Merge pull request #1226 from joshunrau/libnest-v8

update libnest to v8. also adds new feature to playground for persistent login with custom limited scope access token.

Author: joshunrau

.github/workflows/ci.yaml

@@ -18,10 +18,6 @@ jobs:
           node-version-file: '.nvmrc'
       - name: Generate Environment
         run: ./scripts/generate-env.sh
-      - name: Setup Mongo
-        run: |
-          docker run -d --name mongo -p 27017:27017 mongo:7 --replSet rs0
-          docker exec mongo mongosh --eval "rs.initiate({_id: 'rs0', members: [{_id: 0, host: 'localhost:27017'}]});"
       - name: Configure Git
         run: |
           # necessary for the git commands used for release info

apps/api/libnest.config.ts

@@ -1,23 +1,25 @@
-/* eslint-disable @typescript-eslint/no-namespace */
 /* eslint-disable @typescript-eslint/no-empty-object-type */
 /* eslint-disable @typescript-eslint/consistent-type-definitions */
+/* eslint-disable @typescript-eslint/no-namespace */
 
 import * as fs from 'node:fs/promises';
 import * as path from 'node:path';
 import * as url from 'node:url';
 
 import { defineUserConfig } from '@douglasneuroinformatics/libnest/user-config';
-import type { InferUserConfig } from '@douglasneuroinformatics/libnest/user-config';
 import { getReleaseInfo } from '@opendatacapture/release-info';
 import type { TokenPayload } from '@opendatacapture/schemas/auth';
-import type { Permissions } from '@opendatacapture/schemas/core';
+
+import type { AppAbility } from '@/auth/auth.types.js';
+import type { RuntimePrismaClient } from '@/core/prisma.js';
+import type { $Env } from '@/core/schemas/env.schema.js';
 
 declare module '@douglasneuroinformatics/libnest/user-config' {
-  export interface UserConfig extends InferUserConfig<typeof config> {}
   export namespace UserTypes {
-    export interface JwtPayload extends TokenPayload {}
-    export interface UserQueryMetadata {
-      additionalPermissions?: Permissions;
+    export interface Env extends $Env {}
+    export interface PrismaClient extends RuntimePrismaClient {}
+    export interface RequestUser extends TokenPayload {
+      ability: AppAbility;
     }
   }
 }

apps/api/package.json

@@ -15,15 +15,19 @@
     "test": "env-cmd -f ../../.env vitest"
   },
   "dependencies": {
+    "@casl/ability": "^6.7.3",
+    "@casl/prisma": "^1.5.1",
     "@douglasneuroinformatics/libcrypto": "catalog:",
     "@douglasneuroinformatics/libjs": "catalog:",
-    "@douglasneuroinformatics/libnest": "^7.3.3",
+    "@douglasneuroinformatics/libnest": "^8.0.1",
     "@douglasneuroinformatics/libpasswd": "catalog:",
     "@douglasneuroinformatics/libstats": "catalog:",
     "@faker-js/faker": "^9.4.0",
     "@nestjs/axios": "^4.0.0",
     "@nestjs/common": "^11.0.11",
     "@nestjs/core": "^11.0.11",
+    "@nestjs/jwt": "^11.0.0",
+    "@nestjs/passport": "^11.0.5",
     "@nestjs/platform-express": "^11.0.11",
     "@nestjs/swagger": "^11.0.6",
     "@opendatacapture/demo": "workspace:*",
@@ -39,7 +43,9 @@
     "express": "^5.0.1",
     "lodash-es": "workspace:lodash-es__4.x@*",
     "mongodb": "^6.15.0",
-    "neverthrow": "^8.2.0",
+    "neverthrow": "catalog:",
+    "passport": "^0.7.0",
+    "passport-jwt": "^4.0.1",
     "reflect-metadata": "^0.1.14",
     "rxjs": "^7.8.2",
     "ts-pattern": "workspace:ts-pattern__5.x@*",
@@ -48,6 +54,9 @@
   "devDependencies": {
     "@nestjs/testing": "^11.0.11",
     "@types/express": "^5.0.0",
+    "@types/passport": "^1.0.17",
+    "@types/passport-jwt": "^4.0.1",
+    "mongodb-memory-server": "^10.3.0",
     "prisma": "catalog:",
     "prisma-json-types-generator": "^3.2.2"
   },

apps/api/src/assignments/assignments.controller.ts

@@ -1,9 +1,11 @@
-import { CurrentUser, RouteAccess } from '@douglasneuroinformatics/libnest';
-import type { AppAbility } from '@douglasneuroinformatics/libnest';
-import { Body, Controller, Get, Param, Patch, Post, Query } from '@nestjs/common/decorators';
+import { CurrentUser } from '@douglasneuroinformatics/libnest';
+import { Body, Controller, Get, Param, Patch, Post, Query } from '@nestjs/common';
 import { ApiOperation } from '@nestjs/swagger';
 import type { Assignment } from '@opendatacapture/schemas/assignment';
 
+import type { AppAbility } from '@/auth/auth.types';
+import { RouteAccess } from '@/core/decorators/route-access.decorator';
+
 import { AssignmentsService } from './assignments.service';
 import { CreateAssignmentDto } from './dto/create-assignment.dto';
 import { UpdateAssignmentDto } from './dto/update-assignment.dto';

apps/api/src/assignments/assignments.service.ts

@@ -1,11 +1,12 @@
 import crypto from 'node:crypto';
 
 import { HybridCrypto } from '@douglasneuroinformatics/libcrypto';
-import { accessibleQuery, ConfigService, InjectModel } from '@douglasneuroinformatics/libnest';
+import { ConfigService, InjectModel } from '@douglasneuroinformatics/libnest';
 import type { Model } from '@douglasneuroinformatics/libnest';
 import { Injectable, NotFoundException } from '@nestjs/common';
 import type { Assignment, UpdateAssignmentData } from '@opendatacapture/schemas/assignment';
 
+import { accessibleQuery } from '@/auth/ability.utils';
 import type { EntityOperationOptions } from '@/core/types';
 import { GatewayService } from '@/gateway/gateway.service';
 

apps/api/src/auth/__tests__/ability.utils.test.ts

@@ -0,0 +1,24 @@
+import { describe, expect, it, vi } from 'vitest';
+
+import { accessibleQuery } from '../ability.utils';
+
+const accessibleBy = vi.hoisted(() => vi.fn());
+
+vi.mock('@casl/prisma/runtime', () => ({
+  createAccessibleByFactory: () => accessibleBy
+}));
+
+describe('accessibleQuery', () => {
+  it('should return an empty object if ability is undefined', () => {
+    expect(accessibleQuery(undefined, 'manage', 'User')).toStrictEqual({});
+    expect(accessibleBy).not.toHaveBeenCalled();
+  });
+  it('should call accessibleBy with the correct parameters and return the result of accessibleBy for the model', () => {
+    accessibleBy.mockReturnValueOnce({
+      User: 'QUERY'
+    });
+    const ability = vi.fn();
+    expect(accessibleQuery(ability as any, 'manage', 'User')).toStrictEqual('QUERY');
+    expect(accessibleBy).toHaveBeenCalledExactlyOnceWith(ability, 'manage');
+  });
+});

apps/api/src/auth/ability.factory.ts

@@ -0,0 +1,63 @@
+import { AbilityBuilder } from '@casl/ability';
+import { createPrismaAbility } from '@casl/prisma';
+import { LoggingService } from '@douglasneuroinformatics/libnest';
+import { Injectable } from '@nestjs/common';
+import type { TokenPayload } from '@opendatacapture/schemas/auth';
+
+import { createAppAbility, detectAppSubject } from './ability.utils';
+
+import type { AppAbility, Permission } from './auth.types';
+
+@Injectable()
+export class AbilityFactory {
+  constructor(private readonly loggingService: LoggingService) {}
+
+  createForPayload(payload: Omit<TokenPayload, 'permissions'>): AppAbility {
+    this.loggingService.verbose({
+      message: 'Creating Ability From Payload',
+      payload
+    });
+    const ability = new AbilityBuilder<AppAbility>(createPrismaAbility);
+    const groupIds = payload.groups.map((group) => group.id);
+    switch (payload.basePermissionLevel) {
+      case 'ADMIN':
+        ability.can('manage', 'all');
+        break;
+      case 'GROUP_MANAGER':
+        ability.can('manage', 'Assignment', { groupId: { in: groupIds } });
+        ability.can('manage', 'Group', { id: { in: groupIds } });
+        ability.can('read', 'Instrument');
+        ability.can('create', 'InstrumentRecord');
+        ability.can('read', 'InstrumentRecord', { groupId: { in: groupIds } });
+        ability.can('create', 'Session');
+        ability.can('read', 'Session', { groupId: { in: groupIds } });
+        ability.can('create', 'Subject');
+        ability.can('read', 'Subject', { groupIds: { hasSome: groupIds } });
+        ability.can('read', 'User', { groupIds: { hasSome: groupIds } });
+        break;
+      case 'STANDARD':
+        ability.can('read', 'Group', { id: { in: groupIds } });
+        ability.can('read', 'Instrument');
+        ability.can('create', 'InstrumentRecord');
+        ability.can('read', 'Session', { groupId: { in: groupIds } });
+        ability.can('create', 'Session');
+        ability.can('create', 'Subject');
+        ability.can('read', 'Subject', { groupIds: { hasSome: groupIds } });
+        break;
+    }
+    payload.additionalPermissions?.forEach(({ action, subject }) => {
+      ability.can(action, subject);
+    });
+    return ability.build({
+      detectSubjectType: detectAppSubject
+    });
+  }
+
+  createForPermissions(permissions: Permission[]): AppAbility {
+    this.loggingService.verbose({
+      message: 'Creating Ability From Permissions',
+      permissions
+    });
+    return createAppAbility(permissions);
+  }
+}

apps/api/src/auth/ability.utils.ts

@@ -0,0 +1,35 @@
+import { detectSubjectType } from '@casl/ability';
+import { createPrismaAbility } from '@casl/prisma';
+import type { PrismaQuery } from '@casl/prisma';
+import { createAccessibleByFactory } from '@casl/prisma/runtime';
+import type { AppSubject, Prisma } from '@prisma/client';
+
+import type { PrismaModelWhereInputMap } from '@/core/prisma';
+
+import type { AppAbilities, AppAbility, AppAction, Permission } from './auth.types';
+
+const accessibleBy = createAccessibleByFactory<PrismaModelWhereInputMap, PrismaQuery>();
+
+export function detectAppSubject(obj: { [key: string]: any }) {
+  if (typeof obj.__modelName === 'string') {
+    return obj.__modelName as AppSubject;
+  }
+  return detectSubjectType(obj) as AppSubject;
+}
+
+export function createAppAbility(permissions: Permission[]): AppAbility {
+  return createPrismaAbility<AppAbilities>(permissions, {
+    detectSubjectType: detectAppSubject
+  });
+}
+
+export function accessibleQuery<T extends Prisma.ModelName>(
+  ability: AppAbility | undefined,
+  action: AppAction,
+  modelName: T
+): NonNullable<PrismaModelWhereInputMap[T]> {
+  if (!ability) {
+    return {};
+  }
+  return accessibleBy(ability, action)[modelName]!;
+}

apps/api/src/auth/auth.controller.ts

@@ -0,0 +1,29 @@
+import { CurrentUser } from '@douglasneuroinformatics/libnest';
+import type { RequestUser } from '@douglasneuroinformatics/libnest';
+import { Body, Controller, Get, HttpCode, HttpStatus, Post } from '@nestjs/common';
+import { ApiOperation } from '@nestjs/swagger';
+import { $LoginCredentials } from '@opendatacapture/schemas/auth';
+
+import { RouteAccess } from '@/core/decorators/route-access.decorator.js';
+
+import { AuthService } from './auth.service.js';
+
+@Controller({ path: 'auth' })
+export class AuthController {
+  constructor(private readonly authService: AuthService) {}
+
+  @Get('create-instrument-token')
+  @HttpCode(HttpStatus.OK)
+  @RouteAccess({ action: 'create', subject: 'Instrument' })
+  async getCreateInstrumentToken(@CurrentUser() currentUser: RequestUser): Promise<{ accessToken: string }> {
+    return this.authService.getCreateInstrumentToken(currentUser);
+  }
+
+  @ApiOperation({ summary: 'Login' })
+  @HttpCode(HttpStatus.OK)
+  @Post('login')
+  @RouteAccess('public')
+  async login(@Body() credentials: $LoginCredentials): Promise<{ accessToken: string }> {
+    return this.authService.login(credentials);
+  }
+}

apps/api/src/auth/auth.module.ts

@@ -0,0 +1,35 @@
+import { ConfigService } from '@douglasneuroinformatics/libnest';
+import { Module } from '@nestjs/common';
+import { APP_GUARD } from '@nestjs/core';
+import { JwtModule } from '@nestjs/jwt';
+
+import { UsersModule } from '@/users/users.module';
+
+import { AbilityFactory } from './ability.factory';
+import { AuthController } from './auth.controller';
+import { AuthService } from './auth.service';
+import { JwtAuthGuard } from './guards/jwt-auth.guard';
+import { JwtStrategy } from './strategies/jwt.strategy';
+
+@Module({
+  controllers: [AuthController],
+  imports: [
+    JwtModule.registerAsync({
+      inject: [ConfigService],
+      useFactory: (configService: ConfigService) => ({
+        secret: configService.get('SECRET_KEY')
+      })
+    }),
+    UsersModule
+  ],
+  providers: [
+    AbilityFactory,
+    AuthService,
+    JwtStrategy,
+    {
+      provide: APP_GUARD,
+      useClass: JwtAuthGuard
+    }
+  ]
+})
+export class AuthModule {}