Skip to content

update libnest to v8 #1226

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
joshunrau merged 34 commits into from
Nov 19, 2025
Merged

update libnest to v8 #1226

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
34 commits
Select commit Hold shift + click to select a range
38eb059
chore: update libnest to v8
joshunrau Nov 5, 2025
f57d373
refactor: implement libnest v8
joshunrau Nov 5, 2025
eeca32c
test: add redirect test
joshunrau Nov 5, 2025
b6ad230
test: remove global env setup complete
joshunrau Nov 5, 2025
45c549c
refactor: rename prisma.client to prisma
joshunrau Nov 5, 2025
c4100e8
add mongodb-memory-server
joshunrau Nov 5, 2025
342a41e
implement memory db for test
joshunrau Nov 5, 2025
0b246c4
fix esm issue with new swc version
joshunrau Nov 5, 2025
17d9ff7
fix type import of config service
joshunrau Nov 5, 2025
22a3712
cleanup and add tests
joshunrau Nov 5, 2025
5ca6d83
remove setup mongo from ci
joshunrau Nov 6, 2025
b55be28
add defineSeriesInstrument function
joshunrau Nov 6, 2025
c6c45c8
pipe stdout in ci test
joshunrau Nov 6, 2025
29f3875
update runtime to v1.8.8
joshunrau Nov 6, 2025
07205bd
remove open access forms moved to other repo
joshunrau Nov 6, 2025
8408df3
merge branch 'main' into libnest-v8
joshunrau Nov 19, 2025
0639d84
reinstall deps
joshunrau Nov 19, 2025
c06cd80
fix request user types
joshunrau Nov 19, 2025
08e437a
add getCreateInstrumentToken
joshunrau Nov 19, 2025
c68ba1c
add login form to playground
joshunrau Nov 19, 2025
57ebc73
add auth slice to playground
joshunrau Nov 19, 2025
d1e5df4
add payload to auth
joshunrau Nov 19, 2025
562ec4a
add login dialog
joshunrau Nov 19, 2025
03c0051
add neverthrow to catalog
joshunrau Nov 19, 2025
03d22be
update login dialog
joshunrau Nov 19, 2025
b4a29fa
update upload dialog
joshunrau Nov 19, 2025
2cec2d3
add login button
joshunrau Nov 19, 2025
d0b3988
add login status
joshunrau Nov 19, 2025
3d3d7d7
add login workflow
joshunrau Nov 19, 2025
33668a5
persist access token
joshunrau Nov 19, 2025
2b72881
add revalidate
joshunrau Nov 19, 2025
8aae222
use revalidate token
joshunrau Nov 19, 2025
15b094a
Update apps/api/src/instrument-records/instrument-records.controller.ts
joshunrau Nov 19, 2025
edc56f6
increment version
joshunrau Nov 19, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 0 additions & 4 deletions .github/workflows/ci.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,10 +18,6 @@ jobs:
node-version-file: '.nvmrc'
- name: Generate Environment
run: ./scripts/generate-env.sh
- name: Setup Mongo
run: |
docker run -d --name mongo -p 27017:27017 mongo:7 --replSet rs0
docker exec mongo mongosh --eval "rs.initiate({_id: 'rs0', members: [{_id: 0, host: 'localhost:27017'}]});"
- name: Configure Git
run: |
# necessary for the git commands used for release info
Expand Down
16 changes: 9 additions & 7 deletions apps/api/libnest.config.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,23 +1,25 @@
/* eslint-disable @typescript-eslint/no-namespace */
/* eslint-disable @typescript-eslint/no-empty-object-type */
/* eslint-disable @typescript-eslint/consistent-type-definitions */
/* eslint-disable @typescript-eslint/no-namespace */

import * as fs from 'node:fs/promises';
import * as path from 'node:path';
import * as url from 'node:url';

import { defineUserConfig } from '@douglasneuroinformatics/libnest/user-config';
import type { InferUserConfig } from '@douglasneuroinformatics/libnest/user-config';
import { getReleaseInfo } from '@opendatacapture/release-info';
import type { TokenPayload } from '@opendatacapture/schemas/auth';
import type { Permissions } from '@opendatacapture/schemas/core';

import type { AppAbility } from '@/auth/auth.types.js';
import type { RuntimePrismaClient } from '@/core/prisma.js';
import type { $Env } from '@/core/schemas/env.schema.js';

declare module '@douglasneuroinformatics/libnest/user-config' {
export interface UserConfig extends InferUserConfig<typeof config> {}
export namespace UserTypes {
export interface JwtPayload extends TokenPayload {}
export interface UserQueryMetadata {
additionalPermissions?: Permissions;
export interface Env extends $Env {}
export interface PrismaClient extends RuntimePrismaClient {}
export interface RequestUser extends TokenPayload {
ability: AppAbility;
}
}
}
Expand Down
13 changes: 11 additions & 2 deletions apps/api/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -15,15 +15,19 @@
"test": "env-cmd -f ../../.env vitest"
},
"dependencies": {
"@casl/ability": "^6.7.3",
"@casl/prisma": "^1.5.1",
"@douglasneuroinformatics/libcrypto": "catalog:",
"@douglasneuroinformatics/libjs": "catalog:",
"@douglasneuroinformatics/libnest": "^7.3.3",
"@douglasneuroinformatics/libnest": "^8.0.1",
"@douglasneuroinformatics/libpasswd": "catalog:",
"@douglasneuroinformatics/libstats": "catalog:",
"@faker-js/faker": "^9.4.0",
"@nestjs/axios": "^4.0.0",
"@nestjs/common": "^11.0.11",
"@nestjs/core": "^11.0.11",
"@nestjs/jwt": "^11.0.0",
"@nestjs/passport": "^11.0.5",
"@nestjs/platform-express": "^11.0.11",
"@nestjs/swagger": "^11.0.6",
"@opendatacapture/demo": "workspace:*",
Expand All @@ -39,7 +43,9 @@
"express": "^5.0.1",
"lodash-es": "workspace:lodash-es__4.x@*",
"mongodb": "^6.15.0",
"neverthrow": "^8.2.0",
"neverthrow": "catalog:",
"passport": "^0.7.0",
"passport-jwt": "^4.0.1",
"reflect-metadata": "^0.1.14",
"rxjs": "^7.8.2",
"ts-pattern": "workspace:ts-pattern__5.x@*",
Expand All @@ -48,6 +54,9 @@
"devDependencies": {
"@nestjs/testing": "^11.0.11",
"@types/express": "^5.0.0",
"@types/passport": "^1.0.17",
"@types/passport-jwt": "^4.0.1",
"mongodb-memory-server": "^10.3.0",
"prisma": "catalog:",
"prisma-json-types-generator": "^3.2.2"
},
Expand Down
8 changes: 5 additions & 3 deletions apps/api/src/assignments/assignments.controller.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,9 +1,11 @@
import { CurrentUser, RouteAccess } from '@douglasneuroinformatics/libnest';
import type { AppAbility } from '@douglasneuroinformatics/libnest';
import { Body, Controller, Get, Param, Patch, Post, Query } from '@nestjs/common/decorators';
import { CurrentUser } from '@douglasneuroinformatics/libnest';
import { Body, Controller, Get, Param, Patch, Post, Query } from '@nestjs/common';
import { ApiOperation } from '@nestjs/swagger';
import type { Assignment } from '@opendatacapture/schemas/assignment';

import type { AppAbility } from '@/auth/auth.types';
import { RouteAccess } from '@/core/decorators/route-access.decorator';

import { AssignmentsService } from './assignments.service';
import { CreateAssignmentDto } from './dto/create-assignment.dto';
import { UpdateAssignmentDto } from './dto/update-assignment.dto';
Expand Down
3 changes: 2 additions & 1 deletion apps/api/src/assignments/assignments.service.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,11 +1,12 @@
import crypto from 'node:crypto';

import { HybridCrypto } from '@douglasneuroinformatics/libcrypto';
import { accessibleQuery, ConfigService, InjectModel } from '@douglasneuroinformatics/libnest';
import { ConfigService, InjectModel } from '@douglasneuroinformatics/libnest';
import type { Model } from '@douglasneuroinformatics/libnest';
import { Injectable, NotFoundException } from '@nestjs/common';
import type { Assignment, UpdateAssignmentData } from '@opendatacapture/schemas/assignment';

import { accessibleQuery } from '@/auth/ability.utils';
import type { EntityOperationOptions } from '@/core/types';
import { GatewayService } from '@/gateway/gateway.service';

Expand Down
24 changes: 24 additions & 0 deletions apps/api/src/auth/__tests__/ability.utils.test.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,24 @@
import { describe, expect, it, vi } from 'vitest';

import { accessibleQuery } from '../ability.utils';

const accessibleBy = vi.hoisted(() => vi.fn());

vi.mock('@casl/prisma/runtime', () => ({
createAccessibleByFactory: () => accessibleBy
}));

describe('accessibleQuery', () => {
it('should return an empty object if ability is undefined', () => {
expect(accessibleQuery(undefined, 'manage', 'User')).toStrictEqual({});
expect(accessibleBy).not.toHaveBeenCalled();
});
it('should call accessibleBy with the correct parameters and return the result of accessibleBy for the model', () => {
accessibleBy.mockReturnValueOnce({
User: 'QUERY'
});
const ability = vi.fn();
expect(accessibleQuery(ability as any, 'manage', 'User')).toStrictEqual('QUERY');
expect(accessibleBy).toHaveBeenCalledExactlyOnceWith(ability, 'manage');
});
});
63 changes: 63 additions & 0 deletions apps/api/src/auth/ability.factory.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,63 @@
import { AbilityBuilder } from '@casl/ability';
import { createPrismaAbility } from '@casl/prisma';
import { LoggingService } from '@douglasneuroinformatics/libnest';
import { Injectable } from '@nestjs/common';
import type { TokenPayload } from '@opendatacapture/schemas/auth';

import { createAppAbility, detectAppSubject } from './ability.utils';

import type { AppAbility, Permission } from './auth.types';

@Injectable()
export class AbilityFactory {
constructor(private readonly loggingService: LoggingService) {}

createForPayload(payload: Omit<TokenPayload, 'permissions'>): AppAbility {
this.loggingService.verbose({
message: 'Creating Ability From Payload',
payload
});
const ability = new AbilityBuilder<AppAbility>(createPrismaAbility);
const groupIds = payload.groups.map((group) => group.id);
switch (payload.basePermissionLevel) {
case 'ADMIN':
ability.can('manage', 'all');
break;
case 'GROUP_MANAGER':
ability.can('manage', 'Assignment', { groupId: { in: groupIds } });
ability.can('manage', 'Group', { id: { in: groupIds } });
ability.can('read', 'Instrument');
ability.can('create', 'InstrumentRecord');
ability.can('read', 'InstrumentRecord', { groupId: { in: groupIds } });
ability.can('create', 'Session');
ability.can('read', 'Session', { groupId: { in: groupIds } });
ability.can('create', 'Subject');
ability.can('read', 'Subject', { groupIds: { hasSome: groupIds } });
ability.can('read', 'User', { groupIds: { hasSome: groupIds } });
break;
case 'STANDARD':
ability.can('read', 'Group', { id: { in: groupIds } });
ability.can('read', 'Instrument');
ability.can('create', 'InstrumentRecord');
ability.can('read', 'Session', { groupId: { in: groupIds } });
ability.can('create', 'Session');
ability.can('create', 'Subject');
ability.can('read', 'Subject', { groupIds: { hasSome: groupIds } });
break;
Comment on lines +22 to +46
Copy link
Contributor

@coderabbitai coderabbitai bot Nov 5, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

Verify that create permissions for InstrumentRecord, Session, and Subject are properly scoped at the service layer.

The permission rules allow GROUP_MANAGER and STANDARD users to create records without explicit ability-level constraints on which groups they can create for. Ensure that service methods enforce group membership checks when creating these entities.

🏁 Script executed:

#!/bin/bash
# Verify that create methods in services enforce group scoping

echo "=== Checking InstrumentRecords Service ==="
rg -A 10 -B 2 'create.*InstrumentRecord' --type=ts apps/api/src/instrument-records/

echo -e "\n=== Checking Sessions Service ==="
rg -A 10 -B 2 'create.*Session' --type=ts apps/api/src/sessions/

echo -e "\n=== Checking Subjects Service ==="
rg -A 10 -B 2 'create.*Subject' --type=ts apps/api/src/subjects/

Length of output: 8128

🏁 Script executed:

#!/bin/bash
# Find @RouteAccess decorator implementation and Sessions/InstrumentRecords create implementations

echo "=== Finding @RouteAccess decorator ==="
fd -t f '@RouteAccess' --type ts apps/api/src/ || rg -l '@RouteAccess' apps/api/src/ --type ts | head -5

echo -e "\n=== Checking for RouteAccess decorator definition ==="
rg -A 5 -B 2 'RouteAccess.*decorator\|export.*RouteAccess' --type=ts apps/api/src/

echo -e "\n=== Sessions service.create full implementation ==="
rg -A 30 'async create\(' apps/api/src/sessions/sessions.service.ts

echo -e "\n=== InstrumentRecords service.create full implementation ==="
rg -A 30 'async create\(' apps/api/src/instrument-records/instrument-records.service.ts

Length of output: 2843

🏁 Script executed:

#!/bin/bash
# Verify groupsService.findById and Sessions controller behavior

echo "=== GroupsService.findById implementation ==="
rg -A 15 'async findById\(' apps/api/src/groups/groups.service.ts

echo -e "\n=== Sessions controller.create full method ==="
rg -B 5 -A 10 'create\(@Body\(\)' apps/api/src/sessions/sessions.controller.ts

echo -e "\n=== Search for RouteAccess definition ==="
rg 'export.*RouteAccess\|function RouteAccess' apps/api/src/ -A 3

Length of output: 1017

🏁 Script executed:

#!/bin/bash
# Final verification: check Subjects controller and RouteAccess type

echo "=== Subjects controller.create method ==="
rg -B 3 -A 8 '@RouteAccess.*Subject' apps/api/src/subjects/subjects.controller.ts | grep -A 8 'create\('

echo -e "\n=== RouteAccess in common/auth or shared ==="
find apps/api/src -name '*.ts' -exec grep -l 'export.*RouteAccess\|RouteAccess.*=' {} \; 2>/dev/null | head -3

echo -e "\n=== Check RouteAccess import source ==="
rg 'import.*RouteAccess' apps/api/src/sessions/sessions.controller.ts

Length of output: 337

🏁 Script executed:

#!/bin/bash
# Check RouteAccess decorator implementation and Subjects controller

echo "=== RouteAccess decorator implementation ==="
cat apps/api/src/core/decorators/route-access.decorator.ts

echo -e "\n=== Subjects controller.create full method ==="
rg -B 2 -A 12 'create\(@Body' apps/api/src/subjects/subjects.controller.ts

Length of output: 1348

🏁 Script executed:

#!/bin/bash
# Check Subjects service create method (not createMany)

echo "=== Subjects service.create implementation ==="
rg -A 20 'async create\(' apps/api/src/subjects/subjects.service.ts | head -30

Length of output: 647

Authorization bypass in Sessions and Subjects create endpoints.

Verification confirms the original concern: Session and Subject create operations bypass authorization checks.

  • Sessions: Controller doesn't pass ability to service; service calls groupsService.findById(groupId) without ability, allowing any user to create sessions for any group.
  • Subjects: Controller doesn't pass ability to service; service.create() doesn't use accessibleQuery at all, allowing any user to create subjects.
  • InstrumentRecords: Properly scoped—controller passes ability through the service chain and checks group access.

Both Sessions and Subjects endpoints need ability enforcement at the service layer, following the InstrumentRecords pattern: pass ability from controller and use accessibleQuery in service create methods.

}
payload.additionalPermissions?.forEach(({ action, subject }) => {
ability.can(action, subject);
});
return ability.build({
detectSubjectType: detectAppSubject
});
}

createForPermissions(permissions: Permission[]): AppAbility {
this.loggingService.verbose({
message: 'Creating Ability From Permissions',
permissions
});
return createAppAbility(permissions);
}
}
35 changes: 35 additions & 0 deletions apps/api/src/auth/ability.utils.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
import { detectSubjectType } from '@casl/ability';
import { createPrismaAbility } from '@casl/prisma';
import type { PrismaQuery } from '@casl/prisma';
import { createAccessibleByFactory } from '@casl/prisma/runtime';
import type { AppSubject, Prisma } from '@prisma/client';

import type { PrismaModelWhereInputMap } from '@/core/prisma';

import type { AppAbilities, AppAbility, AppAction, Permission } from './auth.types';

const accessibleBy = createAccessibleByFactory<PrismaModelWhereInputMap, PrismaQuery>();

export function detectAppSubject(obj: { [key: string]: any }) {
if (typeof obj.__modelName === 'string') {
return obj.__modelName as AppSubject;
}
return detectSubjectType(obj) as AppSubject;
}

export function createAppAbility(permissions: Permission[]): AppAbility {
return createPrismaAbility<AppAbilities>(permissions, {
detectSubjectType: detectAppSubject
});
}

export function accessibleQuery<T extends Prisma.ModelName>(
ability: AppAbility | undefined,
action: AppAction,
modelName: T
): NonNullable<PrismaModelWhereInputMap[T]> {
if (!ability) {
return {};
}
return accessibleBy(ability, action)[modelName]!;
}
29 changes: 29 additions & 0 deletions apps/api/src/auth/auth.controller.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
import { CurrentUser } from '@douglasneuroinformatics/libnest';
import type { RequestUser } from '@douglasneuroinformatics/libnest';
import { Body, Controller, Get, HttpCode, HttpStatus, Post } from '@nestjs/common';
import { ApiOperation } from '@nestjs/swagger';
import { $LoginCredentials } from '@opendatacapture/schemas/auth';

import { RouteAccess } from '@/core/decorators/route-access.decorator.js';

import { AuthService } from './auth.service.js';

@Controller({ path: 'auth' })
export class AuthController {
constructor(private readonly authService: AuthService) {}

@Get('create-instrument-token')
@HttpCode(HttpStatus.OK)
@RouteAccess({ action: 'create', subject: 'Instrument' })
async getCreateInstrumentToken(@CurrentUser() currentUser: RequestUser): Promise<{ accessToken: string }> {
return this.authService.getCreateInstrumentToken(currentUser);
}

@ApiOperation({ summary: 'Login' })
@HttpCode(HttpStatus.OK)
@Post('login')
@RouteAccess('public')
async login(@Body() credentials: $LoginCredentials): Promise<{ accessToken: string }> {
return this.authService.login(credentials);
}
Comment on lines +22 to +28
Copy link
Contributor

@coderabbitai coderabbitai bot Nov 19, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

Consider rate limiting and enhance API documentation.

The login endpoint is publicly accessible and lacks visible rate limiting, making it vulnerable to brute-force attacks. Also consider documenting error responses (401, 400) using @ApiResponse decorators.

Verify rate limiting configuration:

If rate limiting isn't configured, consider adding it:

import { Throttle } from '@nestjs/throttler';

// Add above the login method:
@Throttle({ default: { limit: 5, ttl: 60000 } }) // 5 attempts per minute

🏁 Script executed:

#!/bin/bash
# Check if rate limiting is configured globally or on auth routes
rg -nP --type=ts -C5 'ThrottlerModule|RateLimit|@Throttle'

Length of output: 0

🏁 Script executed:

#!/bin/bash
# Check app.module.ts for ThrottlerModule import
fd -t f "app.module.ts" --exec cat {}

# Check main.ts for global guards or rate limiting setup
fd -t f "main.ts" --exec cat {}

# Search for any throttler-related imports in the codebase
rg -n "throttler|rate.limit" -i --type=ts

Length of output: 6568

Rate limiting is not configured. Add throttling to the login endpoint to prevent brute-force attacks.

Verification confirms no rate limiting is configured globally or on the auth routes. The login endpoint remains unprotected.

Add the @Throttle() decorator from @nestjs/throttler above the login method:

@Throttle({ default: { limit: 5, ttl: 60000 } })

Also document error responses using @ApiResponse decorators for 401 and 400 status codes.

🤖 Prompt for AI Agents 
In apps/api/src/auth/auth.controller.ts around lines 22 to 28, the login
endpoint lacks rate limiting and response documentation; add the Throttle
decorator from @nestjs/throttler directly above the login method with the
provided settings (limit 5, ttl 60000) and add @ApiResponse decorators for 401
(Unauthorized) and 400 (Bad Request) to document error responses; also update
imports to include Throttle from @nestjs/throttler and ApiResponse from
@nestjs/swagger, placing the decorators immediately above the method signature
so Nest registers throttling and Swagger documents the error responses.

}
35 changes: 35 additions & 0 deletions apps/api/src/auth/auth.module.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,35 @@
import { ConfigService } from '@douglasneuroinformatics/libnest';
import { Module } from '@nestjs/common';
import { APP_GUARD } from '@nestjs/core';
import { JwtModule } from '@nestjs/jwt';

import { UsersModule } from '@/users/users.module';

import { AbilityFactory } from './ability.factory';
import { AuthController } from './auth.controller';
import { AuthService } from './auth.service';
import { JwtAuthGuard } from './guards/jwt-auth.guard';
import { JwtStrategy } from './strategies/jwt.strategy';

@Module({
controllers: [AuthController],
imports: [
JwtModule.registerAsync({
inject: [ConfigService],
useFactory: (configService: ConfigService) => ({
secret: configService.get('SECRET_KEY')
})
}),
UsersModule
],
providers: [
AbilityFactory,
AuthService,
JwtStrategy,
{
provide: APP_GUARD,
useClass: JwtAuthGuard
}
]
})
export class AuthModule {}
73 changes: 73 additions & 0 deletions apps/api/src/auth/auth.service.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,73 @@
import { CryptoService } from '@douglasneuroinformatics/libnest';
import type { RequestUser } from '@douglasneuroinformatics/libnest';
import { ForbiddenException, Injectable, NotFoundException, UnauthorizedException } from '@nestjs/common';
import { JwtService } from '@nestjs/jwt';
import type { $LoginCredentials, TokenPayload } from '@opendatacapture/schemas/auth';
import type { Group, User } from '@prisma/client';

import { UsersService } from '@/users/users.service';

import { AbilityFactory } from './ability.factory';

@Injectable()
export class AuthService {
constructor(
private readonly abilityFactory: AbilityFactory,
private readonly cryptoService: CryptoService,
private readonly jwtService: JwtService,
private readonly usersService: UsersService
) {}

async getCreateInstrumentToken(currentUser: RequestUser) {
if (!currentUser.ability.can('create', 'Instrument')) {
throw new ForbiddenException();
}

const limitedAbility = this.abilityFactory.createForPermissions([{ action: 'create', subject: 'Instrument' }]);

return {
accessToken: await this.jwtService.signAsync({ permissions: limitedAbility.rules }, { expiresIn: '1h' })
};
}

async login(credentials: $LoginCredentials): Promise<{ accessToken: string }> {
let user: User & {
groups: Group[];
};
try {
user = await this.usersService.findByUsername(credentials.username, { includeHashedPassword: true });
} catch (err) {
if (err instanceof NotFoundException) {
throw new UnauthorizedException('Invalid Credentials');
}
throw err;
}
const isCorrectPassword = await this.cryptoService.comparePassword(credentials.password, user.hashedPassword);
if (isCorrectPassword !== true) {
throw new UnauthorizedException('Invalid Credentials');
}

const tokenPayload: Omit<TokenPayload, 'permissions'> = {
additionalPermissions: user.additionalPermissions,
basePermissionLevel: user.basePermissionLevel,
firstName: user.firstName,
groups: user.groups,
lastName: user.lastName,
username: user.username
};

const ability = this.abilityFactory.createForPayload(tokenPayload);

return {
accessToken: await this.jwtService.signAsync(
{
...tokenPayload,
permissions: ability.rules
},
{
expiresIn: '1h'
}
)
};
}
}
Loading
Loading