@lenne.tech/nest-server 9.2.1 → 9.2.2

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@lenne.tech/nest-server",
-  "version": "9.2.1",
+  "version": "9.2.2",
   "description": "Modern, fast, powerful Node.js web framework in TypeScript based on Nest with a GraphQL API and a connection to MongoDB (or other databases).",
   "keywords": [
     "node",

package/src/config.env.ts

@@ -62,6 +62,7 @@ const config: { [env: string]: IServerOptions } = {
         expiresIn: '15m',
       },
       refresh: {
+        renewal: true,
         secret: 'SECRET_OR_PRIVATE_KEY_LOCAL_REFRESH',
         signInOptions: {
           expiresIn: '7d',
@@ -134,6 +135,7 @@ const config: { [env: string]: IServerOptions } = {
         expiresIn: '15m',
       },
       refresh: {
+        renewal: true,
         secret: 'SECRET_OR_PRIVATE_KEY_DEV_REFRESH',
         signInOptions: {
           expiresIn: '7d',
@@ -206,6 +208,7 @@ const config: { [env: string]: IServerOptions } = {
         expiresIn: '15m',
       },
       refresh: {
+        renewal: true,
         secret: 'SECRET_OR_PRIVATE_KEY_PROD_REFRESH',
         signInOptions: {
           expiresIn: '7d',

package/src/core/common/helpers/context.helper.ts

@@ -1,5 +1,6 @@
 import { ExecutionContext } from '@nestjs/common';
 import { GqlExecutionContext } from '@nestjs/graphql';
+import { Request as RequestType } from 'express';
 
 /**
  * Helper for context processing
@@ -10,7 +11,11 @@ export default class Context {
    * Get data from Context
    * @deprecated use getContextData function
    */
-  public static getData(context: ExecutionContext): { currentUser: { [key: string]: any }; args: any } {
+  public static getData(context: ExecutionContext): {
+    args: any;
+    currentUser: { [key: string]: any };
+    request: RequestType;
+  } {
     return getContextData(context);
   }
 }
@@ -18,26 +23,36 @@ export default class Context {
 /**
  * Get data from Context
  */
-export function getContextData(context: ExecutionContext): { currentUser: { [key: string]: any }; args: any } {
+export function getContextData(context: ExecutionContext): {
+  args: any;
+  currentUser: { [key: string]: any };
+  request: RequestType;
+} {
   // Check context
   if (!context) {
-    return { currentUser: null, args: null };
+    return { currentUser: null, args: null, request: null };
   }
 
   // Init data
   let user: { [key: string]: any };
+  let rawContext: any = null;
   let ctx: any = null;
+  let request: any;
   try {
-    ctx = GqlExecutionContext.create(context)?.getContext();
+    rawContext = GqlExecutionContext.create(context);
+    ctx = rawContext?.getContext();
+    request = ctx.req;
   } catch (e) {
     // console.info(e);
   }
 
   let args: any;
-  try {
-    args = GqlExecutionContext.create(context)?.getArgs();
-  } catch (e) {
-    // console.info(e);
+  if (rawContext) {
+    try {
+      args = rawContext.getArgs();
+    } catch (e) {
+      // console.info(e);
+    }
   }
 
   // Get data
@@ -45,7 +60,7 @@ export function getContextData(context: ExecutionContext): { currentUser: { [key
     // User from GraphQL context
     user = ctx?.user || ctx?.req?.user;
   } else {
-    const request = context?.switchToHttp ? context.switchToHttp()?.getRequest() : null;
+    request = context?.switchToHttp ? context.switchToHttp()?.getRequest() : null;
     if (request) {
       args = request.body;
 
@@ -55,5 +70,5 @@ export function getContextData(context: ExecutionContext): { currentUser: { [key
   }
 
   // Return data
-  return { currentUser: user, args };
+  return { args, currentUser: user, request };
 }

package/src/core/common/interfaces/server-options.interface.ts

@@ -182,7 +182,17 @@ export interface IServerOptions {
    * Configuration of JavaScript Web Token (JWT) module
    */
   jwt?: {
-    refresh?: IJwt;
+    /**
+     * Configuration for refresh Token (JWT)
+     */
+    refresh?: {
+      /**
+       * Whether renewal of the refresh token is permitted
+       * If falsy (default): during refresh only a new token, the refresh token retains its original term
+       * If true: during refresh not only a new token but also a new refresh token is created
+       */
+      renewal?: boolean;
+    } & IJwt;
   } & IJwt &
     JwtModuleOptions;
 

package/src/core/common/pipes/check-input.pipe.ts

@@ -25,9 +25,9 @@ export class CheckInputPipe implements PipeTransform {
     const metatype = metadata?.metatype;
 
     // Get user
-    const { user }: any = getContextData(this.context);
+    const { currentUser }: any = getContextData(this.context);
 
     // Check and return
-    return check(value, user, { metatype });
+    return check(value, currentUser, { metatype });
   }
 }

package/src/core/modules/auth/core-auth.module.ts

@@ -30,7 +30,11 @@ export class CoreAuthModule {
     }
   ): DynamicModule {
     // Process imports
-    let imports: any[] = [UserModule, PassportModule.register({ defaultStrategy: 'jwt' }), JwtModule.register(options)];
+    let imports: any[] = [
+      UserModule,
+      PassportModule.register({ defaultStrategy: ['jwt', 'jwt-refresh'] }),
+      JwtModule.register(options),
+    ];
     if (Array.isArray(options?.imports)) {
       imports = imports.concat(options.imports);
     }

package/src/core/modules/auth/core-auth.resolver.ts

@@ -10,6 +10,7 @@ import { CoreAuthSignInInput } from './inputs/core-auth-sign-in.input';
 import { CoreAuthSignUpInput } from './inputs/core-auth-sign-up.input';
 import { ICoreAuthUser } from './interfaces/core-auth-user.interface';
 import { CoreAuthService } from './services/core-auth.service';
+import { Tokens } from './tokens.decorator';
 
 /**
  * Authentication resolver for the sign in
@@ -25,31 +26,18 @@ export class CoreAuthResolver {
   // Mutations
   // ===========================================================================
 
-  /**
-   * Sign in user via email and password (on specific device)
-   */
-  @Mutation((returns) => CoreAuthModel, {
-    description: 'Sign in user via email and password and get JWT tokens (for specific device)',
-  })
-  async signIn(
-    @Info() info: GraphQLResolveInfo,
-    @Context() ctx: { res: ResponseType },
-    @Args('input') input: CoreAuthSignInInput
-  ): Promise<CoreAuthModel> {
-    const result = await this.authService.signIn(input, { fieldSelection: { info, select: 'signIn' } });
-    return this.processCookies(ctx, result);
-  }
-
   /**
    * Logout user (from specific device)
    */
+  @UseGuards(AuthGuard('jwt'))
   @Mutation((returns) => CoreAuthModel, { description: 'Logout user (from specific device)' })
   async logout(
     @GraphQLUser() currentUser: ICoreAuthUser,
     @Context() ctx: { res: ResponseType },
-    @Args('deviceId', { nullable: true }) deviceId?: string
+    @Tokens('token') token: string,
+    @Args('allDevices', { nullable: true }) allDevices?: boolean
   ): Promise<boolean> {
-    const result = await this.authService.logout({ currentUser, deviceId });
+    const result = await this.authService.logout(token, { currentUser, allDevices });
     return this.processCookies(ctx, result);
   }
 
@@ -60,10 +48,25 @@ export class CoreAuthResolver {
   @Mutation((returns) => CoreAuthModel, { description: 'Refresh tokens (for specific device)' })
   async refreshToken(
     @GraphQLUser() user: ICoreAuthUser,
+    @Tokens('refreshToken') refreshToken: string,
+    @Context() ctx: { res: ResponseType }
+  ): Promise<CoreAuthModel> {
+    const result = await this.authService.refreshTokens(user, refreshToken);
+    return this.processCookies(ctx, result);
+  }
+
+  /**
+   * Sign in user via email and password (on specific device)
+   */
+  @Mutation((returns) => CoreAuthModel, {
+    description: 'Sign in user via email and password and get JWT tokens (for specific device)',
+  })
+  async signIn(
+    @Info() info: GraphQLResolveInfo,
     @Context() ctx: { res: ResponseType },
-    @Args('deviceId', { nullable: true }) deviceId?: string
+    @Args('input') input: CoreAuthSignInInput
   ): Promise<CoreAuthModel> {
-    const result = await this.authService.refreshTokens(user, deviceId);
+    const result = await this.authService.signIn(input, { fieldSelection: { info, select: 'signIn' } });
     return this.processCookies(ctx, result);
   }
 

package/src/core/modules/auth/guards/auth.guard.ts

@@ -3,6 +3,7 @@ import { GqlExecutionContext } from '@nestjs/graphql';
 import { AuthModuleOptions, Type } from '@nestjs/passport';
 import { defaultOptions } from '@nestjs/passport/dist/options';
 import { memoize } from '@nestjs/passport/dist/utils/memoize.util';
+import * as jwt from 'jsonwebtoken';
 import * as passport from 'passport';
 
 /**
@@ -103,8 +104,14 @@ function createAuthGuard(type?: string): Type<CanActivate> {
      * Process request
      */
     handleRequest(err, user, info, context): TUser {
-      if (err || !user) {
-        throw err || new UnauthorizedException();
+      if (err) {
+        if (err instanceof jwt.JsonWebTokenError) {
+          throw new UnauthorizedException('Invalid token');
+        }
+        throw err;
+      }
+      if (!user) {
+        throw new UnauthorizedException('Invalid token');
       }
       return user;
     }

package/src/core/modules/auth/inputs/core-auth-sign-in.input.ts

@@ -10,9 +10,12 @@ export class CoreAuthSignInInput extends CoreInput {
   // Properties
   // ===================================================================================================================
 
-  @Field({ description: 'Device ID', nullable: true })
+  @Field({ description: 'Device ID (is created automatically if it is not set)', nullable: true })
   deviceId?: string = undefined;
 
+  @Field({ description: 'Device description', nullable: true })
+  deviceDescription?: string = undefined;
+
   @Field({ description: 'Email', nullable: false })
   email: string = undefined;
 

package/src/core/modules/auth/inputs/core-auth-sign-up.input.ts

@@ -1,21 +1,8 @@
-import { Field, InputType } from '@nestjs/graphql';
-import { CoreInput } from '../../../common/inputs/core-input.input';
+import { InputType } from '@nestjs/graphql';
+import { CoreAuthSignInInput } from './core-auth-sign-in.input';
 
 /**
  * SignUp input
  */
 @InputType({ description: 'Sign-up input' })
-export class CoreAuthSignUpInput extends CoreInput {
-  // ===================================================================================================================
-  // Properties
-  // ===================================================================================================================
-
-  @Field({ description: 'Device ID', nullable: true })
-  deviceId?: string = undefined;
-
-  @Field({ description: 'Email', nullable: false })
-  email: string = undefined;
-
-  @Field({ description: 'Password', nullable: false })
-  password: string = undefined;
-}
+export class CoreAuthSignUpInput extends CoreAuthSignInInput {}

package/src/core/modules/auth/interfaces/core-auth-user.interface.ts

@@ -1,3 +1,5 @@
+import { CoreTokenData } from './core-token-data.interface';
+
 /**
  * Interface for user used in authorization module
  */
@@ -17,13 +19,8 @@ export interface ICoreAuthUser {
    */
   password: string;
 
-  /**
-   * Refresh token
-   */
-  refreshToken?: string;
-
   /**
    * Refresh tokens for different devices
    */
-  refreshTokens?: Record<string, string>;
+  refreshTokens?: Record<string, CoreTokenData>;
 }

package/src/core/modules/auth/interfaces/core-token-data.interface.ts

@@ -0,0 +1,19 @@
+/**
+ * Data of the token
+ */
+export interface CoreTokenData {
+  /**
+   * ID of the device from which the token was generated
+   */
+  deviceId?: string;
+
+  /**
+   * Description of the device from which the token was generated
+   */
+  deviceDescription?: string;
+
+  /**
+   * Token ID to make sure that there is only one RefreshToken for each device
+   */
+  tokenId: string;
+}

package/src/core/modules/auth/interfaces/jwt-payload.interface.ts

@@ -2,5 +2,8 @@
  * Interface for jwt payload
  */
 export interface JwtPayload {
+  [key: string]: any;
   id: string;
+  deviceId: string;
+  tokenId: string;
 }

package/src/core/modules/auth/services/core-auth.service.ts

@@ -1,6 +1,7 @@
-import { Injectable, UnauthorizedException } from '@nestjs/common';
+import { BadRequestException, Injectable, UnauthorizedException } from '@nestjs/common';
 import { JwtService } from '@nestjs/jwt';
 import * as bcrypt from 'bcrypt';
+import { randomUUID } from 'crypto';
 import { sha256 } from 'js-sha256';
 import { getStringIds } from '../../../common/helpers/db.helper';
 import { prepareServiceOptions } from '../../../common/helpers/service.helper';
@@ -37,40 +38,43 @@ export class CoreAuthService {
   /**
    * Logout user (from device)
    */
-  async logout(serviceOptions: ServiceOptions & { deviceId?: string }): Promise<boolean> {
+  async logout(
+    tokenOrRefreshToken: string,
+    serviceOptions: ServiceOptions & { allDevices?: boolean }
+  ): Promise<boolean> {
+    // Check authentication
     const user = serviceOptions.currentUser;
-    if (!serviceOptions.currentUser) {
+    if (!user || !tokenOrRefreshToken) {
       throw new UnauthorizedException();
     }
-    const deviceId = serviceOptions.deviceId;
-    if (deviceId) {
-      if (!user.refreshTokens[deviceId]) {
-        return false;
-      }
-      delete user.refreshTokens[deviceId];
-      await this.userService.update(user.id, { refreshTokens: user.refreshTokens }, serviceOptions);
+
+    // Check authorization
+    const deviceId = this.decodeJwt(tokenOrRefreshToken)?.deviceId;
+    if (!deviceId || !user.refreshTokens[deviceId]) {
+      throw new UnauthorizedException('Invalid refresh token');
+    }
+
+    // Logout from all devices
+    if (serviceOptions.allDevices) {
+      user.refreshTokens = {};
+      await this.userService.update(user.id, { refreshTokens: {} }, serviceOptions);
       return true;
     }
-    user.refreshToken = null;
-    user.refreshTokens = {};
-    await this.userService.update(
-      user.id,
-      {
-        refreshToken: user.refreshToken,
-        refreshTokens: user.refreshTokens,
-      },
-      serviceOptions
-    );
+
+    // Logout from specific devices
+    delete user.refreshTokens[deviceId];
+    await this.userService.update(user.id, { refreshTokens: user.refreshTokens }, serviceOptions);
     return true;
   }
 
   /**
    * Refresh tokens
    */
-  async refreshTokens(user: ICoreAuthUser, deviceId?: string) {
+  async refreshTokens(user: ICoreAuthUser, currentRefreshToken: string) {
     // Create new tokens
-    const tokens = await this.getTokens(user.id);
-    await this.updateRefreshToken(user, tokens.refreshToken, { deviceId });
+    const { deviceId, deviceDescription } = this.decodeJwt(currentRefreshToken);
+    const tokens = await this.createTokens(user.id, { deviceId, deviceDescription });
+    tokens.refreshToken = await this.updateRefreshToken(user, currentRefreshToken, tokens.refreshToken);
 
     // Return
     return CoreAuthModel.map({
@@ -93,10 +97,10 @@ export class CoreAuthService {
     });
 
     // Inputs
-    const { email, password, deviceId } = input;
+    const { email, password, deviceId, deviceDescription } = input;
 
     // Get user
-    const user = await this.userService.getViaEmail(email, serviceOptions);
+    const user = await this.userService.getViaEmail(email, serviceOptionsForUserService);
     if (
       !user ||
       !((await bcrypt.compare(password, user.password)) || (await bcrypt.compare(sha256(password), user.password)))
@@ -104,11 +108,8 @@ export class CoreAuthService {
       throw new UnauthorizedException();
     }
 
-    // Set device ID
-    serviceOptionsForUserService.deviceId = input.deviceId;
-
     // Return tokens and user
-    return this.getResult(user, serviceOptions);
+    return this.getResult(user, { deviceId, deviceDescription });
   }
 
   /**
@@ -124,14 +125,14 @@ export class CoreAuthService {
     // Get and check user
     const user = await this.userService.create(input, serviceOptionsForUserService);
     if (!user) {
-      throw Error('Email Address already in use');
+      throw new BadRequestException('Email Address already in use');
     }
 
     // Set device ID
-    serviceOptionsForUserService.deviceId = input.deviceId;
+    const { deviceId, deviceDescription } = input;
 
     // Return tokens and user
-    return this.getResult(user, serviceOptionsForUserService);
+    return this.getResult(user, { deviceId, deviceDescription });
   }
 
   /**
@@ -142,7 +143,8 @@ export class CoreAuthService {
     const user = await this.userService.get(payload.id);
 
     // Check if user exists and is logged in
-    if (!user?.refreshToken) {
+    const device = user?.refreshTokens?.[payload.deviceId];
+    if (!device || !payload.tokenId || device.tokenId !== payload.tokenId) {
       return null;
     }
 
@@ -157,12 +159,16 @@ export class CoreAuthService {
   /**
    * Rest result with user and tokens
    */
-  protected async getResult(user: ICoreAuthUser, serviceOptions: ServiceOptions & { deviceId?: string }) {
+  protected async getResult(
+    user: ICoreAuthUser,
+    data?: { [key: string]: any; deviceId?: string },
+    currentRefreshToken?: string
+  ) {
     // Create new tokens
-    const tokens = await this.getTokens(user.id);
+    const tokens = await this.createTokens(user.id, data);
 
     // Set refresh token
-    await this.updateRefreshToken(user, tokens.refreshToken, serviceOptions);
+    tokens.refreshToken = await this.updateRefreshToken(user, currentRefreshToken, tokens.refreshToken, data);
 
     // Return tokens and user
     return CoreAuthModel.map({
@@ -190,22 +196,22 @@ export class CoreAuthService {
   /**
    * Get JWT and refresh token
    */
-  protected async getTokens(userId: string) {
+  protected async createTokens(userId: string, data?: { [key: string]: any; deviceId?: string }) {
+    const payload: { [key: string]: any; id: string; deviceId: string } = {
+      ...data,
+      id: userId,
+      deviceId: data?.deviceId || randomUUID(),
+      tokenId: randomUUID(),
+    };
     const [token, refreshToken] = await Promise.all([
-      this.jwtService.signAsync(
-        { id: userId },
-        {
-          secret: this.getSecretFromConfig(false),
-          ...this.configService.getFastButReadOnly('jwt.signInOptions', {}),
-        }
-      ),
-      this.jwtService.signAsync(
-        { id: userId },
-        {
-          secret: this.getSecretFromConfig(true),
-          ...this.configService.getFastButReadOnly('jwt.refresh.signInOptions', {}),
-        }
-      ),
+      this.jwtService.signAsync(payload, {
+        secret: this.getSecretFromConfig(false),
+        ...this.configService.getFastButReadOnly('jwt.signInOptions', {}),
+      }),
+      this.jwtService.signAsync(payload, {
+        secret: this.getSecretFromConfig(true),
+        ...this.configService.getFastButReadOnly('jwt.refresh.signInOptions', {}),
+      }),
     ]);
     return {
       token,
@@ -218,39 +224,45 @@ export class CoreAuthService {
    */
   protected async updateRefreshToken(
     user: ICoreAuthUser,
-    refreshToken: string,
-    serviceOptions: ServiceOptions & { deviceId?: string } = {}
-  ) {
-    const hashedRefreshToken = await bcrypt.hash(refreshToken, 10);
-    const deviceId = serviceOptions?.deviceId;
-    if (deviceId) {
-      if (!user.refreshTokens) {
-        user.refreshTokens = {};
+    currentRefreshToken: string,
+    newRefreshToken: string,
+    data?: Record<string, any>
+  ): Promise<string> {
+    // Check if the update of the update token is allowed
+    let deviceId: string;
+    if (currentRefreshToken) {
+      deviceId = this.decodeJwt(currentRefreshToken)?.deviceId;
+      if (!deviceId || !user.refreshTokens?.[deviceId]) {
+        throw new UnauthorizedException('Invalid refresh token');
       }
-      user.refreshTokens[deviceId] = hashedRefreshToken;
-
-      // Refresh token must be set even if only a specific device is logged in, because of the check in the validateUser method
-      if (!user.refreshToken) {
-        user.refreshToken = hashedRefreshToken;
+      if (!this.configService.getFastButReadOnly('jwt.refresh.renewal')) {
+        // Return currentToken
+        return currentRefreshToken;
       }
+    }
 
-      return await this.userService.update(
-        getStringIds(user),
-        { refreshTokens: user.refreshTokens, refreshToken: user.refreshToken },
-        {
-          ...serviceOptions,
-          force: true,
-        }
-      );
+    // Prepare data
+    data = data || {};
+    if (!user.refreshTokens) {
+      user.refreshTokens = {};
     }
-    user.refreshToken = hashedRefreshToken;
-    return await this.userService.update(
-      getStringIds(user),
-      { refreshToken: hashedRefreshToken },
-      {
-        ...serviceOptions,
-        force: true,
-      }
-    );
+    if (deviceId) {
+      const oldData = user.refreshTokens[deviceId] || {};
+      data = Object.assign(oldData, data);
+    }
+
+    // Set new token
+    const payload = this.decodeJwt(newRefreshToken);
+    if (!payload) {
+      throw new UnauthorizedException();
+    }
+    if (!deviceId) {
+      deviceId = payload.deviceId;
+    }
+    user.refreshTokens[deviceId] = { ...data, deviceId, tokenId: payload.tokenId };
+    await this.userService.update(getStringIds(user), { refreshTokens: user.refreshTokens }, { force: true });
+
+    // Return new token
+    return newRefreshToken;
   }
 }

package/src/core/modules/auth/strategies/jwt-refresh.strategy.ts

@@ -37,17 +37,7 @@ export class JwtRefreshStrategy extends PassportStrategy(Strategy, 'jwt-refresh'
     // Check user
     const user = await this.authService.validateUser(payload);
     if (!user) {
-      throw new UnauthorizedException();
-    }
-
-    // Check refresh token
-    const refreshToken = req
-      .get('Authorization')
-      .replace(/bearer/i, '')
-      .trim();
-    const refreshTokenMatches = await bcrypt.compare(refreshToken, user.refreshToken);
-    if (!refreshTokenMatches) {
-      throw new ForbiddenException('Access Denied');
+      throw new UnauthorizedException('Unknown user');
     }
 
     // Return user

package/src/core/modules/auth/strategies/jwt.strategy.ts

@@ -41,7 +41,7 @@ export class JwtStrategy extends PassportStrategy(Strategy, 'jwt') {
   async validate(payload: JwtPayload) {
     const user = await this.authService.validateUser(payload);
     if (!user) {
-      throw new UnauthorizedException();
+      throw new UnauthorizedException('Unknown user');
     }
     return user;
   }