@lenne.tech/nest-server 9.1.0 → 9.2.1

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lenne.tech/nest-server",
-  "version": "9.1.0",
+  "version": "9.2.1",
   "description": "Modern, fast, powerful Node.js web framework in TypeScript based on Nest with a GraphQL API and a connection to MongoDB (or other databases).",
   "keywords": [
     "node",
@@ -60,78 +60,83 @@
     "node": ">= 16.13.0"
   },
   "dependencies": {
-    "@apollo/gateway": "2.2.3",
-    "@nestjs/apollo": "10.1.7",
-    "@nestjs/common": "9.2.1",
-    "@nestjs/core": "9.2.1",
-    "@nestjs/graphql": "10.1.7",
-    "@nestjs/jwt": "10.0.1",
+    "@apollo/gateway": "2.3.2",
+    "@nestjs/apollo": "10.2.0",
+    "@nestjs/common": "9.3.9",
+    "@nestjs/core": "9.3.9",
+    "@nestjs/graphql": "10.2.0",
+    "@nestjs/jwt": "10.0.2",
     "@nestjs/mongoose": "9.2.1",
-    "@nestjs/passport": "9.0.0",
-    "@nestjs/platform-express": "9.2.1",
-    "@nestjs/schedule": "2.1.0",
+    "@nestjs/passport": "9.0.3",
+    "@nestjs/platform-express": "9.3.9",
+    "@nestjs/schedule": "2.2.0",
     "apollo-server-core": "3.11.1",
     "apollo-server-express": "3.11.1",
     "bcrypt": "5.1.0",
     "class-transformer": "0.5.1",
     "class-validator": "0.14.0",
+    "compression": "1.7.4",
+    "cookie-parser": "1.4.6",
     "ejs": "3.1.8",
     "graphql": "16.6.0",
+    "graphql-query-complexity": "0.12.0",
     "graphql-subscriptions": "2.0.0",
     "graphql-upload": "15.0.2",
     "js-sha256": "0.9.0",
-    "json-to-graphql-query": "2.2.4",
+    "json-to-graphql-query": "2.2.5",
     "light-my-request": "5.8.0",
     "lodash": "4.17.21",
-    "mongodb": "4.13.0",
-    "mongoose": "6.8.4",
+    "mongodb": "4.14.0",
+    "mongoose": "6.9.1",
     "mongoose-gridfs": "1.3.0",
-    "multer-gridfs-storage": "5.0.2",
     "multer": "1.4.5-lts.1",
-    "node-mailjet": "6.0.1",
-    "nodemailer": "6.9.0",
+    "multer-gridfs-storage": "5.0.2",
+    "node-mailjet": "6.0.2",
+    "nodemailer": "6.9.1",
     "nodemon": "2.0.20",
     "passport": "0.6.0",
     "passport-jwt": "4.0.1",
     "reflect-metadata": "0.1.13",
     "rfdc": "1.3.0",
-    "rimraf": "4.1.1",
+    "rimraf": "4.1.2",
     "rxjs": "7.8.0"
   },
   "devDependencies": {
-    "@nestjs/testing": "9.2.1",
+    "@nestjs/testing": "9.3.9",
+    "@types/compression": "1.7.2",
+    "@types/cookie-parser": "1.4.3",
     "@types/cron": "2.0.0",
     "@types/ejs": "3.1.1",
-    "@types/jest": "29.2.6",
+    "@types/jest": "29.4.0",
     "@types/lodash": "4.14.191",
     "@types/multer": "1.4.7",
-    "@types/node": "18.11.18",
+    "@types/node": "18.13.0",
     "@types/nodemailer": "6.4.7",
     "@types/passport": "1.0.11",
     "@types/supertest": "2.0.12",
-    "@typescript-eslint/eslint-plugin": "5.48.2",
-    "@typescript-eslint/parser": "5.48.2",
+    "@typescript-eslint/eslint-plugin": "5.52.0",
+    "@typescript-eslint/parser": "5.52.0",
     "coffeescript": "2.7.0",
-    "eslint": "8.32.0",
+    "eslint": "8.34.0",
     "eslint-config-prettier": "8.6.0",
     "find-file-up": "2.0.1",
-    "grunt": "1.5.3",
+    "grunt": "1.6.1",
     "grunt-bg-shell": "2.3.3",
     "grunt-contrib-clean": "2.0.1",
     "grunt-contrib-watch": "1.1.0",
     "grunt-sync": "0.8.2",
     "husky": "8.0.3",
-    "jest": "29.3.1",
+    "jest": "29.4.2",
     "npm-watch": "0.11.0",
     "pm2": "5.2.2",
-    "prettier": "2.8.3",
+    "prettier": "2.8.4",
     "pretty-quick": "3.1.3",
     "supertest": "6.3.3",
     "ts-jest": "29.0.5",
     "ts-morph": "17.0.1",
     "ts-node": "10.9.1",
     "tsconfig-paths": "4.1.2",
-    "typescript": "4.9.4",
+    "typescript": "4.9.5",
     "yalc": "1.0.0-pre.53"
   },
   "overrides": {

package/src/config.env.ts

@@ -12,6 +12,8 @@ const config: { [env: string]: IServerOptions } = {
   // ===========================================================================
   local: {
     automaticObjectIdFiltering: true,
+    compression: true,
+    cookies: false,
     cronJobs: {
       sayHello: {
         cronTime: CronExpression.EVERY_10_SECONDS,
@@ -52,16 +54,27 @@ const config: { [env: string]: IServerOptions } = {
         debug: true,
         introspection: true,
       },
+      maxComplexity: 20,
     },
     jwt: {
-      secret: 'SECRET_OR_PRIVATE_KEY_DEV',
+      secret: 'SECRET_OR_PRIVATE_KEY_LOCAL',
+      signInOptions: {
+        expiresIn: '15m',
+      },
+      refresh: {
+        secret: 'SECRET_OR_PRIVATE_KEY_LOCAL_REFRESH',
+        signInOptions: {
+          expiresIn: '7d',
+        },
+      },
     },
     loadLocalConfig: false,
+    logExceptions: true,
     mongoose: {
       collation: {
         locale: 'de',
       },
-      uri: 'mongodb://127.0.0.1/nest-server-dev',
+      uri: 'mongodb://127.0.0.1/nest-server-local',
     },
     port: 3000,
     sha256: true,
@@ -80,6 +93,8 @@ const config: { [env: string]: IServerOptions } = {
   // ===========================================================================
   development: {
     automaticObjectIdFiltering: true,
+    compression: true,
+    cookies: false,
     email: {
       smtp: {
         auth: {
@@ -111,11 +126,22 @@ const config: { [env: string]: IServerOptions } = {
         debug: true,
         introspection: true,
       },
+      maxComplexity: 20,
     },
     jwt: {
       secret: 'SECRET_OR_PRIVATE_KEY_DEV',
+      signInOptions: {
+        expiresIn: '15m',
+      },
+      refresh: {
+        secret: 'SECRET_OR_PRIVATE_KEY_DEV_REFRESH',
+        signInOptions: {
+          expiresIn: '7d',
+        },
+      },
     },
     loadLocalConfig: false,
+    logExceptions: true,
     mongoose: {
       collation: {
         locale: 'de',
@@ -139,6 +165,8 @@ const config: { [env: string]: IServerOptions } = {
   // ===========================================================================
   production: {
     automaticObjectIdFiltering: true,
+    compression: true,
+    cookies: false,
     email: {
       smtp: {
         auth: {
@@ -170,11 +198,22 @@ const config: { [env: string]: IServerOptions } = {
         debug: false,
         introspection: true,
       },
+      maxComplexity: 20,
     },
     jwt: {
       secret: 'SECRET_OR_PRIVATE_KEY_PROD',
+      signInOptions: {
+        expiresIn: '15m',
+      },
+      refresh: {
+        secret: 'SECRET_OR_PRIVATE_KEY_PROD_REFRESH',
+        signInOptions: {
+          expiresIn: '7d',
+        },
+      },
     },
     loadLocalConfig: false,
+    logExceptions: true,
     mongoose: {
       collation: {
         locale: 'de',

package/src/core/common/filters/http-exception-log.filter.ts

@@ -0,0 +1,27 @@
+import { ArgumentsHost, Catch, ContextType, ExceptionFilter, HttpException } from '@nestjs/common';
+import { Response } from 'express';
+
+@Catch(HttpException)
+export class HttpExceptionLogFilter implements ExceptionFilter {
+  /**
+   * Log exception
+   */
+  catch(exception: HttpException, host: ArgumentsHost) {
+    // Log
+    console.debug(exception.stack);
+
+    // GraphQL
+    const type = host.getType() as ContextType | 'graphql';
+    if (type === 'graphql') {
+      return exception;
+    }
+
+    // REST
+    const ctx = host.switchToHttp();
+    const res = ctx.getResponse<Response>();
+    const status = exception.getStatus();
+    res.status(status).json({
+      ...exception,
+    });
+  }
+}

package/src/core/common/interceptors/check-security.interceptor.ts

@@ -0,0 +1,52 @@
+import { Injectable, NestInterceptor, ExecutionContext, CallHandler } from '@nestjs/common';
+import { Observable } from 'rxjs';
+import { map } from 'rxjs/operators';
+import { getContextData } from '../helpers/context.helper';
+import { processDeep } from '../helpers/input.helper';
+
+/**
+ * Verification of all outgoing data via securityCheck
+ */
+@Injectable()
+export class CheckSecurityInterceptor implements NestInterceptor {
+  intercept(context: ExecutionContext, next: CallHandler): Observable<any> {
+    // Get current user
+    const user = getContextData(context)?.currentUser;
+
+    // Set force mode for sign in and sign up
+    let force = false;
+    if (!user) {
+      // Here the name is used and not the class itself, because the concrete class is located in the respective project.
+      // In case of an override it is better to use the concrete class directly (context.getClass() instead of context.getClasss()?.name).
+      if (context.getClass()?.name === 'AuthResolver') {
+        force = true;
+      }
+    }
+
+    // Check response
+    return next.handle().pipe(
+      map((data) => {
+        // Check data
+        if (data && typeof data === 'object' && typeof data.securityCheck === 'function') {
+          return data.securityCheck(user, force);
+        }
+
+        // Check if data is writeable (e.g. objects from direct access to json files via http are not writable)
+        if (data && typeof data === 'object') {
+          const writeable = !Object.keys(data).find((key) => !Object.getOwnPropertyDescriptor(data, key).writable);
+          if (!writeable) {
+            return data;
+          }
+        }
+
+        // Check deep
+        return processDeep(data, (item) => {
+          if (!item || typeof item !== 'object' || typeof item.securityCheck !== 'function') {
+            return item;
+          }
+          return item.securityCheck(user, force);
+        });
+      })
+    );
+  }
+}

package/src/core/common/interfaces/server-options.interface.ts

@@ -1,15 +1,57 @@
 import { ApolloDriverConfig } from '@nestjs/apollo';
 import { GqlModuleAsyncOptions } from '@nestjs/graphql';
 import { JwtModuleOptions } from '@nestjs/jwt';
+import { JwtSignOptions } from '@nestjs/jwt/dist/interfaces';
 import { MongooseModuleOptions } from '@nestjs/mongoose';
 import { ServeStaticOptions } from '@nestjs/platform-express/interfaces/serve-static-options.interface';
 import { CronExpression } from '@nestjs/schedule';
+import compression from 'compression';
 import { CollationOptions } from 'mongodb';
 import * as SMTPTransport from 'nodemailer/lib/smtp-transport';
 import { Falsy } from '../types/falsy.type';
 import { CronJobConfig } from './cron-job-config.interface';
 import { MailjetOptions } from './mailjet-options.interface';
 
+/**
+ * Interface for JWT configuration (main and refresh)
+ */
+export interface IJwt {
+  /**
+   * Private key
+   */
+  privateKey?: string;
+
+  /**
+   * Public key
+   */
+  publicKey?: string;
+
+  /**
+   * Secret to encrypt the JWT
+   */
+  secret?: string;
+
+  /**
+   * JWT Provider
+   * See https://github.com/mikenicholson/passport-jwt/blob/master/README.md#configure-strategy
+   */
+  secretOrKeyProvider?: (
+    request: Record<string, any>,
+    rawJwtToken: string,
+    done: (err: any, secret: string) => any
+  ) => any;
+
+  /**
+   * Alias of secret (for backwards compatibility)
+   */
+  secretOrPrivateKey?: string;
+
+  /**
+   * SignIn Options like expiresIn
+   */
+  signInOptions?: JwtSignOptions;
+}
+
 /**
  * Options for the server
  */
@@ -21,6 +63,18 @@ export interface IServerOptions {
    */
   automaticObjectIdFiltering?: boolean;
 
+  /**
+   * Whether to use the compression middleware package to enable gzip compression.
+   * See: https://docs.nestjs.com/techniques/compression
+   */
+  compression?: boolean | compression.CompressionOptions;
+
+  /**
+   * Whether to use cookies for authentication handling
+   * See: https://docs.nestjs.com/techniques/cookies
+   */
+  cookies?: boolean;
+
   /**
    * Cron jobs configuration object with the name of the cron job function as key
    * and the cron expression or config as value
@@ -105,6 +159,11 @@ export interface IServerOptions {
      */
     enableSubscriptionAuth?: boolean;
 
+    /**
+     * Maximum complexity of GraphQL requests
+     */
+    maxComplexity?: number;
+
     /**
      * Module options (forRootAsync)
      */
@@ -123,36 +182,9 @@ export interface IServerOptions {
    * Configuration of JavaScript Web Token (JWT) module
    */
   jwt?: {
-    /**
-     * Private key
-     */
-    privateKey?: string;
-
-    /**
-     * Public key
-     */
-    publicKey?: string;
-
-    /**
-     * Secret to encrypt the JWT
-     */
-    secret?: string;
-
-    /**
-     * JWT Provider
-     * See https://github.com/mikenicholson/passport-jwt/blob/master/README.md#configure-strategy
-     */
-    secretOrKeyProvider?: (
-      request: Record<string, any>,
-      rawJwtToken: string,
-      done: (err: any, secret: string) => any
-    ) => any;
-
-    /**
-     * Alias of secret (for backwards compatibility)
-     */
-    secretOrPrivateKey?: string;
-  } & JwtModuleOptions;
+    refresh?: IJwt;
+  } & IJwt &
+    JwtModuleOptions;
 
   /**
    * Load local configuration
@@ -162,6 +194,11 @@ export interface IServerOptions {
    */
   loadLocalConfig?: boolean | string;
 
+  /**
+   * Log exceptions (for better debugging)
+   */
+  logExceptions?: boolean;
+
   /**
    * Configuration for Mongoose
    */

package/src/core/common/models/core-model.model.ts

@@ -125,4 +125,11 @@ export abstract class CoreModel {
     };
     return this.map(data, config);
   }
+
+  /**
+   * Verification of the user's rights to access the properties of this object
+   */
+  securityCheck(user: any, force?: boolean): this {
+    return this;
+  }
 }

package/src/core/common/plugins/complexity.plugin.ts

@@ -0,0 +1,31 @@
+import { GraphQLSchemaHost } from '@nestjs/graphql';
+import { Plugin } from '@nestjs/apollo';
+import { ApolloServerPlugin, GraphQLRequestListener } from 'apollo-server-plugin-base';
+import { GraphQLError } from 'graphql';
+import { fieldExtensionsEstimator, getComplexity, simpleEstimator } from 'graphql-query-complexity';
+import { ConfigService } from '../services/config.service';
+
+@Plugin()
+export class ComplexityPlugin implements ApolloServerPlugin {
+  constructor(private gqlSchemaHost: GraphQLSchemaHost, private configService: ConfigService) {}
+
+  async requestDidStart(): Promise<GraphQLRequestListener> {
+    const maxComplexity: number = this.configService.getFastButReadOnly('graphQl.maxComplexity');
+    const { schema } = this.gqlSchemaHost;
+
+    return {
+      async didResolveOperation({ request, document }) {
+        const complexity = getComplexity({
+          schema,
+          operationName: request.operationName,
+          query: document,
+          variables: request.variables,
+          estimators: [fieldExtensionsEstimator(), simpleEstimator({ defaultComplexity: 1 })],
+        });
+        if (maxComplexity !== undefined && complexity > maxComplexity) {
+          throw new GraphQLError(`Query is too complex: ${complexity}. Maximum allowed complexity: ${maxComplexity}`);
+        }
+      },
+    };
+  }
+}

package/src/core/common/plugins/mongoose-id.plugin.js

@@ -1,4 +1,4 @@
-module.exports = function mongooseIdPlugin(schema, options) {
+export function mongooseIdPlugin(schema, options) {
   schema.post(['find', 'findOne', 'save', 'deleteOne'], function (docs) {
     if (!Array.isArray(docs)) {
       docs = [docs];
@@ -10,4 +10,6 @@ module.exports = function mongooseIdPlugin(schema, options) {
       }
     }
   });
-};
+}
+
+module.exports = mongooseIdPlugin;

package/src/core/common/services/config.service.ts

@@ -129,28 +129,28 @@ export class ConfigService {
   /**
    * Get readable and writable deep-cloned property from configuration
    */
-  get(key: string, defaultValue: any = undefined) {
+  get<T = any>(key: string, defaultValue: any = undefined): T {
     return ConfigService.get(key, defaultValue);
   }
 
   /**
    * Get readable and writable deep-cloned property from configuration
    */
-  static get(key: string, defaultValue: any = undefined) {
+  static get<T = any>(key: string, defaultValue: any = undefined): T {
     return clone(_.get(ConfigService._configSubject$.getValue(), key, defaultValue), { circles: false });
   }
 
   /**
    * Get faster but read-ony deep-frozen property from configuration
    */
-  getFastButReadOnly(key: string, defaultValue: any = undefined) {
+  getFastButReadOnly<T = any>(key: string, defaultValue: any = undefined): T {
     return ConfigService.getFastButReadOnly(key, defaultValue);
   }
 
   /**
    * Get faster but read-ony deep-frozen property from configuration
    */
-  static getFastButReadOnly(key: string, defaultValue: any = undefined) {
+  static getFastButReadOnly<T = any>(key: string, defaultValue: any = undefined): T {
     return _.get(ConfigService._frozenConfigSubject$.getValue(), key, defaultValue);
   }
 

package/src/core/common/services/module.service.ts

@@ -109,10 +109,10 @@ export abstract class ModuleService<T extends CoreModel = any> {
     // Note force configuration
     if (config.force) {
       config.checkRights = false;
-      if (typeof config.prepareInput === 'object') {
+      if (config.prepareInput && typeof config.prepareInput === 'object') {
         config.prepareInput.checkRoles = false;
       }
-      if (typeof config.prepareOutput === 'object') {
+      if (config.prepareOutput && typeof config.prepareOutput === 'object') {
         config.prepareOutput.removeSecrets = false;
       }
     }

package/src/core/modules/auth/core-auth.model.ts

@@ -1,5 +1,6 @@
 import { Field, ObjectType } from '@nestjs/graphql';
 import { CoreModel } from '../../common/models/core-model.model';
+import { CoreUserModel } from '../user/core-user.model';
 
 /**
  * CoreAuth model for the response after the sign in
@@ -13,8 +14,20 @@ export class CoreAuthModel extends CoreModel {
   /**
    * JavaScript Web Token (JWT)
    */
-  @Field({ description: 'JavaScript Web Token (JWT)' })
-  token: string = undefined;
+  @Field({ description: 'JavaScript Web Token (JWT)', nullable: true })
+  token?: string = undefined;
+
+  /**
+   * Refresh token
+   */
+  @Field({ description: 'Refresh token', nullable: true })
+  refreshToken?: string = undefined;
+
+  /**
+   * Current user
+   */
+  @Field({ description: 'Current user' })
+  user: CoreUserModel = undefined;
 
   // ===================================================================================================================
   // Methods

package/src/core/modules/auth/core-auth.module.ts

@@ -3,7 +3,8 @@ import { APP_GUARD } from '@nestjs/core';
 import { JwtModule, JwtModuleOptions } from '@nestjs/jwt';
 import { PassportModule } from '@nestjs/passport';
 import { RolesGuard } from './guards/roles.guard';
-import { JwtStrategy } from './jwt.strategy';
+import { JwtRefreshStrategy } from './strategies/jwt-refresh.strategy';
+import { JwtStrategy } from './strategies/jwt.strategy';
 import { CoreAuthUserService } from './services/core-auth-user.service';
 import { CoreAuthService } from './services/core-auth.service';
 import { PubSub } from 'graphql-subscriptions';
@@ -23,6 +24,7 @@ export class CoreAuthModule {
     options: JwtModuleOptions & {
       authService?: Type<CoreAuthService>;
       jwtStrategy?: Type<JwtStrategy>;
+      jwtRefreshStrategy?: Type<JwtRefreshStrategy>;
       imports?: Array<Type<any> | DynamicModule | Promise<DynamicModule> | ForwardReference>;
       providers?: Provider[];
     }
@@ -56,6 +58,10 @@ export class CoreAuthModule {
         provide: JwtStrategy,
         useClass: options.jwtStrategy || JwtStrategy,
       },
+      {
+        provide: JwtRefreshStrategy,
+        useClass: options.jwtRefreshStrategy || JwtRefreshStrategy,
+      },
     ];
     if (Array.isArray(options?.providers)) {
       providers = imports.concat(options.providers);
@@ -66,7 +72,7 @@ export class CoreAuthModule {
       module: CoreAuthModule,
       imports: imports,
       providers: providers,
-      exports: [CoreAuthService, JwtModule, JwtStrategy, PassportModule, UserModule],
+      exports: [CoreAuthService, JwtModule, JwtStrategy, JwtRefreshStrategy, PassportModule, UserModule],
     };
   }
 }