
14
|
+
import { GoogleOAuthExceptionFilter } from './presentation/google-oauth-exception.filter';
|
|
15
15
|
|
|
16
16
|
@Module({
|
|
17
17
|
imports: [
|
|
18
18
|
PassportModule,
|
|
19
|
+
RequestContextModule,
|
|
19
20
|
JwtModule.registerAsync({
|
|
20
21
|
imports: [ConfigModule],
|
|
21
22
|
inject: [ConfigService],
|
|
22
23
|
useFactory: (config: ConfigService) => ({
|
|
23
|
-
secret: config.get<string>(
|
|
24
|
+
secret: config.get<string>('auth.jwt.secret') ?? '',
|
|
24
25
|
signOptions: {
|
|
25
|
-
algorithm:
|
|
26
|
-
issuer: config.get<string>(
|
|
27
|
-
audience: config.get<string>(
|
|
26
|
+
algorithm: 'HS256',
|
|
27
|
+
issuer: config.get<string>('auth.jwt.issuer'),
|
|
28
|
+
audience: config.get<string>('auth.jwt.audience'),
|
|
28
29
|
},
|
|
29
30
|
}),
|
|
30
31
|
}),
|
|
@@ -42,32 +43,4 @@ import { GoogleOAuthExceptionFilter } from "./presentation/google-oauth-exceptio
|
|
|
42
43
|
],
|
|
43
44
|
exports: [JwtAuthGuard, PasswordService],
|
|
44
45
|
})
|
|
45
|
-
export class AuthModule
|
|
46
|
-
constructor(private readonly config: ConfigService) {}
|
|
47
|
-
|
|
48
|
-
configure(consumer: MiddlewareConsumer) {
|
|
49
|
-
consumer
|
|
50
|
-
.apply(buildGoogleOAuthSessionMiddleware(this.config))
|
|
51
|
-
.forRoutes("auth/google", "auth/google/callback");
|
|
52
|
-
}
|
|
53
|
-
}
|
|
54
|
-
|
|
55
|
-
function buildGoogleOAuthSessionMiddleware(config: ConfigService) {
|
|
56
|
-
const secret =
|
|
57
|
-
config.get<string>("auth.session.secret") ||
|
|
58
|
-
"google-oauth-disabled-session-secret";
|
|
59
|
-
|
|
60
|
-
return session({
|
|
61
|
-
secret,
|
|
62
|
-
name: "oauth.sid",
|
|
63
|
-
resave: false,
|
|
64
|
-
saveUninitialized: false,
|
|
65
|
-
cookie: {
|
|
66
|
-
httpOnly: true,
|
|
67
|
-
sameSite: "lax",
|
|
68
|
-
secure: config.get<string>("app.nodeEnv") === "production",
|
|
69
|
-
maxAge: 10 * 60 * 1000,
|
|
70
|
-
path: "/auth/google",
|
|
71
|
-
},
|
|
72
|
-
});
|
|
73
|
-
}
|
|
46
|
+
export class AuthModule {}
|
|
@@ -1,25 +1,24 @@
|
|
|
1
|
-
import { ApiProperty } from
|
|
2
|
-
import { ActiveUserSummaryDto } from
|
|
1
|
+
import { ApiProperty } from '@nestjs/swagger';
|
|
2
|
+
import { ActiveUserSummaryDto } from '../../../common/dto/user-summary.dto';
|
|
3
3
|
|
|
4
4
|
export class AuthTokensResponseDto {
|
|
5
5
|
@ApiProperty({
|
|
6
|
-
description:
|
|
7
|
-
example:
|
|
6
|
+
description: 'JWT access token for bearer authentication.',
|
|
7
|
+
example: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...',
|
|
8
8
|
})
|
|
9
9
|
accessToken!: string;
|
|
10
10
|
|
|
11
11
|
@ApiProperty({
|
|
12
|
-
description:
|
|
13
|
-
|
|
14
|
-
example: "rfr_9b2f4f8d2d9f4d65a1f4",
|
|
12
|
+
description: 'Opaque refresh token. Store it securely and send it only to auth endpoints.',
|
|
13
|
+
example: 'rfr_9b2f4f8d2d9f4d65a1f4',
|
|
15
14
|
})
|
|
16
15
|
refreshToken!: string;
|
|
17
16
|
|
|
18
|
-
@ApiProperty({ example:
|
|
19
|
-
tokenType!:
|
|
17
|
+
@ApiProperty({ example: 'Bearer' })
|
|
18
|
+
tokenType!: 'Bearer';
|
|
20
19
|
|
|
21
20
|
@ApiProperty({
|
|
22
|
-
description:
|
|
21
|
+
description: 'Access token lifetime in seconds.',
|
|
23
22
|
example: 900,
|
|
24
23
|
})
|
|
25
24
|
expiresIn!: number;
|
|
@@ -1,13 +1,13 @@
|
|
|
1
|
-
import { ApiProperty } from
|
|
2
|
-
import { IsEmail, IsString, MaxLength, MinLength } from
|
|
1
|
+
import { ApiProperty } from '@nestjs/swagger';
|
|
2
|
+
import { IsEmail, IsString, MaxLength, MinLength } from 'class-validator';
|
|
3
3
|
|
|
4
4
|
export class LoginDto {
|
|
5
|
-
@ApiProperty({ example:
|
|
5
|
+
@ApiProperty({ example: 'owner@example.com' })
|
|
6
6
|
@IsEmail()
|
|
7
7
|
@MaxLength(320)
|
|
8
8
|
email!: string;
|
|
9
9
|
|
|
10
|
-
@ApiProperty({ example:
|
|
10
|
+
@ApiProperty({ example: 'dev-password-123' })
|
|
11
11
|
@IsString()
|
|
12
12
|
@MinLength(8)
|
|
13
13
|
@MaxLength(128)
|
|
@@ -1,11 +1,10 @@
|
|
|
1
|
-
import { ApiProperty } from
|
|
2
|
-
import { IsString, Length } from
|
|
1
|
+
import { ApiProperty } from '@nestjs/swagger';
|
|
2
|
+
import { IsString, Length } from 'class-validator';
|
|
3
3
|
|
|
4
4
|
export class OAuthExchangeDto {
|
|
5
5
|
@ApiProperty({
|
|
6
|
-
description:
|
|
7
|
-
|
|
8
|
-
example: "DXB2rcx5HcKXy35bA3AzYdVq2e4nGsgYeG3D9M7uAQM",
|
|
6
|
+
description: 'One-time code returned to the frontend by the Google OAuth callback redirect.',
|
|
7
|
+
example: 'DXB2rcx5HcKXy35bA3AzYdVq2e4nGsgYeG3D9M7uAQM',
|
|
9
8
|
minLength: 32,
|
|
10
9
|
maxLength: 256,
|
|
11
10
|
})
|
|
@@ -1,11 +1,10 @@
|
|
|
1
|
-
import { ApiProperty } from
|
|
2
|
-
import { IsString, MinLength } from
|
|
1
|
+
import { ApiProperty } from '@nestjs/swagger';
|
|
2
|
+
import { IsString, MinLength } from 'class-validator';
|
|
3
3
|
|
|
4
4
|
export class RefreshTokenDto {
|
|
5
5
|
@ApiProperty({
|
|
6
|
-
description:
|
|
7
|
-
|
|
8
|
-
example: "rfr_9b2f4f8d2d9f4d65a1f4",
|
|
6
|
+
description: 'Opaque refresh token returned by signup, login, refresh, or OAuth exchange.',
|
|
7
|
+
example: 'rfr_9b2f4f8d2d9f4d65a1f4',
|
|
9
8
|
minLength: 32,
|
|
10
9
|
})
|
|
11
10
|
@IsString()
|
|
@@ -1,25 +1,19 @@
|
|
|
1
|
-
import { ApiProperty, ApiPropertyOptional } from
|
|
2
|
-
import {
|
|
3
|
-
IsEmail,
|
|
4
|
-
IsOptional,
|
|
5
|
-
IsString,
|
|
6
|
-
MaxLength,
|
|
7
|
-
MinLength,
|
|
8
|
-
} from "class-validator";
|
|
1
|
+
import { ApiProperty, ApiPropertyOptional } from '@nestjs/swagger';
|
|
2
|
+
import { IsEmail, IsOptional, IsString, MaxLength, MinLength } from 'class-validator';
|
|
9
3
|
|
|
10
4
|
export class SignupDto {
|
|
11
|
-
@ApiProperty({ example:
|
|
5
|
+
@ApiProperty({ example: 'owner@example.com' })
|
|
12
6
|
@IsEmail()
|
|
13
7
|
@MaxLength(320)
|
|
14
8
|
email!: string;
|
|
15
9
|
|
|
16
|
-
@ApiProperty({ minLength: 8, maxLength: 128, example:
|
|
10
|
+
@ApiProperty({ minLength: 8, maxLength: 128, example: 'dev-password-123' })
|
|
17
11
|
@IsString()
|
|
18
12
|
@MinLength(8)
|
|
19
13
|
@MaxLength(128)
|
|
20
14
|
password!: string;
|
|
21
15
|
|
|
22
|
-
@ApiPropertyOptional({ example:
|
|
16
|
+
@ApiPropertyOptional({ example: 'Starter Owner' })
|
|
23
17
|
@IsOptional()
|
|
24
18
|
@IsString()
|
|
25
19
|
@MaxLength(120)
|
|
@@ -1,25 +1,17 @@
|
|
|
1
|
-
import {
|
|
2
|
-
|
|
3
|
-
|
|
4
|
-
ForbiddenException,
|
|
5
|
-
Injectable,
|
|
6
|
-
} from "@nestjs/common";
|
|
7
|
-
import { ConfigService } from "@nestjs/config";
|
|
8
|
-
import { AuthGuard } from "@nestjs/passport";
|
|
1
|
+
import { CanActivate, ExecutionContext, ForbiddenException, Injectable } from '@nestjs/common';
|
|
2
|
+
import { ConfigService } from '@nestjs/config';
|
|
3
|
+
import { AuthGuard } from '@nestjs/passport';
|
|
9
4
|
|
|
10
5
|
@Injectable()
|
|
11
|
-
export class GoogleAuthGuard
|
|
12
|
-
extends AuthGuard("google")
|
|
13
|
-
implements CanActivate
|
|
14
|
-
{
|
|
6
|
+
export class GoogleAuthGuard extends AuthGuard('google') implements CanActivate {
|
|
15
7
|
constructor(private readonly config: ConfigService) {
|
|
16
8
|
super();
|
|
17
9
|
}
|
|
18
10
|
|
|
19
11
|
canActivate(context: ExecutionContext) {
|
|
20
|
-
const enabled = this.config.get<boolean>(
|
|
12
|
+
const enabled = this.config.get<boolean>('auth.providers.googleEnabled');
|
|
21
13
|
if (!enabled) {
|
|
22
|
-
throw new ForbiddenException(
|
|
14
|
+
throw new ForbiddenException('Google authentication is disabled.');
|
|
23
15
|
}
|
|
24
16
|
|
|
25
17
|
return super.canActivate(context);
|
|
@@ -0,0 +1,98 @@
|
|
|
1
|
+
import { createCipheriv, createDecipheriv, createHash, randomBytes } from 'crypto';
|
|
2
|
+
|
|
3
|
+
const STATE_TTL_MS = 10 * 60 * 1000;
|
|
4
|
+
const IV_BYTES = 12;
|
|
5
|
+
const AUTH_TAG_BYTES = 16;
|
|
6
|
+
|
|
7
|
+
type StatePayload = {
|
|
8
|
+
verifier: string;
|
|
9
|
+
iat: number;
|
|
10
|
+
nonce: string;
|
|
11
|
+
state?: string;
|
|
12
|
+
};
|
|
13
|
+
|
|
14
|
+
type StoreCallback = (error: Error | null, state?: string) => void;
|
|
15
|
+
type VerifyCallback = (error: Error | null, verifier?: false | string, state?: unknown) => void;
|
|
16
|
+
|
|
17
|
+
export class GoogleOAuthStateStore {
|
|
18
|
+
private readonly key: Buffer;
|
|
19
|
+
|
|
20
|
+
constructor(secret: string) {
|
|
21
|
+
this.key = createHash('sha256').update(secret).digest();
|
|
22
|
+
}
|
|
23
|
+
|
|
24
|
+
store(
|
|
25
|
+
_request: unknown,
|
|
26
|
+
verifier: string,
|
|
27
|
+
state: unknown,
|
|
28
|
+
_meta: unknown,
|
|
29
|
+
callback: StoreCallback,
|
|
30
|
+
) {
|
|
31
|
+
try {
|
|
32
|
+
callback(
|
|
33
|
+
null,
|
|
34
|
+
this.encode({
|
|
35
|
+
verifier,
|
|
36
|
+
iat: Date.now(),
|
|
37
|
+
nonce: randomBytes(16).toString('base64url'),
|
|
38
|
+
state: typeof state === 'string' ? state : undefined,
|
|
39
|
+
}),
|
|
40
|
+
);
|
|
41
|
+
} catch (error) {
|
|
42
|
+
callback(error instanceof Error ? error : new Error('Could not store OAuth state.'));
|
|
43
|
+
}
|
|
44
|
+
}
|
|
45
|
+
|
|
46
|
+
verify(_request: unknown, providedState: string, _meta: unknown, callback: VerifyCallback) {
|
|
47
|
+
try {
|
|
48
|
+
const payload = this.decode(providedState);
|
|
49
|
+
if (Date.now() - payload.iat > STATE_TTL_MS) {
|
|
50
|
+
callback(null, false, { message: 'OAuth state expired.' });
|
|
51
|
+
return;
|
|
52
|
+
}
|
|
53
|
+
|
|
54
|
+
callback(null, payload.verifier, payload.state);
|
|
55
|
+
} catch {
|
|
56
|
+
callback(null, false, { message: 'Invalid authorization request state.' });
|
|
57
|
+
}
|
|
58
|
+
}
|
|
59
|
+
|
|
60
|
+
private encode(payload: StatePayload) {
|
|
61
|
+
const iv = randomBytes(IV_BYTES);
|
|
62
|
+
const cipher = createCipheriv('aes-256-gcm', this.key, iv);
|
|
63
|
+
const encrypted = Buffer.concat([
|
|
64
|
+
cipher.update(JSON.stringify(payload), 'utf8'),
|
|
65
|
+
cipher.final(),
|
|
66
|
+
]);
|
|
67
|
+
const tag = cipher.getAuthTag();
|
|
68
|
+
|
|
69
|
+
return Buffer.concat([iv, tag, encrypted]).toString('base64url');
|
|
70
|
+
}
|
|
71
|
+
|
|
72
|
+
private decode(state: string): StatePayload {
|
|
73
|
+
const input = Buffer.from(state, 'base64url');
|
|
74
|
+
if (input.length <= IV_BYTES + AUTH_TAG_BYTES) {
|
|
75
|
+
throw new Error('OAuth state is malformed.');
|
|
76
|
+
}
|
|
77
|
+
|
|
78
|
+
const iv = input.subarray(0, IV_BYTES);
|
|
79
|
+
const tag = input.subarray(IV_BYTES, IV_BYTES + AUTH_TAG_BYTES);
|
|
80
|
+
const encrypted = input.subarray(IV_BYTES + AUTH_TAG_BYTES);
|
|
81
|
+
const decipher = createDecipheriv('aes-256-gcm', this.key, iv);
|
|
82
|
+
decipher.setAuthTag(tag);
|
|
83
|
+
|
|
84
|
+
const decoded = JSON.parse(
|
|
85
|
+
Buffer.concat([decipher.update(encrypted), decipher.final()]).toString('utf8'),
|
|
86
|
+
) as Partial<StatePayload>;
|
|
87
|
+
|
|
88
|
+
if (
|
|
89
|
+
typeof decoded.verifier !== 'string' ||
|
|
90
|
+
typeof decoded.iat !== 'number' ||
|
|
91
|
+
typeof decoded.nonce !== 'string'
|
|
92
|
+
) {
|
|
93
|
+
throw new Error('OAuth state is invalid.');
|
|
94
|
+
}
|
|
95
|
+
|
|
96
|
+
return decoded as StatePayload;
|
|
97
|
+
}
|
|
98
|
+
}
|
|
@@ -1,49 +1,40 @@
|
|
|
1
|
-
import { Injectable, UnauthorizedException } from
|
|
2
|
-
import { ConfigService } from
|
|
3
|
-
import { PassportStrategy } from
|
|
4
|
-
import { Profile, Strategy, VerifyCallback } from
|
|
5
|
-
import { GoogleAuthProfile } from
|
|
1
|
+
import { Injectable, UnauthorizedException } from '@nestjs/common';
|
|
2
|
+
import { ConfigService } from '@nestjs/config';
|
|
3
|
+
import { PassportStrategy } from '@nestjs/passport';
|
|
4
|
+
import { Profile, Strategy, VerifyCallback } from 'passport-google-oauth20';
|
|
5
|
+
import { GoogleAuthProfile } from '../../types/google-auth-profile';
|
|
6
|
+
import { GoogleOAuthStateStore } from './google-oauth-state.store';
|
|
6
7
|
|
|
7
8
|
@Injectable()
|
|
8
|
-
export class GoogleStrategy extends PassportStrategy(Strategy,
|
|
9
|
+
export class GoogleStrategy extends PassportStrategy(Strategy, 'google') {
|
|
9
10
|
constructor(config: ConfigService) {
|
|
10
|
-
const enabled = config.get<boolean>(
|
|
11
|
+
const enabled = config.get<boolean>('auth.providers.googleEnabled');
|
|
12
|
+
const sessionSecret =
|
|
13
|
+
config.get<string>('auth.session.secret') || 'google-oauth-disabled-session-secret';
|
|
11
14
|
|
|
12
15
|
super({
|
|
13
|
-
clientID: enabled
|
|
14
|
-
? (config.get<string>("auth.google.clientId") ?? "")
|
|
15
|
-
: "google-disabled",
|
|
16
|
+
clientID: enabled ? (config.get<string>('auth.google.clientId') ?? '') : 'google-disabled',
|
|
16
17
|
clientSecret: enabled
|
|
17
|
-
? (config.get<string>(
|
|
18
|
-
:
|
|
18
|
+
? (config.get<string>('auth.google.clientSecret') ?? '')
|
|
19
|
+
: 'google-disabled',
|
|
19
20
|
callbackURL:
|
|
20
|
-
config.get<string>(
|
|
21
|
-
|
|
21
|
+
config.get<string>('auth.google.callbackUrl') ??
|
|
22
|
+
'http://localhost:3000/auth/google/callback',
|
|
22
23
|
state: true,
|
|
23
24
|
pkce: true,
|
|
24
|
-
|
|
25
|
-
|
|
25
|
+
store: new GoogleOAuthStateStore(sessionSecret),
|
|
26
|
+
scope: ['email', 'profile'],
|
|
27
|
+
} as never);
|
|
26
28
|
}
|
|
27
29
|
|
|
28
|
-
validate(
|
|
29
|
-
_accessToken: string,
|
|
30
|
-
_refreshToken: string,
|
|
31
|
-
profile: Profile,
|
|
32
|
-
done: VerifyCallback,
|
|
33
|
-
) {
|
|
30
|
+
validate(_accessToken: string, _refreshToken: string, profile: Profile, done: VerifyCallback) {
|
|
34
31
|
const email = profile.emails?.[0]?.value?.trim().toLowerCase();
|
|
35
32
|
if (!email) {
|
|
36
|
-
done(
|
|
37
|
-
new UnauthorizedException(
|
|
38
|
-
"Google account did not provide an email address.",
|
|
39
|
-
),
|
|
40
|
-
);
|
|
33
|
+
done(new UnauthorizedException('Google account did not provide an email address.'));
|
|
41
34
|
return;
|
|
42
35
|
}
|
|
43
36
|
|
|
44
|
-
const profileJson = profile._json as
|
|
45
|
-
| { email_verified?: boolean }
|
|
46
|
-
| undefined;
|
|
37
|
+
const profileJson = profile._json as { email_verified?: boolean } | undefined;
|
|
47
38
|
const result: GoogleAuthProfile = {
|
|
48
39
|
providerUserId: profile.id,
|
|
49
40
|
email,
|
|
@@ -1,5 +1,5 @@
|
|
|
1
|
-
import { Injectable } from
|
|
2
|
-
import { AuthGuard } from
|
|
1
|
+
import { Injectable } from '@nestjs/common';
|
|
2
|
+
import { AuthGuard } from '@nestjs/passport';
|
|
3
3
|
|
|
4
4
|
@Injectable()
|
|
5
|
-
export class JwtAuthGuard extends AuthGuard(
|
|
5
|
+
export class JwtAuthGuard extends AuthGuard('jwt') {}
|
|
@@ -1,10 +1,10 @@
|
|
|
1
|
-
import { Injectable, UnauthorizedException } from
|
|
2
|
-
import { ConfigService } from
|
|
3
|
-
import { PassportStrategy } from
|
|
4
|
-
import { ExtractJwt, Strategy } from
|
|
5
|
-
import { PrismaService } from
|
|
6
|
-
import { AuthenticatedUser } from
|
|
7
|
-
import { JwtPayload } from
|
|
1
|
+
import { Injectable, UnauthorizedException } from '@nestjs/common';
|
|
2
|
+
import { ConfigService } from '@nestjs/config';
|
|
3
|
+
import { PassportStrategy } from '@nestjs/passport';
|
|
4
|
+
import { ExtractJwt, Strategy } from 'passport-jwt';
|
|
5
|
+
import { PrismaService } from '../../../../database/prisma/prisma.service';
|
|
6
|
+
import { AuthenticatedUser } from '../../types/authenticated-user';
|
|
7
|
+
import { JwtPayload } from '../../types/jwt-payload';
|
|
8
8
|
|
|
9
9
|
@Injectable()
|
|
10
10
|
export class JwtStrategy extends PassportStrategy(Strategy) {
|
|
@@ -15,10 +15,10 @@ export class JwtStrategy extends PassportStrategy(Strategy) {
|
|
|
15
15
|
super({
|
|
16
16
|
jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
|
|
17
17
|
ignoreExpiration: false,
|
|
18
|
-
algorithms: [
|
|
19
|
-
issuer: config.get<string>(
|
|
20
|
-
audience: config.get<string>(
|
|
21
|
-
secretOrKey: config.get<string>(
|
|
18
|
+
algorithms: ['HS256'],
|
|
19
|
+
issuer: config.get<string>('auth.jwt.issuer'),
|
|
20
|
+
audience: config.get<string>('auth.jwt.audience'),
|
|
21
|
+
secretOrKey: config.get<string>('auth.jwt.secret') ?? '',
|
|
22
22
|
});
|
|
23
23
|
}
|
|
24
24
|
|
|
@@ -8,7 +8,7 @@ import {
|
|
|
8
8
|
Res,
|
|
9
9
|
UseFilters,
|
|
10
10
|
UseGuards,
|
|
11
|
-
} from
|
|
11
|
+
} from '@nestjs/common';
|
|
12
12
|
import {
|
|
13
13
|
ApiBearerAuth,
|
|
14
14
|
ApiCreatedResponse,
|
|
@@ -16,35 +16,35 @@ import {
|
|
|
16
16
|
ApiOkResponse,
|
|
17
17
|
ApiOperation,
|
|
18
18
|
ApiTags,
|
|
19
|
-
} from
|
|
20
|
-
import { Throttle } from
|
|
21
|
-
import { RevokedResponseDto } from
|
|
22
|
-
import { ActiveUserSummaryDto } from
|
|
23
|
-
import { ApiErrorResponses } from
|
|
24
|
-
import { AuthService } from
|
|
25
|
-
import { AuthTokensResponseDto } from
|
|
26
|
-
import { LoginDto } from
|
|
27
|
-
import { LogoutDto } from
|
|
28
|
-
import { OAuthExchangeDto } from
|
|
29
|
-
import { RefreshTokenDto } from
|
|
30
|
-
import { SignupDto } from
|
|
31
|
-
import { GoogleAuthGuard } from
|
|
32
|
-
import { JwtAuthGuard } from
|
|
33
|
-
import { AuthenticatedUser } from
|
|
34
|
-
import { GoogleAuthProfile } from
|
|
35
|
-
import { CurrentUser } from
|
|
36
|
-
import { GoogleOAuthExceptionFilter } from
|
|
19
|
+
} from '@nestjs/swagger';
|
|
20
|
+
import { Throttle } from '@nestjs/throttler';
|
|
21
|
+
import { RevokedResponseDto } from '../../../common/dto/mutation-response.dto';
|
|
22
|
+
import { ActiveUserSummaryDto } from '../../../common/dto/user-summary.dto';
|
|
23
|
+
import { ApiErrorResponses } from '../../../common/swagger/api-error-responses';
|
|
24
|
+
import { AuthService } from '../application/services/auth.service';
|
|
25
|
+
import { AuthTokensResponseDto } from '../dto/auth-response.dto';
|
|
26
|
+
import { LoginDto } from '../dto/login.dto';
|
|
27
|
+
import { LogoutDto } from '../dto/logout.dto';
|
|
28
|
+
import { OAuthExchangeDto } from '../dto/oauth-exchange.dto';
|
|
29
|
+
import { RefreshTokenDto } from '../dto/refresh-token.dto';
|
|
30
|
+
import { SignupDto } from '../dto/signup.dto';
|
|
31
|
+
import { GoogleAuthGuard } from '../infrastructure/passport/google-auth.guard';
|
|
32
|
+
import { JwtAuthGuard } from '../infrastructure/passport/jwt-auth.guard';
|
|
33
|
+
import { AuthenticatedUser } from '../types/authenticated-user';
|
|
34
|
+
import { GoogleAuthProfile } from '../types/google-auth-profile';
|
|
35
|
+
import { CurrentUser } from './current-user.decorator';
|
|
36
|
+
import { GoogleOAuthExceptionFilter } from './google-oauth-exception.filter';
|
|
37
37
|
|
|
38
|
-
@ApiTags(
|
|
39
|
-
@Controller(
|
|
38
|
+
@ApiTags('Auth')
|
|
39
|
+
@Controller('auth')
|
|
40
40
|
export class AuthController {
|
|
41
41
|
constructor(private readonly authService: AuthService) {}
|
|
42
42
|
|
|
43
|
-
@Post(
|
|
43
|
+
@Post('signup')
|
|
44
44
|
@Throttle({ default: { limit: 5, ttl: 60_000 } })
|
|
45
|
-
@ApiOperation({ summary:
|
|
45
|
+
@ApiOperation({ summary: 'Create an email/password user and issue tokens.' })
|
|
46
46
|
@ApiCreatedResponse({
|
|
47
|
-
description:
|
|
47
|
+
description: 'User created and tokens issued.',
|
|
48
48
|
type: AuthTokensResponseDto,
|
|
49
49
|
})
|
|
50
50
|
@ApiErrorResponses(400, 409, 429)
|
|
@@ -52,12 +52,12 @@ export class AuthController {
|
|
|
52
52
|
return this.authService.signup(dto);
|
|
53
53
|
}
|
|
54
54
|
|
|
55
|
-
@Post(
|
|
55
|
+
@Post('login')
|
|
56
56
|
@HttpCode(200)
|
|
57
57
|
@Throttle({ default: { limit: 5, ttl: 60_000 } })
|
|
58
|
-
@ApiOperation({ summary:
|
|
58
|
+
@ApiOperation({ summary: 'Login with email/password.' })
|
|
59
59
|
@ApiOkResponse({
|
|
60
|
-
description:
|
|
60
|
+
description: 'Login succeeded and tokens were issued.',
|
|
61
61
|
type: AuthTokensResponseDto,
|
|
62
62
|
})
|
|
63
63
|
@ApiErrorResponses(400, 401, 429)
|
|
@@ -65,14 +65,14 @@ export class AuthController {
|
|
|
65
65
|
return this.authService.login(dto);
|
|
66
66
|
}
|
|
67
67
|
|
|
68
|
-
@Post(
|
|
68
|
+
@Post('refresh')
|
|
69
69
|
@HttpCode(200)
|
|
70
70
|
@Throttle({ default: { limit: 10, ttl: 60_000 } })
|
|
71
71
|
@ApiOperation({
|
|
72
|
-
summary:
|
|
72
|
+
summary: 'Rotate a refresh token and issue a new access token.',
|
|
73
73
|
})
|
|
74
74
|
@ApiOkResponse({
|
|
75
|
-
description:
|
|
75
|
+
description: 'Refresh token rotated.',
|
|
76
76
|
type: AuthTokensResponseDto,
|
|
77
77
|
})
|
|
78
78
|
@ApiErrorResponses(400, 401, 429)
|
|
@@ -80,14 +80,14 @@ export class AuthController {
|
|
|
80
80
|
return this.authService.refresh(dto);
|
|
81
81
|
}
|
|
82
82
|
|
|
83
|
-
@Post(
|
|
83
|
+
@Post('oauth/exchange')
|
|
84
84
|
@HttpCode(200)
|
|
85
85
|
@Throttle({ default: { limit: 10, ttl: 60_000 } })
|
|
86
86
|
@ApiOperation({
|
|
87
|
-
summary:
|
|
87
|
+
summary: 'Exchange a Google OAuth one-time code for tokens.',
|
|
88
88
|
})
|
|
89
89
|
@ApiOkResponse({
|
|
90
|
-
description:
|
|
90
|
+
description: 'OAuth exchange succeeded.',
|
|
91
91
|
type: AuthTokensResponseDto,
|
|
92
92
|
})
|
|
93
93
|
@ApiErrorResponses(400, 401, 429)
|
|
@@ -95,11 +95,11 @@ export class AuthController {
|
|
|
95
95
|
return this.authService.exchangeOAuthCode(dto);
|
|
96
96
|
}
|
|
97
97
|
|
|
98
|
-
@Post(
|
|
98
|
+
@Post('logout')
|
|
99
99
|
@HttpCode(200)
|
|
100
|
-
@ApiOperation({ summary:
|
|
100
|
+
@ApiOperation({ summary: 'Revoke a refresh token.' })
|
|
101
101
|
@ApiOkResponse({
|
|
102
|
-
description:
|
|
102
|
+
description: 'Refresh token is revoked or already unusable.',
|
|
103
103
|
type: RevokedResponseDto,
|
|
104
104
|
})
|
|
105
105
|
@ApiErrorResponses(400)
|
|
@@ -107,22 +107,22 @@ export class AuthController {
|
|
|
107
107
|
return this.authService.logout(dto);
|
|
108
108
|
}
|
|
109
109
|
|
|
110
|
-
@Get(
|
|
110
|
+
@Get('google')
|
|
111
111
|
@UseFilters(GoogleOAuthExceptionFilter)
|
|
112
112
|
@UseGuards(GoogleAuthGuard)
|
|
113
|
-
@ApiOperation({ summary:
|
|
114
|
-
@ApiFoundResponse({ description:
|
|
113
|
+
@ApiOperation({ summary: 'Start the Google OAuth login flow.' })
|
|
114
|
+
@ApiFoundResponse({ description: 'Redirects the browser to Google OAuth.' })
|
|
115
115
|
@ApiErrorResponses(403)
|
|
116
116
|
google() {
|
|
117
117
|
return undefined;
|
|
118
118
|
}
|
|
119
119
|
|
|
120
|
-
@Get(
|
|
120
|
+
@Get('google/callback')
|
|
121
121
|
@UseFilters(GoogleOAuthExceptionFilter)
|
|
122
122
|
@UseGuards(GoogleAuthGuard)
|
|
123
|
-
@ApiOperation({ summary:
|
|
123
|
+
@ApiOperation({ summary: 'Handle the Google OAuth callback.' })
|
|
124
124
|
@ApiFoundResponse({
|
|
125
|
-
description:
|
|
125
|
+
description: 'Redirects to the configured frontend success or error URL.',
|
|
126
126
|
})
|
|
127
127
|
@ApiErrorResponses(401, 403)
|
|
128
128
|
async googleCallback(
|
|
@@ -133,12 +133,12 @@ export class AuthController {
|
|
|
133
133
|
response.redirect(302, redirectUrl);
|
|
134
134
|
}
|
|
135
135
|
|
|
136
|
-
@Get(
|
|
136
|
+
@Get('me')
|
|
137
137
|
@UseGuards(JwtAuthGuard)
|
|
138
138
|
@ApiBearerAuth()
|
|
139
|
-
@ApiOperation({ summary:
|
|
139
|
+
@ApiOperation({ summary: 'Return the current JWT identity.' })
|
|
140
140
|
@ApiOkResponse({
|
|
141
|
-
description:
|
|
141
|
+
description: 'Current authenticated user.',
|
|
142
142
|
type: ActiveUserSummaryDto,
|
|
143
143
|
})
|
|
144
144
|
@ApiErrorResponses(401)
|
|
@@ -1,11 +1,9 @@
|
|
|
1
|
-
import { createParamDecorator, ExecutionContext } from
|
|
2
|
-
import { AuthenticatedUser } from
|
|
1
|
+
import { createParamDecorator, ExecutionContext } from '@nestjs/common';
|
|
2
|
+
import { AuthenticatedUser } from '../types/authenticated-user';
|
|
3
3
|
|
|
4
4
|
export const CurrentUser = createParamDecorator(
|
|
5
5
|
(_data: unknown, context: ExecutionContext): AuthenticatedUser => {
|
|
6
|
-
const request = context
|
|
7
|
-
.switchToHttp()
|
|
8
|
-
.getRequest<{ user: AuthenticatedUser }>();
|
|
6
|
+
const request = context.switchToHttp().getRequest<{ user: AuthenticatedUser }>();
|
|
9
7
|
return request.user;
|
|
10
8
|
},
|
|
11
9
|
);
|