@lenne.tech/nest-server 9.1.0 → 9.2.0

package/src/core/modules/auth/core-auth.resolver.ts

@@ -1,6 +1,14 @@
-import { Args, Info, Query, Resolver } from '@nestjs/graphql';
+import { UseGuards } from '@nestjs/common';
+import { Args, Context, Info, Mutation, Resolver } from '@nestjs/graphql';
+import { Response as ResponseType } from 'express';
 import { GraphQLResolveInfo } from 'graphql';
+import { GraphQLUser } from '../../common/decorators/graphql-user.decorator';
+import { ConfigService } from '../../common/services/config.service';
 import { CoreAuthModel } from './core-auth.model';
+import { AuthGuard } from './guards/auth.guard';
+import { CoreAuthSignInInput } from './inputs/core-auth-sign-in.input';
+import { CoreAuthSignUpInput } from './inputs/core-auth-sign-up.input';
+import { ICoreAuthUser } from './interfaces/core-auth-user.interface';
 import { CoreAuthService } from './services/core-auth.service';
 
 /**
@@ -11,21 +19,96 @@ export class CoreAuthResolver {
   /**
    * Import services
    */
-  constructor(protected readonly authService: CoreAuthService) {}
+  constructor(protected readonly authService: CoreAuthService, protected readonly configService: ConfigService) {}
 
   // ===========================================================================
-  // Queries
+  // Mutations
   // ===========================================================================
 
   /**
-   * Get user via ID
+   * Sign in user via email and password (on specific device)
    */
-  @Query((returns) => CoreAuthModel, { description: 'Get JWT token' })
+  @Mutation((returns) => CoreAuthModel, {
+    description: 'Sign in user via email and password and get JWT tokens (for specific device)',
+  })
   async signIn(
-    @Args('email') email: string,
-    @Args('password') password: string,
-    @Info() info: GraphQLResolveInfo
-  ): Promise<Partial<CoreAuthModel>> {
-    return await this.authService.signIn(email, password, { fieldSelection: { info, select: 'signIn' } });
+    @Info() info: GraphQLResolveInfo,
+    @Context() ctx: { res: ResponseType },
+    @Args('input') input: CoreAuthSignInInput
+  ): Promise<CoreAuthModel> {
+    const result = await this.authService.signIn(input, { fieldSelection: { info, select: 'signIn' } });
+    return this.processCookies(ctx, result);
+  }
+
+  /**
+   * Logout user (from specific device)
+   */
+  @Mutation((returns) => CoreAuthModel, { description: 'Logout user (from specific device)' })
+  async logout(
+    @GraphQLUser() currentUser: ICoreAuthUser,
+    @Context() ctx: { res: ResponseType },
+    @Args('deviceId', { nullable: true }) deviceId?: string
+  ): Promise<boolean> {
+    const result = await this.authService.logout({ currentUser, deviceId });
+    return this.processCookies(ctx, result);
+  }
+
+  /**
+   * Refresh token (for specific device)
+   */
+  @UseGuards(AuthGuard('jwt-refresh'))
+  @Mutation((returns) => CoreAuthModel, { description: 'Refresh tokens (for specific device)' })
+  async refreshToken(
+    @GraphQLUser() user: ICoreAuthUser,
+    @Context() ctx: { res: ResponseType },
+    @Args('deviceId', { nullable: true }) deviceId?: string
+  ): Promise<CoreAuthModel> {
+    const result = await this.authService.refreshTokens(user, deviceId);
+    return this.processCookies(ctx, result);
+  }
+
+  /**
+   * Register a new user account (on specific device)
+   */
+  @Mutation((returns) => CoreAuthModel, { description: 'Register a new user account (on specific device)' })
+  async signUp(
+    @Info() info: GraphQLResolveInfo,
+    @Context() ctx: { res: ResponseType },
+    @Args('input') input: CoreAuthSignUpInput
+  ): Promise<CoreAuthModel> {
+    const result = await this.authService.signUp(input, { fieldSelection: { info, select: 'signUp' } });
+    return this.processCookies(ctx, result);
+  }
+
+  // ===================================================================================================================
+  // Helper
+  // ===================================================================================================================
+
+  /**
+   * Process cookies
+   */
+  protected processCookies(ctx: { res: ResponseType }, result: any) {
+    // Check if cookie handling is activated
+    if (this.configService.getFastButReadOnly('cookies')) {
+      // Set cookies
+      if (typeof result !== 'object') {
+        ctx.res.cookie('token', '', { httpOnly: true });
+        ctx.res.cookie('refreshToken', '', { httpOnly: true });
+        return result;
+      }
+      ctx.res.cookie('token', result?.token || '', { httpOnly: true });
+      ctx.res.cookie('refreshToken', result?.refreshToken || '', { httpOnly: true });
+
+      // Remove tokens from result
+      if (result.token) {
+        delete result.token;
+      }
+      if (result.refreshToken) {
+        delete result.refreshToken;
+      }
+    }
+
+    // Return prepared result
+    return result;
   }
 }

package/src/core/modules/auth/guards/auth.guard.ts

@@ -1,4 +1,5 @@
 import { CanActivate, ExecutionContext, Logger, mixin, Optional, UnauthorizedException } from '@nestjs/common';
+import { GqlExecutionContext } from '@nestjs/graphql';
 import { AuthModuleOptions, Type } from '@nestjs/passport';
 import { defaultOptions } from '@nestjs/passport/dist/options';
 import { memoize } from '@nestjs/passport/dist/utils/memoize.util';
@@ -65,10 +66,7 @@ function createAuthGuard(type?: string): Type<CanActivate> {
 
       const options = { ...defaultOptions, ...this.options };
       const response = context?.switchToHttp()?.getResponse();
-      let request = this.getRequest(context);
-      if (!request) {
-        request = context?.switchToHttp()?.getRequest();
-      }
+      const request = this.getRequest(context);
       const passportFn = createPassportContext(request, response);
       const user = await passportFn(type || this.options.defaultStrategy, options, (err, currentUser, info) =>
         this.handleRequest(err, currentUser, info, context)
@@ -81,6 +79,15 @@ function createAuthGuard(type?: string): Type<CanActivate> {
      * Prepare request
      */
     getRequest<T = any>(context: ExecutionContext): T {
+      // Try to get request GraphQL context
+      try {
+        const ctx = GqlExecutionContext.create(context)?.getContext();
+        if (ctx?.req) {
+          return ctx.req;
+        }
+      } catch (e) {}
+
+      // Else return HTTP request
       return context && context.switchToHttp() ? context.switchToHttp().getRequest() : null;
     }
 
@@ -110,4 +117,4 @@ function createAuthGuard(type?: string): Type<CanActivate> {
 /**
  * Export AuthGuard
  */
-export const AuthGuard: (type?: string) => Type<IAuthGuard> = memoize(createAuthGuard);
+export const AuthGuard: (type?: string | string[]) => Type<IAuthGuard> = memoize(createAuthGuard);

package/src/core/modules/auth/guards/refresh-token.guard.ts

@@ -0,0 +1,5 @@
+import { Injectable } from '@nestjs/common';
+import { AuthGuard } from './auth.guard';
+
+@Injectable()
+export class RefreshTokenGuard extends AuthGuard('jwt-refresh') {}

package/src/core/modules/auth/guards/roles.guard.ts

@@ -1,4 +1,4 @@
-import { ExecutionContext, Inject, Injectable, UnauthorizedException } from '@nestjs/common';
+import { ExecutionContext, Injectable, UnauthorizedException } from '@nestjs/common';
 import { Reflector } from '@nestjs/core';
 import { GqlExecutionContext } from '@nestjs/graphql';
 import { RoleEnum } from '../../../common/enums/role.enum';

package/src/core/modules/auth/inputs/core-auth-sign-in.input.ts

@@ -10,6 +10,9 @@ export class CoreAuthSignInInput extends CoreInput {
   // Properties
   // ===================================================================================================================
 
+  @Field({ description: 'Device ID', nullable: true })
+  deviceId?: string = undefined;
+
   @Field({ description: 'Email', nullable: false })
   email: string = undefined;
 

package/src/core/modules/auth/inputs/core-auth-sign-up.input.ts

@@ -10,6 +10,9 @@ export class CoreAuthSignUpInput extends CoreInput {
   // Properties
   // ===================================================================================================================
 
+  @Field({ description: 'Device ID', nullable: true })
+  deviceId?: string = undefined;
+
   @Field({ description: 'Email', nullable: false })
   email: string = undefined;
 

package/src/core/modules/auth/interfaces/core-auth-user.interface.ts

@@ -2,6 +2,11 @@
  * Interface for user used in authorization module
  */
 export interface ICoreAuthUser {
+  /**
+   * ID of the user
+   */
+  id: string;
+
   /**
    * Email of the user
    */
@@ -11,4 +16,14 @@ export interface ICoreAuthUser {
    * Password of the user
    */
   password: string;
+
+  /**
+   * Refresh token
+   */
+  refreshToken?: string;
+
+  /**
+   * Refresh tokens for different devices
+   */
+  refreshTokens?: Record<string, string>;
 }

package/src/core/modules/auth/interfaces/jwt-payload.interface.ts

@@ -2,5 +2,5 @@
  * Interface for jwt payload
  */
 export interface JwtPayload {
-  email: string;
+  id: string;
 }

package/src/core/modules/auth/services/core-auth-user.service.ts

@@ -5,6 +5,16 @@ import { ICoreAuthUser } from '../interfaces/core-auth-user.interface';
  * Abstract class for user service in authorization module
  */
 export abstract class CoreAuthUserService {
+  /**
+   * Create user
+   */
+  abstract create(input: any, serviceOptions?: ServiceOptions): Promise<ICoreAuthUser>;
+
+  /**
+   * Get user via ID
+   */
+  abstract get(id: string, serviceOptions?: ServiceOptions): Promise<ICoreAuthUser>;
+
   /**
    * Get user via email
    */
@@ -14,4 +24,9 @@ export abstract class CoreAuthUserService {
    * Prepare output
    */
   abstract prepareOutput(output: any, options?: ServiceOptions): Promise<ICoreAuthUser>;
+
+  /**
+   * Update user
+   */
+  abstract update(id: string, input: any, serviceOptions?: ServiceOptions): Promise<ICoreAuthUser>;
 }

package/src/core/modules/auth/services/core-auth.service.ts

@@ -2,7 +2,13 @@ import { Injectable, UnauthorizedException } from '@nestjs/common';
 import { JwtService } from '@nestjs/jwt';
 import * as bcrypt from 'bcrypt';
 import { sha256 } from 'js-sha256';
+import { getStringIds } from '../../../common/helpers/db.helper';
+import { prepareServiceOptions } from '../../../common/helpers/service.helper';
 import { ServiceOptions } from '../../../common/interfaces/service-options.interface';
+import { ConfigService } from '../../../common/services/config.service';
+import { CoreAuthModel } from '../core-auth.model';
+import { CoreAuthSignInInput } from '../inputs/core-auth-sign-in.input';
+import { CoreAuthSignUpInput } from '../inputs/core-auth-sign-up.input';
 import { ICoreAuthUser } from '../interfaces/core-auth-user.interface';
 import { JwtPayload } from '../interfaces/jwt-payload.interface';
 import { CoreAuthUserService } from './core-auth-user.service';
@@ -12,18 +18,82 @@ import { CoreAuthUserService } from './core-auth-user.service';
  */
 @Injectable()
 export class CoreAuthService {
-  constructor(protected readonly userService: CoreAuthUserService, protected readonly jwtService: JwtService) {}
+  /**
+   * Integrate services
+   */
+  constructor(
+    protected readonly userService: CoreAuthUserService,
+    protected readonly jwtService: JwtService,
+    protected readonly configService: ConfigService
+  ) {}
+
+  /**
+   * Decode JWT
+   */
+  decodeJwt(token: string): JwtPayload {
+    return this.jwtService.decode(token) as JwtPayload;
+  }
+
+  /**
+   * Logout user (from device)
+   */
+  async logout(serviceOptions: ServiceOptions & { deviceId?: string }): Promise<boolean> {
+    const user = serviceOptions.currentUser;
+    if (!serviceOptions.currentUser) {
+      throw new UnauthorizedException();
+    }
+    const deviceId = serviceOptions.deviceId;
+    if (deviceId) {
+      if (!user.refreshTokens[deviceId]) {
+        return false;
+      }
+      delete user.refreshTokens[deviceId];
+      await this.userService.update(user.id, { refreshTokens: user.refreshTokens }, serviceOptions);
+      return true;
+    }
+    user.refreshToken = null;
+    user.refreshTokens = {};
+    await this.userService.update(
+      user.id,
+      {
+        refreshToken: user.refreshToken,
+        refreshTokens: user.refreshTokens,
+      },
+      serviceOptions
+    );
+    return true;
+  }
+
+  /**
+   * Refresh tokens
+   */
+  async refreshTokens(user: ICoreAuthUser, deviceId?: string) {
+    // Create new tokens
+    const tokens = await this.getTokens(user.id);
+    await this.updateRefreshToken(user, tokens.refreshToken, { deviceId });
+
+    // Return
+    return CoreAuthModel.map({
+      ...tokens,
+      user: await this.userService.prepareOutput(user),
+    });
+  }
 
   /**
    * User sign in via email
    */
-  async signIn(
-    email: string,
-    password: string,
-    serviceOptions?: ServiceOptions
-  ): Promise<{ token: string; user: ICoreAuthUser }> {
-    serviceOptions = serviceOptions || {};
-    serviceOptions.prepareOutput = null;
+  async signIn(input: CoreAuthSignInInput, serviceOptions?: ServiceOptions): Promise<CoreAuthModel> {
+    // Prepare service options
+    const serviceOptionsForUserService = prepareServiceOptions(serviceOptions, {
+      // We need password, so we can't use prepare output handling and have to deactivate it
+      prepareOutput: null,
+
+      // Select user field for automatic populate handling via user service
+      subFieldSelection: 'user',
+    });
+
+    // Inputs
+    const { email, password, deviceId } = input;
 
     // Get user
     const user = await this.userService.getViaEmail(email, serviceOptions);
@@ -34,25 +104,153 @@ export class CoreAuthService {
       throw new UnauthorizedException();
     }
 
-    // Return JWT
-    const payload: JwtPayload = { email: user.email };
-    return {
-      token: this.jwtService.sign(payload),
-      user: await this.userService.prepareOutput(user),
-    };
+    // Set device ID
+    serviceOptionsForUserService.deviceId = input.deviceId;
+
+    // Return tokens and user
+    return this.getResult(user, serviceOptions);
+  }
+
+  /**
+   * Register a new user account
+   */
+  async signUp(input: CoreAuthSignUpInput, serviceOptions?: ServiceOptions): Promise<CoreAuthModel> {
+    // Prepare service options
+    const serviceOptionsForUserService = prepareServiceOptions(serviceOptions, {
+      // Select user field for automatic populate handling via user service
+      subFieldSelection: 'user',
+    });
+
+    // Get and check user
+    const user = await this.userService.create(input, serviceOptionsForUserService);
+    if (!user) {
+      throw Error('Email Address already in use');
+    }
+
+    // Set device ID
+    serviceOptionsForUserService.deviceId = input.deviceId;
+
+    // Return tokens and user
+    return this.getResult(user, serviceOptionsForUserService);
   }
 
   /**
    * Validate user
    */
   async validateUser(payload: JwtPayload): Promise<any> {
-    return await this.userService.getViaEmail(payload.email);
+    // Get user
+    const user = await this.userService.get(payload.id);
+
+    // Check if user exists and is logged in
+    if (!user?.refreshToken) {
+      return null;
+    }
+
+    // Return user
+    return user;
   }
 
+  // ===================================================================================================================
+  // Helper
+  // ===================================================================================================================
+
   /**
-   * Decode JWT
+   * Rest result with user and tokens
    */
-  decodeJwt(token: string): JwtPayload {
-    return this.jwtService.decode(token) as JwtPayload;
+  protected async getResult(user: ICoreAuthUser, serviceOptions: ServiceOptions & { deviceId?: string }) {
+    // Create new tokens
+    const tokens = await this.getTokens(user.id);
+
+    // Set refresh token
+    await this.updateRefreshToken(user, tokens.refreshToken, serviceOptions);
+
+    // Return tokens and user
+    return CoreAuthModel.map({
+      ...tokens,
+      user: await this.userService.prepareOutput(user),
+    });
+  }
+
+  /**
+   * Get secret from JWT or refresh config
+   */
+  protected getSecretFromConfig(refresh?: boolean) {
+    let path = 'jwt';
+    if (refresh) {
+      path += '.refresh';
+    }
+    return (
+      this.configService.getFastButReadOnly(path + '.signInOptions.secret') ||
+      this.configService.getFastButReadOnly(path + '.signInOptions.secretOrPrivateKey') ||
+      this.configService.getFastButReadOnly(path + '.secret') ||
+      this.configService.getFastButReadOnly(path + '.secretOrPrivateKey')
+    );
+  }
+
+  /**
+   * Get JWT and refresh token
+   */
+  protected async getTokens(userId: string) {
+    const [token, refreshToken] = await Promise.all([
+      this.jwtService.signAsync(
+        { id: userId },
+        {
+          secret: this.getSecretFromConfig(false),
+          ...this.configService.getFastButReadOnly('jwt.signInOptions', {}),
+        }
+      ),
+      this.jwtService.signAsync(
+        { id: userId },
+        {
+          secret: this.getSecretFromConfig(true),
+          ...this.configService.getFastButReadOnly('jwt.refresh.signInOptions', {}),
+        }
+      ),
+    ]);
+    return {
+      token,
+      refreshToken,
+    };
+  }
+
+  /**
+   * Update refresh token(s)
+   */
+  protected async updateRefreshToken(
+    user: ICoreAuthUser,
+    refreshToken: string,
+    serviceOptions: ServiceOptions & { deviceId?: string } = {}
+  ) {
+    const hashedRefreshToken = await bcrypt.hash(refreshToken, 10);
+    const deviceId = serviceOptions?.deviceId;
+    if (deviceId) {
+      if (!user.refreshTokens) {
+        user.refreshTokens = {};
+      }
+      user.refreshTokens[deviceId] = hashedRefreshToken;
+
+      // Refresh token must be set even if only a specific device is logged in, because of the check in the validateUser method
+      if (!user.refreshToken) {
+        user.refreshToken = hashedRefreshToken;
+      }
+
+      return await this.userService.update(
+        getStringIds(user),
+        { refreshTokens: user.refreshTokens, refreshToken: user.refreshToken },
+        {
+          ...serviceOptions,
+          force: true,
+        }
+      );
+    }
+    user.refreshToken = hashedRefreshToken;
+    return await this.userService.update(
+      getStringIds(user),
+      { refreshToken: hashedRefreshToken },
+      {
+        ...serviceOptions,
+        force: true,
+      }
+    );
   }
 }

package/src/core/modules/auth/strategies/jwt-refresh.strategy.ts

@@ -0,0 +1,56 @@
+import { ForbiddenException, Injectable, UnauthorizedException } from '@nestjs/common';
+import { PassportStrategy } from '@nestjs/passport';
+import * as bcrypt from 'bcrypt';
+import { Request as RequestType, Request } from 'express';
+import { ExtractJwt, Strategy } from 'passport-jwt';
+import { ConfigService } from '../../../common/services/config.service';
+import { CoreAuthService } from '../services/core-auth.service';
+
+@Injectable()
+export class JwtRefreshStrategy extends PassportStrategy(Strategy, 'jwt-refresh') {
+  constructor(protected readonly authService: CoreAuthService, protected readonly configService: ConfigService) {
+    super({
+      jwtFromRequest: ExtractJwt.fromExtractors([
+        JwtRefreshStrategy.extractJWTFromCookie,
+        ExtractJwt.fromAuthHeaderAsBearerToken(),
+      ]),
+      privateKey: configService.get('jwt.refresh.privateKey'),
+      publicKey: configService.get('jwt.refresh.publicKey'),
+      secret: configService.get('jwt.refresh.secret') || configService.get('jwt.refresh.secretOrPrivateKey'),
+      secretOrKey: configService.get('jwt.refresh.secretOrPrivateKey') || configService.get('jwt.refresh.secret'),
+      secretOrKeyProvider: configService.get('jwt.refresh.secretOrKeyProvider'),
+      passReqToCallback: true,
+    });
+  }
+
+  /**
+   * Extract JWT from cookie
+   */
+  private static extractJWTFromCookie(req: RequestType): string | null {
+    return req?.cookies?.refreshToken || null;
+  }
+
+  /**
+   * Validate user via JWT payload
+   */
+  async validate(req: Request, payload: any) {
+    // Check user
+    const user = await this.authService.validateUser(payload);
+    if (!user) {
+      throw new UnauthorizedException();
+    }
+
+    // Check refresh token
+    const refreshToken = req
+      .get('Authorization')
+      .replace(/bearer/i, '')
+      .trim();
+    const refreshTokenMatches = await bcrypt.compare(refreshToken, user.refreshToken);
+    if (!refreshTokenMatches) {
+      throw new ForbiddenException('Access Denied');
+    }
+
+    // Return user
+    return user;
+  }
+}

package/src/core/modules/auth/{jwt.strategy.ts → strategies/jwt.strategy.ts}

@@ -1,21 +1,25 @@
 import { Injectable, UnauthorizedException } from '@nestjs/common';
 import { PassportStrategy } from '@nestjs/passport';
 import { ExtractJwt, Strategy } from 'passport-jwt';
-import { ConfigService } from '../../common/services/config.service';
-import { JwtPayload } from './interfaces/jwt-payload.interface';
-import { CoreAuthService } from './services/core-auth.service';
+import { ConfigService } from '../../../common/services/config.service';
+import { JwtPayload } from '../interfaces/jwt-payload.interface';
+import { CoreAuthService } from '../services/core-auth.service';
+import { Request as RequestType } from 'express';
 
 /**
  * Use JWT strategy for passport
  */
 @Injectable()
-export class JwtStrategy extends PassportStrategy(Strategy) {
+export class JwtStrategy extends PassportStrategy(Strategy, 'jwt') {
   /**
    * Init JWT strategy
    */
   constructor(protected readonly authService: CoreAuthService, protected readonly configService: ConfigService) {
     super({
-      jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
+      jwtFromRequest: ExtractJwt.fromExtractors([
+        JwtStrategy.extractJWTFromCookie,
+        ExtractJwt.fromAuthHeaderAsBearerToken(),
+      ]),
       privateKey: configService.get('jwt.privateKey'),
       publicKey: configService.get('jwt.publicKey'),
       secret: configService.get('jwt.secret') || configService.get('jwt.secretOrPrivateKey'),
@@ -24,6 +28,13 @@ export class JwtStrategy extends PassportStrategy(Strategy) {
     });
   }
 
+  /**
+   * Extract JWT from cookie
+   */
+  private static extractJWTFromCookie(req: RequestType): string | null {
+    return req?.cookies?.token || null;
+  }
+
   /**
    * Validate user via JWT payload
    */

package/src/core/modules/user/core-user.model.ts

@@ -1,5 +1,5 @@
 import { Field, ObjectType } from '@nestjs/graphql';
-import { Prop, Schema as MongooseSchema } from '@nestjs/mongoose';
+import { Prop, raw, Schema as MongooseSchema } from '@nestjs/mongoose';
 import { IsEmail, IsOptional } from 'class-validator';
 import { Document } from 'mongoose';
 import { User } from '../../../server/modules/user/user.model';
@@ -70,6 +70,22 @@ export abstract class CoreUserModel extends CorePersistenceModel {
   @Prop()
   passwordResetToken: string = undefined;
 
+  /**
+   * Hashed refresh JWT
+   */
+  @IsOptional()
+  @Prop()
+  refreshToken: string = undefined;
+
+  /**
+   * Refresh tokens for devices
+   * key: deviceID
+   * value: hashed JWT
+   */
+  @IsOptional()
+  @Prop(raw({}))
+  refreshTokens: Record<string, string> = undefined;
+
   /**
    * Verification token of the user
    */