@hed-hog/core 0.0.4

package/src/oauth/oauth.service.ts

@@ -0,0 +1,364 @@
+import { PrismaService, user_account_provider_enum } from '@hed-hog/api-prisma';
+import {
+  BadRequestException,
+  ConflictException,
+  forwardRef,
+  Inject,
+  Injectable,
+  NotFoundException,
+  OnModuleInit,
+} from '@nestjs/common';
+import { AuthService } from '../auth/auth.service';
+import { FileService } from '../file/file.service';
+import { MailService as MailManagerService } from '../mail/mail.service';
+import { SecurityService } from '../security/security.service';
+import { SettingService } from '../setting/setting.service';
+import { TokenService } from '../token/token.service';
+import { UserService } from '../user/user.service';
+import { OAuthProvider } from './interfaces/OAuthProvider';
+import { FacebookProvider } from './providers/facebook.provider';
+import { GithubProvider } from './providers/github.provider';
+import { GoogleProvider } from './providers/google.provider';
+import { MicrosoftProvider } from './providers/microsoft.provider';
+
+type HandleCallbackProps = {
+  locale: string;
+  ipAddress: string; 
+  userAgent: string;
+  res: Response;
+  provider: user_account_provider_enum;
+  code?: string;
+  type: 'login' | 'register' | 'connect' | 'disconnect';
+  userId?: number;
+  email?: string;
+};
+
+@Injectable()
+export class OAuthService implements OnModuleInit {
+  private providers: Map<string, OAuthProvider> = new Map();
+  public settings: Record<string, any> = {};
+
+  constructor(
+    google: GoogleProvider,
+    facebook: FacebookProvider,
+    microsoft: MicrosoftProvider,
+    github: GithubProvider,
+    @Inject(forwardRef(() => AuthService))
+    private readonly auth: AuthService,
+    private readonly file: FileService,
+    private readonly mail: MailManagerService,
+    private readonly security: SecurityService,
+    private readonly prisma: PrismaService,
+    private readonly token: TokenService,
+    private readonly setting: SettingService,
+    @Inject(forwardRef(() => UserService))
+    private readonly user: UserService,
+  ) {
+    this.providers.set(google.getProviderType(), google);
+    this.providers.set(facebook.getProviderType(), facebook);
+    this.providers.set(microsoft.getProviderType(), microsoft);
+    this.providers.set(github.getProviderType(), github);
+  }
+
+  async onModuleInit() {
+    this.settings = await this.setting.getSettingValues([
+      'oauth-mfa',
+      'google_scopes',
+      'facebook_scopes',
+      'github_scopes',
+      'microsoft_scopes',
+    ]);
+  }
+
+  getAuthUrl(provider: user_account_provider_enum, callbackPath: string) {
+    return this.getProvider(provider).getAuthUrl(callbackPath);
+  }
+
+  async handleCallback({
+    res,
+    locale,
+    ipAddress,
+    userAgent,
+    provider,
+    code,
+    type,
+    userId,
+    email,
+  }: HandleCallbackProps) {
+    let profile;
+
+    if (type !== 'disconnect') {
+      profile = await this.getProvider(provider).getProfile(code, type);
+    }
+
+    switch (type) {
+      case 'login':
+        return this.handleLogin(res, locale, ipAddress, userAgent, provider, profile);
+      case 'register':
+        return this.handleRegister(res, locale, ipAddress, userAgent, provider, profile);
+      case 'connect':
+        return this.handleConnect(res, locale, ipAddress, userAgent, provider, profile, userId);
+      case 'disconnect':
+        return this.handleDisconnect(res, locale, ipAddress, userAgent, provider, email);
+    }
+  }
+
+  private getProvider(provider: user_account_provider_enum) {
+    const prov = this.providers.get(provider.toUpperCase());
+    if (!prov)
+      throw new BadRequestException(`Provider ${provider} não suportado`);
+    return prov;
+  }
+
+  private getProviderScopes(provider: user_account_provider_enum): string {
+    const settingKey = `${provider.toLowerCase()}_scopes`;
+    return this.settings[settingKey].join(',') || '';
+  }
+
+  private async handleLogin(res: Response, locale: string, ipAddress: string, userAgent: string, provider: user_account_provider_enum, profile: any) {
+    const userAccount = await this.prisma.user_account.findFirst({
+      where: {
+        provider: provider.toLowerCase() as user_account_provider_enum,
+        email: profile.email,
+      },
+      include: {
+        user: true,
+      },
+    });
+
+    if (!userAccount) {
+      const userIdentifier = await this.prisma.user_identifier.findFirst({
+        where: {
+          type: 'email',
+          value: profile.email,
+        },
+        include: { user: true },
+      });
+
+      if (userIdentifier) {
+        return this.handleConnect(res, locale, ipAddress, userAgent, provider, profile, userIdentifier.user_id);
+      } else {
+        return this.handleRegister(res, locale, ipAddress, userAgent, provider, profile);
+      }
+    } else {
+      if (profile.oauth_tokens?.refresh_token) {
+        const encryptedRefreshToken = this.security.encrypt(profile.oauth_tokens.refresh_token);
+        const scopes = this.getProviderScopes(provider);
+        await this.prisma.user_account.update({
+          where: { id: userAccount.id },
+          data: {
+            refresh_token: Buffer.from(encryptedRefreshToken),
+            token_expires_at: profile.oauth_tokens.expires_in
+              ? new Date(Date.now() + profile.oauth_tokens.expires_in * 1000)
+              : null,
+            scopes,
+          },
+        });
+      }
+
+      const { accessToken, refreshToken, session } = await this.auth.getAuthenticationPayload(
+        locale,
+        userAccount.user_id,
+        ipAddress,
+        userAgent
+      );
+
+      await this.token.setRefreshTokenCookie(locale, res, refreshToken, session.expires_at);
+      return { accessToken };
+    }
+  }
+
+  private async handleRegister(res: Response, locale: string, ipAddress: string, userAgent: string, provider: user_account_provider_enum, profile: any) {
+    const existingUser = await this.prisma.user_identifier.findFirst({
+      where: {
+        type: 'email',
+        value: profile.email,
+      },
+    });
+
+    if (existingUser) {
+      throw new ConflictException(
+        'Este email já está sendo usado. Entre em sua conta e utilize a opção "Conectar".',
+      );
+    }
+
+    const encryptedRefreshToken = this.security.encrypt(profile.oauth_tokens.refresh_token) 
+    const scopes = this.getProviderScopes(provider);
+    const user = await this.prisma.user.create({
+      data: {
+        name: profile.name,
+        user_identifier: {
+          create: {
+            type: 'email',
+            value: profile.email,
+            verified_at: new Date(),
+          },
+        },
+        user_account: {
+          create: {
+            provider: provider.toLowerCase() as user_account_provider_enum,
+            provider_user_id: profile.id,
+            email: profile.email,
+            refresh_token: Buffer.from(encryptedRefreshToken),
+            token_expires_at: profile.oauth_tokens?.expires_in
+              ? new Date(Date.now() + profile.oauth_tokens.expires_in * 1000)
+              : null,
+            scopes,
+          },
+        },
+      },
+    });
+
+    await this.mail.sendTemplatedMail(locale, {
+      email: profile.email,
+      slug: 'register',
+      variables: { name: profile.name },
+    });
+
+    const pictureURL = profile.picture?.data?.url || profile.picture;
+    if (pictureURL) {
+      const photoId = await this.downloadAndSaveProfilePicture(
+        pictureURL,
+        user.id,
+        profile.oauth_tokens?.access_token,
+      );
+
+      await this.prisma.user.update({
+        where: { id: user.id },
+        data: { photo_id: photoId },
+      });
+    }
+
+    await this.user.registerUserActivity(user.id, 'oauth-register');
+    const { accessToken, refreshToken, session } = await this.auth.getAuthenticationPayload(
+      locale,
+      user.id,
+      ipAddress,
+      userAgent
+    );
+    await this.token.setRefreshTokenCookie(locale, res, refreshToken, session.expires_at);
+    return { accessToken };
+  }
+
+  private async handleConnect(
+    res: Response, 
+    locale: string, 
+    ipAddress: string, 
+    userAgent: string,
+    provider: user_account_provider_enum,
+    profile: any,
+    userId: number,
+  ) {
+    const existingAccount = await this.prisma.user_account.findFirst({
+      where: {
+        user_id: userId,
+        provider: provider.toLowerCase() as user_account_provider_enum,
+      },
+    });
+
+    if (existingAccount) {
+      throw new BadRequestException(`Usuário já conectado com o ${provider}.`);
+    }
+
+    const encryptedRefreshToken = this.security.encrypt(profile.oauth_tokens.refresh_token) 
+    const scopes = this.getProviderScopes(provider);
+    await this.prisma.user_account.create({
+      data: {
+        user_id: userId,
+        provider: provider.toLowerCase() as user_account_provider_enum,
+        provider_user_id: profile.id,
+        email: profile.email,
+        refresh_token: Buffer.from(encryptedRefreshToken),
+        token_expires_at: profile.oauth_tokens?.expires_in
+          ? new Date(Date.now() + profile.oauth_tokens.expires_in * 1000)
+          : null,
+        scopes,
+      },
+    });
+
+    const user = await this.prisma.user.findUnique({ where: { id: userId } });
+    const updateData: any = {};
+    const pictureURL = profile.picture?.data?.url || profile.picture;
+    if (pictureURL) {
+      const photoId = await this.downloadAndSaveProfilePicture(
+        pictureURL,
+        userId,
+        profile.oauth_tokens?.access_token,
+      );
+      if (photoId) {
+        updateData.photo_id = photoId;
+      }
+    }
+
+    if (profile.name && profile.name.length > (user.name?.length || 0)) {
+      updateData.name = profile.name;
+    }
+
+    if (Object.keys(updateData).length > 0) {
+      await this.prisma.user.update({
+        where: { id: userId },
+        data: updateData,
+      });
+    }
+
+    await this.user.registerUserActivity(userId, 'oauth-connect');
+    const { accessToken, refreshToken, session } = await this.auth.getAuthenticationPayload(locale, user.id, ipAddress, userAgent);
+    await this.token.setRefreshTokenCookie(locale, res, refreshToken, session.expires_at);
+    return { accessToken };
+  }
+
+  private async handleDisconnect(res: Response, locale: string, ipAddress: string, userAgent: string, provider: user_account_provider_enum, email: string) {
+    const userAccount = await this.prisma.user_account.findFirst({
+      where: {
+        email,
+        provider: provider.toLowerCase() as user_account_provider_enum,
+      },
+      include: { user: true }
+    });
+
+    if (!userAccount) {
+      throw new NotFoundException(`Usuário não conectado ao ${provider}.`);
+    }
+
+    await this.prisma.user_account.delete({
+      where: { id: userAccount.id },
+    });
+
+    await this.user.registerUserActivity(userAccount.user.id, 'oauth-disconnect');
+    const { accessToken, refreshToken, session } = await this.auth.getAuthenticationPayload(locale, userAccount.user.id, ipAddress, userAgent);
+    await this.token.setRefreshTokenCookie(locale, res, refreshToken, session.expires_at);
+    return { accessToken };
+  }
+
+  private async downloadAndSaveProfilePicture(
+    url: string,
+    userId: number,
+    accessToken?: string,
+  ) {
+    if (!url) return null;
+
+    const headers: any = {};
+    if (accessToken) {
+      headers['Authorization'] = `Bearer ${accessToken}`;
+    }
+
+    const response = await fetch(url, { headers });
+    
+    if (!response.ok) {
+      console.warn(`Failed to download profile picture from ${url}: ${response.statusText}`);
+      return null;
+    }
+
+    const buffer = Buffer.from(await response.arrayBuffer());
+
+    const file = {
+      originalname: `profile_${userId}.jpg`,
+      mimetype: response.headers.get('content-type') || 'image/jpeg',
+      buffer,
+      size: buffer.length,
+    } as any;
+
+    const savedFile = await this.file.upload('profile-pictures', file);
+    return savedFile.id;
+  }
+}

package/src/oauth/providers/abstract.provider.ts

@@ -0,0 +1,50 @@
+import { HttpService } from '@nestjs/axios';
+import { lastValueFrom } from 'rxjs';
+import { OAuthProvider } from '../interfaces/OAuthProvider';
+
+export abstract class BaseOAuthProvider implements OAuthProvider {
+  constructor(protected readonly http: HttpService) {}
+
+  abstract getAuthUrl(callbackPath: string): string;
+  abstract getProfile(code: string, type?: string): Promise<any>;
+  abstract getProviderType(): string;
+
+  protected async fetchToken({
+    code,
+    url,
+    clientId,
+    clientSecret,
+    redirectUri,
+  }: {
+    code: string;
+    url: string;
+    clientId: string;
+    clientSecret: string;
+    redirectUri: string;
+  }) {
+    const body = new URLSearchParams({
+      client_id: clientId,
+      client_secret: clientSecret,
+      redirect_uri: redirectUri,
+      grant_type: 'authorization_code',
+      code,
+    }).toString();
+
+    const response = await lastValueFrom(
+      this.http.post(url, body, {
+        headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+      }),
+    );
+
+    return response.data;
+  }
+
+  protected async fetchProfile(accessToken: string, url: string) {
+    const response = await lastValueFrom(
+      this.http.get(url, {
+        headers: { Authorization: `Bearer ${accessToken}` },
+      }),
+    );
+    return response.data;
+  }
+}

package/src/oauth/providers/facebook.provider.ts

@@ -0,0 +1,69 @@
+import { HttpService } from '@nestjs/axios';
+import { forwardRef, Inject, Injectable, OnModuleInit } from '@nestjs/common';
+import { SettingService } from '../../setting/setting.service';
+import { BaseOAuthProvider } from './abstract.provider';
+
+@Injectable()
+export class FacebookProvider
+  extends BaseOAuthProvider
+  implements OnModuleInit {
+  public settings: Record<string, any> = {};
+
+  constructor(
+    http: HttpService,
+    @Inject(forwardRef(() => SettingService))
+    private readonly setting: SettingService,
+  ) {
+    super(http);
+  }
+
+  async onModuleInit() {
+    this.settings = await this.setting.getSettingValues([
+      'facebook_client_id',
+      'facebook_client_secret',
+      'facebook_scopes',
+      'url',
+    ]);
+  }
+
+  getProviderType() {
+    return 'FACEBOOK';
+  }
+
+  getAuthUrl(callbackPath: string): string {
+    const redirectURI = new URL(callbackPath, this.settings['url']).toString();
+
+    const params = new URLSearchParams({
+      client_id: this.settings['facebook_client_id'],
+      redirect_uri: redirectURI,
+      response_type: 'code',
+      scope: (this.settings['facebook_scopes'] ?? ['email']).join(','),
+      auth_type: 'rerequest',
+    });
+
+    return `https://www.facebook.com/v17.0/dialog/oauth?${params}`;
+  }
+
+  async getProfile(code: string, type: string): Promise<any> {
+    const token = await this.fetchToken({
+      code,
+      url: 'https://graph.facebook.com/v17.0/oauth/access_token',
+      clientId: this.settings['facebook_client_id'],
+      clientSecret: this.settings['facebook_client_secret'],
+      redirectUri: `${this.settings['url']}/oauth/facebook/callback/${type}`,
+    });
+    const profile = await this.fetchProfile(
+      token.access_token,
+      'https://graph.facebook.com/me?fields=id,name,email,gender,birthday,picture',
+    );
+    return {
+      ...profile,
+      oauth_tokens: {
+        access_token: token.access_token,
+        refresh_token: token.refresh_token,
+        expires_in: token.expires_in,
+        token_type: token.token_type,
+      },
+    };
+  }
+}

package/src/oauth/providers/github.provider.ts

@@ -0,0 +1,113 @@
+import { HttpService } from '@nestjs/axios';
+import { forwardRef, Inject, Injectable, OnModuleInit } from '@nestjs/common';
+import { SettingService } from '../../setting/setting.service';
+import { BaseOAuthProvider } from './abstract.provider';
+
+@Injectable()
+export class GithubProvider
+  extends BaseOAuthProvider
+  implements OnModuleInit {
+  public settings: Record<string, any> = {};
+
+  constructor(
+    http: HttpService,
+    @Inject(forwardRef(() => SettingService))
+    private readonly setting: SettingService,
+  ) {
+    super(http);
+  }
+
+  async onModuleInit() {
+    this.settings = await this.setting.getSettingValues([
+      'github_client_id',
+      'github_client_secret',
+      'github_scopes',
+      'api-url',
+    ]);
+  }
+
+  getProviderType() {
+    return 'GITHUB';
+  }
+
+  getAuthUrl(callbackPath: string): string {
+    const fixedCallbackPath = '/oauth/github/callback';
+    const redirectURI = new URL(fixedCallbackPath, this.settings['api-url']).toString();
+    const scopes = this.settings['github_scopes'];
+    const type = callbackPath.split('/').pop() || 'login';
+    const params = new URLSearchParams({
+      client_id: this.settings['github_client_id'],
+      redirect_uri: redirectURI,
+      scope: scopes.join(' '),
+      allow_signup: 'true',
+      state: type,
+    });
+
+    return `https://github.com/login/oauth/authorize?${params.toString()}`;
+  }
+
+  async getProfile(code: string) {
+    const fixedCallbackPath = '/oauth/github/callback';
+    const redirectURI = new URL(fixedCallbackPath, this.settings['api-url'].replace(":3200", ":3100")).toString();
+    const tokenResponse = await this.http.axiosRef.post(
+      'https://github.com/login/oauth/access_token',
+      {
+        client_id: this.settings['github_client_id'],
+        client_secret: this.settings['github_client_secret'],
+        code,
+        redirect_uri: redirectURI,
+      },
+      {
+        headers: {
+          Accept: 'application/json',
+        },
+      },
+    );
+
+    const { access_token, error, error_description } = tokenResponse.data;
+    if (error || !access_token) {
+      throw new Error(
+        `GitHub OAuth error: ${error_description || error || 'No access token received'}`,
+      );
+    }
+
+    const profileResponse = await this.http.axiosRef.get(
+      'https://api.github.com/user',
+      {
+        headers: {
+          Authorization: `Bearer ${access_token}`,
+        },
+      },
+    );
+
+    const profile = profileResponse.data;
+    let email = profile.email;
+    if (!email) {
+      const emailResponse = await this.http.axiosRef.get(
+        'https://api.github.com/user/emails',
+        {
+          headers: {
+            Authorization: `Bearer ${access_token}`,
+          },
+        },
+      );
+      const primaryEmail = emailResponse.data.find(
+        (e: any) => e.primary && e.verified,
+      );
+      email = primaryEmail?.email || null;
+    }
+
+    return {
+      id: profile.id.toString(),
+      email,
+      name: profile.name || profile.login,
+      picture: profile.avatar_url,
+      oauth_tokens: {
+        access_token: access_token,
+        refresh_token: access_token,
+        expires_in: null,
+        token_type: 'bearer',
+      },
+    };
+  }
+}

package/src/oauth/providers/google.provider.ts

@@ -0,0 +1,108 @@
+import { HttpService } from '@nestjs/axios';
+import { forwardRef, Inject, Injectable, OnModuleInit } from '@nestjs/common';
+import { SettingService } from '../../setting/setting.service';
+import { BaseOAuthProvider } from './abstract.provider';
+
+@Injectable()
+export class GoogleProvider extends BaseOAuthProvider implements OnModuleInit {
+  public settings: Record<string, any> = {};
+
+  constructor(
+    http: HttpService,
+    @Inject(forwardRef(() => SettingService))
+    private readonly setting: SettingService,
+  ) {
+    super(http);
+  }
+
+  async onModuleInit() {
+    this.settings = await this.setting.getSettingValues([
+      'google_client_id',
+      'google_client_secret',
+      'google_scopes',
+      'url',
+    ]);
+  }
+
+  getProviderType() {
+    return 'GOOGLE';
+  }
+
+  getAuthUrl(callbackPath: string): string {
+    const redirectURI = new URL(callbackPath, this.settings['url']).toString();
+
+    const params = new URLSearchParams({
+      client_id: this.settings['google_client_id'],
+      redirect_uri: redirectURI,
+      response_type: 'code',
+      scope: (this.settings['google_scopes'] ?? []).join(' '),
+      access_type: 'offline',
+      prompt: 'consent',
+    });
+
+    return `https://accounts.google.com/o/oauth2/v2/auth?${params}`;
+  }
+
+  async getProfile(code: string, type: string) {
+    const token = await this.fetchToken({
+      code,
+      url: 'https://oauth2.googleapis.com/token',
+      clientId: this.settings['google_client_id'],
+      clientSecret: this.settings['google_client_secret'],
+      redirectUri: `${this.settings['url']}/callback/google/${type}`,
+    });
+
+    const basicProfile = await this.fetchProfile(
+      token.access_token,
+      'https://www.googleapis.com/oauth2/v2/userinfo',
+    );
+
+    const peopleProfile = await this.getGoogleProfileFromAccessToken(
+      token.access_token,
+    );
+    
+    return {
+      ...basicProfile,
+      gender: peopleProfile.gender,
+      birthday: peopleProfile.birthday,
+      oauth_tokens: {
+        access_token: token.access_token,
+        refresh_token: token.refresh_token,
+        expires_in: token.expires_in,
+        token_type: token.token_type,
+      },
+    };
+  }
+
+  private async getGoogleProfileFromAccessToken(accessToken: string) {
+    const url =
+      'https://people.googleapis.com/v1/people/me?personFields=genders,birthdays';
+
+    const res = await fetch(url, {
+      headers: {
+        Authorization: `Bearer ${accessToken}`,
+      },
+    });
+
+    if (!res.ok) {
+      throw new Error(`Google People API error: ${res.statusText}`);
+    }
+
+    const data: any = await res.json();
+
+    const gender =
+      data.genders?.find((g: any) => g.metadata?.primary)?.value ??
+      data.genders?.[0]?.value ??
+      null;
+
+    const b =
+      data.birthdays?.find((x: any) => x.metadata?.primary) ??
+      data.birthdays?.[0];
+
+    const date = b?.date
+      ? { day: b.date.day, month: b.date.month, year: b.date.year ?? null }
+      : null;
+
+    return { gender, birthday: date, raw: data };
+  }
+}