Add Supabase Authorization on backend (#5)

- Add `signIn`, `signOut`, `signUp`, `me` endpoints 
- Add `AuthGuard` to guard endpoints where users should be
authenticated. To use, just add this `@UseGuards(AuthGuard('supabase'))`
- Created profiles database with following columns:
<img width="972" alt="image"
src="https://github.com/user-attachments/assets/fba00cd9-32cf-4b7e-aac6-9432b3daf486">
- Added Row Level Security for selecting, inserting and modifying
- Uses Supabase generated types and added a `update-types` command (can
automate in workflow in future)

Author: javinchua

project/apps/api-gateway/.env.example

@@ -0,0 +1,2 @@
+SUPABASE_URL=your-supabase-url
+SUPABASE_KEY=your-supabase-key

project/apps/api-gateway/package.json

@@ -18,23 +18,32 @@
     "test:watch": "jest --watch",
     "test:cov": "jest --coverage",
     "test:debug": "node --inspect-brk -r tsconfig-paths/register -r ts-node/register node_modules/.bin/jest --runInBand",
-    "test:e2e": "jest --config ./test/jest-e2e.json"
+    "test:e2e": "jest --config ./test/jest-e2e.json",
+    "update-types": "npx supabase gen types --lang=typescript --project-id kamxbsekjfdzemvoevgz > src/supabase/database.types.ts"
   },
   "dependencies": {
     "@repo/pipes": "workspace:*",
     "@repo/dtos": "workspace:*",
     "@repo/eslint-config": "workspace:*",
     "@nestjs/common": "^10.0.0",
+    "@nestjs/config": "^3.2.3",
     "@nestjs/core": "^10.0.0",
     "@nestjs/microservices": "^10.4.3",
     "@nestjs/platform-express": "^10.0.0",
+    "@repo/dtos": "workspace:*",
+    "@repo/pipes": "workspace:*",
+    "@supabase/supabase-js": "^2.45.4",
+    "cookie-parser": "^1.4.6",
+    "nestjs-pino": "^4.1.0",
+    "pino-pretty": "^11.2.2",
     "reflect-metadata": "^0.2.0",
     "rxjs": "^7.8.1"
   },
   "devDependencies": {
     "@nestjs/cli": "^10.0.0",
     "@nestjs/schematics": "^10.0.0",
     "@nestjs/testing": "^10.0.0",
+    "@types/cookie-parser": "^1.4.7",
     "@types/express": "^4.17.17",
     "@types/jest": "^29.5.2",
     "@types/node": "^20.3.1",

project/apps/api-gateway/src/api-gateway.module.ts

@@ -1,9 +1,24 @@
 import { Module } from '@nestjs/common';
 import { ClientsModule, Transport } from '@nestjs/microservices';
 import { QuestionsController } from './questions/questions.controller';
+import { SupabaseService } from './supabase/supabase.service';
+import { ConfigModule } from '@nestjs/config';
+import { AuthController } from './auth/auth.controller';
+import { AuthService } from './auth/auth.service';
+import { LoggerModule } from 'nestjs-pino';
 
 @Module({
   imports: [
+    ConfigModule.forRoot({
+      isGlobal: true,
+    }),
+    LoggerModule.forRoot({
+      pinoHttp: {
+        transport: {
+          target: 'pino-pretty',
+        },
+      },
+    }),
     // Client for Questions Service
     ClientsModule.register([
       {
@@ -15,6 +30,7 @@ import { QuestionsController } from './questions/questions.controller';
       },
     ]),
   ],
-  controllers: [QuestionsController],
+  controllers: [QuestionsController, AuthController],
+  providers: [SupabaseService, AuthService],
 })
 export class ApiGatewayModule {}

project/apps/api-gateway/src/auth/auth.controller.ts

@@ -0,0 +1,71 @@
+import {
+  Body,
+  Controller,
+  Get,
+  HttpStatus,
+  Post,
+  Req,
+  Res,
+  UsePipes,
+} from '@nestjs/common';
+
+import {
+  SignInDto,
+  signInSchema,
+  SignUpDto,
+  signUpSchema,
+} from '@repo/dtos/auth';
+import { ZodValidationPipe } from '@repo/pipes/zod-validation-pipe.pipe';
+import { Request, Response } from 'express';
+import { AuthService } from './auth.service';
+
+@Controller('auth')
+export class AuthController {
+  constructor(private readonly authService: AuthService) {}
+
+  @Post('signup')
+  @UsePipes(new ZodValidationPipe(signUpSchema))
+  async signUp(@Body() body: SignUpDto, @Res() res: Response) {
+    const { userData, session } = await this.authService.signUp(body);
+    res.cookie('token', session.access_token, {
+      httpOnly: true,
+      secure: process.env.NODE_ENV === 'production',
+      sameSite: 'lax',
+      maxAge: 60 * 60 * 24 * 7 * 1000,
+    });
+
+    return res.status(HttpStatus.OK).json({ userData });
+  }
+
+  @Post('signin')
+  @UsePipes(new ZodValidationPipe(signInSchema))
+  async signIn(@Body() body: SignInDto, @Res() res: Response) {
+    const { userData, session } = await this.authService.signIn(body);
+    res.cookie('token', session.access_token, {
+      httpOnly: true,
+      secure: process.env.NODE_ENV === 'production',
+      sameSite: 'lax',
+      maxAge: 60 * 60 * 24 * 7 * 1000,
+    });
+
+    return res.status(HttpStatus.OK).json({ userData });
+  }
+
+  @Post('signout')
+  async signOut(@Res() res: Response) {
+    res.clearCookie('token');
+    return res
+      .status(HttpStatus.OK)
+      .json({ message: 'Signed out successfully' });
+  }
+
+  @Get('me')
+  async me(@Req() request: Request, @Res() res: Response) {
+    const token = request.cookies['token'];
+    if (!token) {
+      return res.status(HttpStatus.UNAUTHORIZED).json({ user: null });
+    }
+    const { userData } = await this.authService.me(token);
+    return res.status(HttpStatus.OK).json({ userData });
+  }
+}

project/apps/api-gateway/src/auth/auth.guard.ts

@@ -0,0 +1,32 @@
+import {
+  Injectable,
+  CanActivate,
+  ExecutionContext,
+  UnauthorizedException,
+} from '@nestjs/common';
+import { SupabaseService } from '../supabase/supabase.service';
+
+@Injectable()
+export class AuthGuard implements CanActivate {
+  constructor(private readonly supabaseService: SupabaseService) {}
+
+  async canActivate(context: ExecutionContext): Promise<boolean> {
+    const request = context.switchToHttp().getRequest();
+    const token = request.cookies['token'];
+
+    if (!token) {
+      throw new UnauthorizedException('No token found');
+    }
+
+    const { data, error } = await this.supabaseService
+      .getClient()
+      .auth.getUser(token);
+
+    if (error || !data) {
+      throw new UnauthorizedException('Invalid token');
+    }
+
+    request.user = data;
+    return true;
+  }
+}

project/apps/api-gateway/src/auth/auth.service.ts

@@ -0,0 +1,114 @@
+import {
+  Injectable,
+  BadRequestException,
+  UnauthorizedException,
+} from '@nestjs/common';
+import { SupabaseService } from '../supabase/supabase.service';
+import { SignInDto, SignUpDto } from '@repo/dtos/auth';
+import { UserDetails } from 'src/supabase/collection';
+
+@Injectable()
+export class AuthService {
+  constructor(private readonly supabaseService: SupabaseService) {}
+  private readonly PROFILES_TABLE = 'profiles';
+
+  async me(token: string) {
+    const { data, error } = await this.supabaseService
+      .getClient()
+      .auth.getUser(token);
+
+    if (error) {
+      throw new UnauthorizedException(error.message);
+    }
+    const { user } = data;
+    if (!user || !data) {
+      throw new BadRequestException('Unexpected sign-in response.');
+    }
+    const { data: userData, error: profileError } = await this.supabaseService
+      .getClient()
+      .from(this.PROFILES_TABLE)
+      .select(`id, email, username`)
+      .eq('id', user.id)
+      .returns<UserDetails[]>()
+      .single();
+    if (profileError) {
+      throw new BadRequestException(profileError.message);
+    }
+    return { userData };
+  }
+
+  async signUp(signUpDto: SignUpDto) {
+    const { email, password, username } = signUpDto;
+
+    // Step 1: Create user in Supabase Auth
+    const { data, error } = await this.supabaseService.getClient().auth.signUp({
+      email,
+      password,
+      options: {
+        data: {
+          username,
+        },
+      },
+    });
+    if (error) {
+      throw new BadRequestException(error.message);
+    }
+    const { user, session } = data;
+
+    if (!user || !session) {
+      throw new BadRequestException('Unexpected error occured');
+    }
+
+    // Step 2: Insert profile data into profiles table
+    const { data: userData, error: profileError } = await this.supabaseService
+      .getClient()
+      .from(this.PROFILES_TABLE)
+      .insert([
+        {
+          id: user.id,
+          username,
+          email,
+        },
+      ])
+      .returns<UserDetails[]>()
+      .single();
+
+    if (profileError) {
+      // Delete the created user if profile creation fails
+      await this.supabaseService.getClient().auth.admin.deleteUser(user.id);
+      throw new BadRequestException(profileError.message);
+    }
+
+    // Return user and session information
+    return { userData, session };
+  }
+
+  async signIn(signInDto: SignInDto) {
+    const { email, password } = signInDto;
+    const { data, error } = await this.supabaseService
+      .getClient()
+      .auth.signInWithPassword({ email, password });
+
+    if (error) {
+      throw new BadRequestException(error.message);
+    }
+    const { user, session } = data;
+    if (!user || !data) {
+      throw new BadRequestException('Unexpected sign-in response.');
+    }
+
+    const { data: userData, error: profileError } = await this.supabaseService
+      .getClient()
+      .from(this.PROFILES_TABLE)
+      .select(`id, email, username`)
+      .eq('id', user.id)
+      .returns<UserDetails[]>()
+      .single();
+
+    if (profileError) {
+      throw new BadRequestException(profileError.message);
+    }
+
+    return { userData, session };
+  }
+}

project/apps/api-gateway/src/main.ts

@@ -2,9 +2,17 @@ import { NestFactory } from '@nestjs/core';
 import { ApiGatewayModule } from './api-gateway.module';
 import { RpcExceptionFilter } from './filters/rpc-exception.filter';
 import { RpcExceptionInterceptor } from './interceptors/rpc-exception.interceptor';
+import * as cookieParser from 'cookie-parser';
+import { Logger } from 'nestjs-pino';
 
 async function bootstrap() {
-  const app = await NestFactory.create(ApiGatewayModule);
+  const app = await NestFactory.create(ApiGatewayModule, { bufferLogs: true });
+  app.use(cookieParser());
+  app.useLogger(app.get(Logger));
+  app.enableCors({
+    origin: 'http://localhost:3000',
+    credentials: true,
+  });
   app.useGlobalFilters(new RpcExceptionFilter());
   app.useGlobalInterceptors(new RpcExceptionInterceptor());
   await app.listen(4000);

project/apps/api-gateway/src/questions/questions.controller.ts

@@ -7,15 +7,17 @@ import {
   Inject,
   Body,
   Post,
+  UseGuards,
   Put,
   Delete,
   Query,
 } from '@nestjs/common';
 import { ClientProxy } from '@nestjs/microservices';
-
+import { AuthGuard } from 'src/auth/auth.guard';
 import { CreateQuestionDto, UpdateQuestionDto } from '@repo/dtos/questions';
 
 @Controller('questions')
+@UseGuards(AuthGuard) // Can comment out if we dw auth for now
 export class QuestionsController {
   constructor(
     @Inject('QUESTIONS_SERVICE')

project/apps/api-gateway/src/supabase/collection.ts

@@ -0,0 +1,2 @@
+import { Tables } from './database.types';
+export type UserDetails = Tables<'profiles'>;