WIP auth system

tacxou · tacxou · commit 41dda1b92cb3 · 2023-09-11T11:28:35.000+02:00
diff --git a/app/nuxt.config.ts b/app/nuxt.config.ts
@@ -36,9 +36,8 @@ export default defineNuxtConfig({
     provider: {
       type: 'local',
       endpoints: {
-        signIn: { path: '/login', method: 'post' },
+        signIn: { path: '/local', method: 'post' },
         signOut: { path: '/logout', method: 'post' },
-        signUp: { path: '/register', method: 'post' },
         getSession: { path: '/session', method: 'get' },
       },
       pages: {
diff --git a/app/src/pages/index.vue b/app/src/pages/index.vue
@@ -11,4 +11,5 @@ div
 <script lang='ts' setup>
 import { definePageMeta, useAuth } from '#imports'
 const { signIn, signOut, session, status, cookies, getProviders, user, sessionToken } = useAuth()
+
 </script>
diff --git a/service/.env b/service/.env
@@ -1 +1,2 @@
 TK_SERVICE_MONGOOSE_URI=mongodb://localhost:27017/teaket
+TK_SERVICE_JWT_SECRET=kkns]ge^BC2m|O1HY!eIhvRx,w9%i.PkH-X.+K~E;2.@yXh4Q=h2y@jT5L+rtP*
diff --git a/service/package.json b/service/package.json
@@ -31,6 +31,7 @@
     "@nestjs/swagger": "^7.1.10",
     "@streamkits/nestjs_module_scrud": "^0.0.15",
     "@typegoose/auto-increment": "^3.4.0",
+    "argon2": "^0.31.1",
     "cookie-parser": "^1.4.6",
     "dayjs": "^1.11.9",
     "deepmerge": "^4.3.1",
@@ -40,6 +41,7 @@
     "mongoose-unique-validator": "^4.0.0",
     "passport": "^0.6.0",
     "passport-jwt": "^4.0.1",
+    "passport-local": "^1.0.0",
     "reflect-metadata": "^0.1.13",
     "rxjs": "^7.2.0",
     "swagger-themes": "^1.2.30",
@@ -57,6 +59,7 @@
     "@types/node": "18.15.11",
     "@types/passport": "^1.0.12",
     "@types/passport-jwt": "^3.0.9",
+    "@types/passport-local": "^1.0.35",
     "@types/supertest": "^2.0.11",
     "@typescript-eslint/eslint-plugin": "^5.0.0",
     "@typescript-eslint/parser": "^5.0.0",
diff --git a/service/src/_common/decorators/params/req-identity.decorator.ts b/service/src/_common/decorators/params/req-identity.decorator.ts
@@ -0,0 +1,7 @@
+import { createParamDecorator, ExecutionContext } from '@nestjs/common'
+import { IdentityType } from '~/_common/types/identity.type'
+
+export const ReqIdentity = createParamDecorator((_data: unknown, ctx: ExecutionContext): IdentityType => {
+  const request = ctx.switchToHttp().getRequest()
+  return request.user
+})
diff --git a/service/src/_common/guards/auth.guard.ts b/service/src/_common/guards/auth.guard.ts
@@ -0,0 +1,22 @@
+import { ExecutionContext, Injectable } from '@nestjs/common'
+import { Reflector } from '@nestjs/core'
+import { AuthGuard as AuthGuardInternal } from '@nestjs/passport'
+import { Observable } from 'rxjs'
+import { META_UNPROTECTED } from '~/_common/decorators/public.decorator'
+
+@Injectable()
+export class AuthGuard extends AuthGuardInternal(['jwt']) {
+  public constructor(private readonly reflector: Reflector) {
+    super()
+  }
+
+  public canActivate(
+    context: ExecutionContext,
+  ): boolean | Promise<boolean> | Observable<boolean> {
+    const isUnprotected = this.reflector.getAllAndOverride<boolean>(
+      META_UNPROTECTED,
+      [context.getClass(), context.getHandler()],
+    )
+    return isUnprotected || super.canActivate(context)
+  }
+}
diff --git a/service/src/_common/types/identity.type.ts b/service/src/_common/types/identity.type.ts
@@ -0,0 +1,5 @@
+import { Identities } from '~/core/identities/_schemas/identities.schema'
+
+export const ExcludeIdentityType: (keyof Identities)[] = ['password']
+
+export type IdentityType = Partial<Omit<Identities, 'password'>>
diff --git a/service/src/app.module.ts b/service/src/app.module.ts
@@ -1,4 +1,4 @@
-import { INestApplication, Module } from '@nestjs/common'
+import { Module } from '@nestjs/common'
 import { AppController } from './app.controller'
 import { AppService } from './app.service'
 import { TicketsModule } from '~/tickets/tickets.module'
@@ -8,11 +8,12 @@ import { ConfigModule, ConfigService } from '@nestjs/config'
 import config, { MongoosePlugin } from './config'
 import { RedisModule } from '@nestjs-modules/ioredis'
 import { RedisOptions } from 'ioredis'
-import { APP_FILTER, APP_PIPE } from '@nestjs/core'
+import { APP_FILTER, APP_GUARD, APP_PIPE } from '@nestjs/core'
 import { MongooseValidationFilter } from './_common/filters/mongoose-validation.filter'
 import { DtoValidationPipe } from './_common/pipes/dto-validation.pipe'
 import { CoreModule } from '~/core/core.module'
 import { ShutdownService } from '~/shutdown.service'
+import { AuthGuard } from '~/_common/guards/auth.guard'
 
 @Module({
   imports: [
@@ -55,6 +56,10 @@ import { ShutdownService } from '~/shutdown.service'
   providers: [
     AppService,
     ShutdownService,
+    // {
+    //   provide: APP_GUARD,
+    //   useClass: AuthGuard,
+    // },
     {
       provide: APP_FILTER,
       useClass: MongooseValidationFilter,
diff --git a/service/src/config.ts b/service/src/config.ts
@@ -26,7 +26,7 @@ export interface ConfigInstance {
     options: IAuthModuleOptions
   }
   jwt: {
-    options: JwtModuleOptions & any
+    options: JwtModuleOptions
   }
   // oidc: {
   //   options: BuildOpenIdClientOptions
@@ -84,7 +84,7 @@ export default (): ConfigInstance => ({
        * @see https://randomkeygen.com/
        */
       secret: process.env.TK_SERVICE_JWT_SECRET,
-      jwksUri: 'http://127.0.0.1:2000/jwks',
+      // jwksUri: 'http://127.0.0.1:2000/jwks',
     },
   },
   // oidc: {
diff --git a/service/src/core/auth/auth.controller.ts b/service/src/core/auth/auth.controller.ts
@@ -1,45 +1,55 @@
-import { Controller, Get, Post, Res } from '@nestjs/common'
+import { Controller, Get, HttpStatus, Post, Res, UseGuards } from '@nestjs/common'
 import { AuthService } from './auth.service'
 import { AbstractController } from '~/_common/abstracts/abstract.controller'
 import { Response } from 'express'
 import { ApiTags } from '@nestjs/swagger'
+import { Public } from '~/_common/decorators/public.decorator'
+import { ModuleRef } from '@nestjs/core'
+import { AuthGuard } from '@nestjs/passport'
+import { IdentityType } from '~/_common/types/identity.type'
+import { ReqIdentity } from '~/_common/decorators/params/req-identity.decorator'
 
+@Public()
 @ApiTags('core')
 @Controller('auth')
 export class AuthController extends AbstractController {
-  constructor(private readonly service: AuthService) {
+  constructor(
+    protected moduleRef: ModuleRef,
+    private readonly service: AuthService,
+  ) {
     super()
   }
 
-  @Post('login')
-  public async login(@Res() res: Response): Promise<Response> {
-    console.log('login')
-    return res.json({
-      token: '123',
+  @Post('local')
+  @UseGuards(AuthGuard('local'))
+  public async authenticateWithLocal(@Res() res: Response, @ReqIdentity() identity: IdentityType): Promise<Response> {
+    const tokens = await this.service.createToken(identity)
+    return res.status(HttpStatus.CREATED).json({
+      ...tokens,
+      token: '1234',
+      identity,
       user: {
-        id: "1",
+        id: 1,
       }
     })
   }
 
   @Get('session')
-  public async session(@Res() res: Response): Promise<Response> {
-    // console.log('session')
-    return res.json({
+  // @UseGuards(AuthGuard('jwt'))
+  public async session(@Res() res: Response, @ReqIdentity() identity: IdentityType): Promise<Response> {
+    // const tokens = await this.service.createToken(identity)
+    return res.status(HttpStatus.OK).json({
+      // ...tokens,
       token: '1234',
+      identity,
       user: {
-        id: "1",
+        id: 1,
       }
     })
   }
 
-  @Get('credentials')
-  public async credentials(@Res() res: Response): Promise<Response> {
-    return res.json({
-      token: '123',
-      user: {
-        id: "1",
-      }
-    })
+  @Post('logout')
+  public async logout(@Res() res: Response): Promise<Response> {
+    return res.status(HttpStatus.NO_CONTENT).send()
   }
 }
diff --git a/service/src/core/auth/auth.module.ts b/service/src/core/auth/auth.module.ts
@@ -1,28 +1,40 @@
 import { Module } from '@nestjs/common'
 import { AuthService } from './auth.service'
 import { AuthController } from './auth.controller'
-import { PassportModule } from '@nestjs/passport'
+import { IAuthModuleOptions, PassportModule } from '@nestjs/passport'
 import { ConfigModule, ConfigService } from '@nestjs/config'
-import { JwtModule } from '@nestjs/jwt'
+import { JwtModule, JwtModuleOptions } from '@nestjs/jwt'
+import { IdentitiesModule } from '~/core/identities/identities.module'
+import { JwtStrategy } from '~/core/auth/jwt.strategy'
+import { LocalStrategy } from '~/core/auth/local.strategy'
 
 @Module({
   imports: [
     PassportModule.registerAsync({
       imports: [ConfigModule],
       inject: [ConfigService],
       useFactory: async (configService: ConfigService) => ({
-        ...configService.get<object>('passport.options', {}),
+        ...configService.get<IAuthModuleOptions>('passport.options', {}),
       }),
     }),
     JwtModule.registerAsync({
       imports: [ConfigModule],
       inject: [ConfigService],
       useFactory: async (configService: ConfigService) => ({
-        ...configService.get<object>('jwt.options', {}),
+        ...configService.get<JwtModuleOptions>('jwt.options', {}),
       }),
     }),
+    IdentitiesModule,
+  ],
+  providers: [
+    AuthService,
+    JwtStrategy,
+    LocalStrategy,
   ],
-  providers: [AuthService],
   controllers: [AuthController],
+  exports: [
+    PassportModule,
+    JwtModule,
+  ],
 })
 export class AuthModule {}
diff --git a/service/src/core/auth/auth.service.ts b/service/src/core/auth/auth.service.ts
@@ -1,9 +1,68 @@
 import { Injectable } from '@nestjs/common'
 import { AbstractService } from '~/_common/abstracts/abstract.service'
+import { JwtService } from '@nestjs/jwt'
+import { ModuleRef } from '@nestjs/core'
+import { InjectRedis } from '@nestjs-modules/ioredis'
+import Redis from 'ioredis'
+import { IdentitiesService } from '~/core/identities/identities.service'
+import { Identities } from '~/core/identities/_schemas/identities.schema'
+import { verify as argon2Verify } from 'argon2'
+import { IdentityType } from '~/_common/types/identity.type'
 
 @Injectable()
 export class AuthService extends AbstractService {
-  public constructor() {
+  public constructor(
+    protected moduleRef: ModuleRef,
+    private readonly jwtService: JwtService,
+    private readonly identityService: IdentitiesService,
+    @InjectRedis() private readonly redis: Redis,
+  ) {
     super()
   }
+
+  public async authenticateWithLocal(username: string, password: string): Promise<Identities> {
+    try {
+      const user: any = await this.identityService.findOne({ username })
+      if (user && await argon2Verify(user.password, password)) {
+        return user
+      }
+    } finally {
+    }
+    return null
+  }
+
+  public async verifyIdentity(jwtid: string): Promise<any> {
+    try {
+      const identity = await this.redis.get(`jwtid_${jwtid}`)
+      if (identity) {
+        return JSON.parse(identity)
+      }
+    } finally {
+    }
+    return null
+  }
+
+  public async createToken(identity: IdentityType, refresh_token?: string): Promise<{
+    access_token: string,
+    refresh_token?: string
+  }> {
+    const random = Math.random().toString(36).substring(2, 15) + Math.random().toString(36).substring(2, 15)
+    const jwtid = `${identity._id}_${random}`
+    const access_token = this.jwtService.sign({ identity }, {
+      expiresIn: '1h',
+      jwtid,
+    })
+    await this.redis.set(`jwtid_${jwtid}`, JSON.stringify({ identity }), 'EX', 3600)
+    return {
+      access_token,
+      refresh_token,
+    }
+  }
+
+  public async clearSession(): Promise<void> {
+    try {
+      await this.redis.del('session')
+    } finally {
+    }
+  }
 }
diff --git a/service/src/core/auth/jwt.strategy.ts b/service/src/core/auth/jwt.strategy.ts
@@ -1,8 +1,11 @@
-import { Injectable } from '@nestjs/common'
+import { ForbiddenException, Injectable, Logger, UnauthorizedException } from '@nestjs/common'
 import { ConfigService } from '@nestjs/config'
 import { PassportStrategy } from '@nestjs/passport'
 import { ExtractJwt, Strategy, VerifiedCallback } from 'passport-jwt'
 import { AuthService } from './auth.service'
+import { Request } from 'express'
+import { IdentityType } from '~/_common/types/identity.type'
+import { JwtPayload } from 'jsonwebtoken'
 
 @Injectable()
 export class JwtStrategy extends PassportStrategy(Strategy, 'jwt') {
@@ -14,19 +17,16 @@ export class JwtStrategy extends PassportStrategy(Strategy, 'jwt') {
       secretOrKey: config.get<string>('jwt.options.secret'),
       jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
       ignoreExpiration: false,
+      passReqToCallback: true,
     })
   }
 
   // noinspection JSUnusedGlobalSymbols
-  public async validate(payload: any, done: VerifiedCallback): Promise<void> {
-    if (payload?.user) {
-      console.log('payload.user', payload.user)
-      return done(null, payload.user)
-    }
-    // const session = await this.auth.retrieveSession(
-    //   `${payload?.sub}`,
-    //   `${payload?.refreshKey}`,
-    // )
-    return done(null, {id: 123})
+  public async validate(_: Request, payload: JwtPayload & { identity: IdentityType }, done: VerifiedCallback): Promise<void> {
+    Logger.debug(`Atempt to authenticate with JTI: <${payload.jti}>`, 'JwtStrategy')
+    if (!payload?.identity) return done(new UnauthorizedException(), false)
+    const user = await this.auth.verifyIdentity(payload.jti)
+    if (!user) return done(new ForbiddenException(), false)
+    return done(null, payload?.identity)
   }
 }
diff --git a/service/src/core/auth/local.strategy.ts b/service/src/core/auth/local.strategy.ts
@@ -0,0 +1,25 @@
+import { ForbiddenException, Injectable, UnauthorizedException } from '@nestjs/common'
+import { PassportStrategy } from '@nestjs/passport'
+import { AuthService } from '~/core/auth/auth.service'
+import { Strategy } from 'passport-local'
+import { Request } from 'express'
+import { IdentityState } from '~/core/identities/_enum/identity-state.enum'
+import { ExcludeIdentityType, IdentityType } from '~/_common/types/identity.type'
+import { omit } from 'radash'
+
+
+@Injectable()
+export class LocalStrategy extends PassportStrategy(Strategy) {
+  public constructor(private readonly auth: AuthService) {
+    super({
+      passReqToCallback: true,
+    })
+  }
+
+  public async validate(_: Request, username: string, password: string): Promise<IdentityType> {
+    const user = await this.auth.authenticateWithLocal(username, password)
+    if (!user) throw new UnauthorizedException()
+    if (user.state.current !== IdentityState.ACTIVE) throw new ForbiddenException()
+    return omit(user.toObject(), ExcludeIdentityType) as IdentityType
+  }
+}
diff --git a/service/src/core/identities/_schemas/identities.schema.ts b/service/src/core/identities/_schemas/identities.schema.ts
@@ -52,6 +52,7 @@ export class Identities extends AbstractSchema {
   @Prop({
     type: StatePartSchema,
     required: true,
+    default: {},
   })
   public state: StatePart
 
diff --git a/service/src/core/identities/identities.module.ts b/service/src/core/identities/identities.module.ts
diff --git a/service/src/tickets/ticket/ticket.controller.ts b/service/src/tickets/ticket/ticket.controller.ts
diff --git a/yarn.lock b/yarn.lock

Original file line number	Diff line number	Diff line change
`@@ -1 +1,2 @@`
`1`	`1`	`TK_SERVICE_MONGOOSE_URI=mongodb://localhost:27017/teaket`
	`2`	`+TK_SERVICE_JWT_SECRET=kkns]ge^BC2m\|O1HY!eIhvRx,w9%i.PkH-X.+K~E;2.@yXh4Q=h2y@jT5L+rtP*`