@lenne.tech/nest-server 11.7.2 → 11.7.3

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lenne.tech/nest-server",
-  "version": "11.7.2",
+  "version": "11.7.3",
   "description": "Modern, fast, powerful Node.js web framework in TypeScript based on Nest with a GraphQL API and a connection to MongoDB (or other databases).",
   "keywords": [
     "node",

package/src/core/modules/auth/guards/roles.guard.ts

@@ -1,8 +1,12 @@
-import { ExecutionContext, Injectable, UnauthorizedException } from '@nestjs/common';
-import { Reflector } from '@nestjs/core';
+import { ExecutionContext, Injectable, Logger, Optional, UnauthorizedException } from '@nestjs/common';
+import { ModuleRef, Reflector } from '@nestjs/core';
 import { GqlExecutionContext } from '@nestjs/graphql';
+import { getConnectionToken } from '@nestjs/mongoose';
+import { Connection, Types } from 'mongoose';
+import { firstValueFrom, isObservable } from 'rxjs';
 
 import { RoleEnum } from '../../../common/enums/role.enum';
+import { BetterAuthService } from '../../better-auth/better-auth.service';
 import { AuthGuardStrategy } from '../auth-guard-strategy.enum';
 import { ExpiredTokenException } from '../exceptions/expired-token.exception';
 import { InvalidTokenException } from '../exceptions/invalid-token.exception';
@@ -14,16 +18,305 @@ import { AuthGuard } from './auth.guard';
  * The RoleGuard is activated by the Role decorator. It checks whether the current user has at least one of the
  * specified roles or is logged in when the S_USER role is set.
  * If this is not the case, an UnauthorizedException is thrown.
+ *
+ * MULTI-TOKEN SUPPORT:
+ * This guard supports multiple authentication token types:
+ * 1. Legacy JWT tokens (Passport JWT strategy)
+ * 2. BetterAuth JWT tokens (verified via BetterAuth service)
+ * 3. BetterAuth session tokens (verified via database lookup)
+ *
+ * When Passport JWT validation fails, the guard falls back to BetterAuth verification:
+ * - First tries JWT verification if the JWT plugin is enabled
+ * - Then tries session token lookup via MongoDB
+ *
+ * This enables users who sign in via IAM (/iam/sign-in/email) to access all protected endpoints,
+ * regardless of whether they use JWT or session-based authentication.
  */
 @Injectable()
 export class RolesGuard extends AuthGuard(AuthGuardStrategy.JWT) {
+  private readonly logger = new Logger(RolesGuard.name);
+  private betterAuthService: BetterAuthService | null = null;
+  private mongoConnection: Connection | null = null;
+  private servicesResolved = false;
+
   /**
-   * Integrate reflector
+   * Integrate reflector and moduleRef for lazy service resolution
    */
-  constructor(protected readonly reflector: Reflector) {
+  constructor(
+    protected readonly reflector: Reflector,
+    @Optional() private readonly moduleRef?: ModuleRef,
+  ) {
     super();
   }
 
+  /**
+   * Lazily resolve BetterAuth service and MongoDB connection
+   */
+  private resolveServices(): void {
+    if (this.servicesResolved || !this.moduleRef) {
+      return;
+    }
+
+    try {
+      this.betterAuthService = this.moduleRef.get(BetterAuthService, { strict: false });
+    } catch {
+      // BetterAuth not available - that's fine, we'll use Legacy JWT only
+    }
+
+    try {
+      // Get the Mongoose connection to query users directly
+      this.mongoConnection = this.moduleRef.get(getConnectionToken(), { strict: false });
+    } catch {
+      // MongoDB connection not available
+    }
+
+    this.servicesResolved = true;
+  }
+
+  /**
+   * Override canActivate to add BetterAuth JWT fallback
+   *
+   * Flow:
+   * 1. Try Passport JWT authentication (Legacy JWT)
+   * 2. If that fails, try BetterAuth JWT verification
+   * 3. If BetterAuth succeeds, load the user and proceed
+   */
+  override async canActivate(context: ExecutionContext): Promise<boolean> {
+    // Resolve services lazily
+    this.resolveServices();
+
+    // First, try the parent canActivate (Passport JWT)
+    try {
+      const result = super.canActivate(context);
+      return isObservable(result) ? await firstValueFrom(result) : await result;
+    } catch (passportError) {
+      // Passport JWT validation failed - try BetterAuth token fallback (JWT or session)
+      if (!this.betterAuthService?.isEnabled()) {
+        // BetterAuth not available - rethrow original error
+        throw passportError;
+      }
+
+      // Try to verify the token via BetterAuth (JWT or session token)
+      const user = await this.verifyBetterAuthTokenFromContext(context);
+      if (!user) {
+        // BetterAuth verification also failed - rethrow original Passport error
+        throw passportError;
+      }
+
+      // BetterAuth token is valid - set the user on the request
+      const request = this.getRequest(context);
+      if (request) {
+        request.user = user;
+      }
+
+      // Now call handleRequest with the BetterAuth-authenticated user to check roles
+      this.handleRequest(null, user, null, context);
+
+      return true;
+    }
+  }
+
+  /**
+   * Verify BetterAuth token (JWT or session) and load the corresponding user
+   *
+   * This method tries multiple verification strategies:
+   * 1. BetterAuth JWT verification (if JWT plugin is enabled)
+   * 2. BetterAuth session token lookup (database lookup)
+   *
+   * @param context - ExecutionContext to extract request from
+   * @returns User object if verification succeeds, null otherwise
+   */
+  private async verifyBetterAuthTokenFromContext(context: ExecutionContext): Promise<any> {
+    if (!this.betterAuthService || !this.mongoConnection) {
+      return null;
+    }
+
+    try {
+      // Get the raw HTTP request from multiple possible sources
+      let authHeader: string | undefined;
+
+      // Try GraphQL context first
+      try {
+        const gqlContext = GqlExecutionContext.create(context);
+        const ctx = gqlContext.getContext();
+        if (ctx?.req?.headers) {
+          authHeader = ctx.req.headers.authorization || ctx.req.headers.Authorization;
+        }
+      } catch {
+        // GraphQL context not available
+      }
+
+      // Fallback to HTTP context
+      if (!authHeader) {
+        try {
+          const httpRequest = context.switchToHttp().getRequest();
+          if (httpRequest?.headers) {
+            authHeader = httpRequest.headers.authorization || httpRequest.headers.Authorization;
+          }
+        } catch {
+          // HTTP context not available
+        }
+      }
+
+      let token: string | undefined;
+
+      if (authHeader?.startsWith('Bearer ')) {
+        token = authHeader.substring(7);
+      } else if (authHeader?.startsWith('bearer ')) {
+        // Handle lowercase 'bearer' as well
+        token = authHeader.substring(7);
+      }
+
+      if (!token) {
+        return null;
+      }
+
+      // Strategy 1: Try JWT verification (if JWT plugin is enabled)
+      if (this.betterAuthService.isJwtEnabled()) {
+        try {
+          const payload = await this.betterAuthService.verifyJwtToken(token);
+          if (payload?.sub) {
+            const user = await this.loadUserFromPayload(payload);
+            if (user) {
+              return user;
+            }
+          }
+        } catch {
+          // JWT verification failed - try session token next
+        }
+      }
+
+      // Strategy 2: Try session token lookup (database lookup)
+      try {
+        const sessionResult = await this.betterAuthService.getSessionByToken(token);
+        if (sessionResult?.user) {
+          return this.loadUserFromSessionResult(sessionResult.user);
+        }
+      } catch {
+        // Session lookup failed
+      }
+
+      return null;
+    } catch (error) {
+      this.logger.debug(
+        `BetterAuth token fallback failed: ${error instanceof Error ? error.message : 'Unknown error'}`,
+      );
+      return null;
+    }
+  }
+
+  /**
+   * Load user from JWT payload using direct MongoDB query
+   *
+   * @param payload - JWT payload with sub (user ID or iamId)
+   * @returns User object with hasRole method
+   */
+  private async loadUserFromPayload(payload: { [key: string]: any; sub: string }): Promise<any> {
+    if (!this.mongoConnection) {
+      return null;
+    }
+
+    try {
+      const usersCollection = this.mongoConnection.collection('users');
+      let user: any = null;
+
+      // Try to find by MongoDB _id first
+      if (Types.ObjectId.isValid(payload.sub)) {
+        user = await usersCollection.findOne({ _id: new Types.ObjectId(payload.sub) });
+      }
+
+      // If not found, try by iamId
+      if (!user) {
+        user = await usersCollection.findOne({ iamId: payload.sub });
+      }
+
+      if (!user) {
+        return null;
+      }
+
+      // Convert MongoDB document to user-like object with hasRole method
+      const userObject = {
+        ...user,
+        _authenticatedViaBetterAuth: true,
+        // Add hasRole method for role checking
+        hasRole: (roles: string[]): boolean => {
+          if (!user.roles || !Array.isArray(user.roles)) {
+            return false;
+          }
+          return roles.some((role) => user.roles.includes(role));
+        },
+        id: user._id?.toString(),
+      };
+
+      return userObject;
+    } catch (error) {
+      this.logger.debug(
+        `Failed to load user from payload: ${error instanceof Error ? error.message : 'Unknown error'}`,
+      );
+      return null;
+    }
+  }
+
+  /**
+   * Load user from session result (from getSessionByToken)
+   *
+   * @param sessionUser - User object from session lookup
+   * @returns User object with hasRole method
+   */
+  private async loadUserFromSessionResult(sessionUser: any): Promise<any> {
+    if (!this.mongoConnection || !sessionUser) {
+      return null;
+    }
+
+    try {
+      const usersCollection = this.mongoConnection.collection('users');
+
+      // The sessionUser might have id (BetterAuth ID) or email
+      // We need to find the corresponding user in our users collection
+      let user: any = null;
+
+      // Try to find by email (most reliable)
+      if (sessionUser.email) {
+        user = await usersCollection.findOne({ email: sessionUser.email });
+      }
+
+      // If not found by email, try by iamId
+      if (!user && sessionUser.id) {
+        user = await usersCollection.findOne({ iamId: sessionUser.id });
+      }
+
+      // If still not found, try by _id (if the ID looks like a MongoDB ObjectId)
+      if (!user && sessionUser.id && Types.ObjectId.isValid(sessionUser.id)) {
+        user = await usersCollection.findOne({ _id: new Types.ObjectId(sessionUser.id) });
+      }
+
+      if (!user) {
+        return null;
+      }
+
+      // Convert MongoDB document to user-like object with hasRole method
+      const userObject = {
+        ...user,
+        _authenticatedViaBetterAuth: true,
+        // Add hasRole method for role checking
+        hasRole: (roles: string[]): boolean => {
+          if (!user.roles || !Array.isArray(user.roles)) {
+            return false;
+          }
+          return roles.some((role) => user.roles.includes(role));
+        },
+        id: user._id?.toString(),
+      };
+
+      return userObject;
+    } catch (error) {
+      this.logger.debug(
+        `Failed to load user from session: ${error instanceof Error ? error.message : 'Unknown error'}`,
+      );
+      return null;
+    }
+  }
+
   /**
    * Handle request
    */
@@ -42,7 +335,7 @@ export class RolesGuard extends AuthGuard(AuthGuardStrategy.JWT) {
     }
 
     // Check roles
-    if (!roles || !roles.some(value => !!value)) {
+    if (!roles || !roles.some((value) => !!value)) {
       return user;
     }
 

package/src/core/modules/user/core-user.service.ts

@@ -91,6 +91,33 @@ export abstract class CoreUserService<
     return this.process(async () => dbObject, { dbObject, serviceOptions });
   }
 
+  /**
+   * Get user by MongoDB ID or BetterAuth IAM ID
+   *
+   * This method is used by RolesGuard to resolve users from BetterAuth JWT tokens.
+   * The sub claim in BetterAuth JWTs can contain either:
+   * - The MongoDB _id of the user
+   * - The BetterAuth iamId
+   *
+   * @param idOrIamId - MongoDB _id or BetterAuth iamId
+   * @returns User object or null if not found
+   */
+  async getByIdOrIamId(idOrIamId: string): Promise<null | TUser> {
+    try {
+      // First, try to find by MongoDB _id
+      const byId = await this.mainDbModel.findById(idOrIamId).exec();
+      if (byId) {
+        return byId as TUser;
+      }
+    } catch {
+      // Invalid ObjectId format - try iamId instead
+    }
+
+    // Try to find by iamId
+    const byIamId = await this.mainDbModel.findOne({ iamId: idOrIamId }).exec();
+    return byIamId as null | TUser;
+  }
+
   /**
    * Get verified state of user by token
    */