Merge pull request #62 from GeneralMagicio/add_cors_allow_list

feat: implement authentication flow

Author: Meriem-BM

.env.example

@@ -1,3 +1,4 @@
 DATABASE_URL=
 WHITELISTED_ORIGINS=
-TUNNEL_DOMAINS=
+TUNNEL_DOMAINS=
+JWT_SECRET=

package.json

@@ -34,6 +34,7 @@
     "class-validator": "^0.14.1",
     "cookie-parser": "^1.4.7",
     "crypto": "^1.0.1",
+    "jsonwebtoken": "^9.0.2",
     "react": "^19.1.0",
     "reflect-metadata": "^0.2.2",
     "rxjs": "^7.8.1",

src/app.controller.ts

@@ -1,10 +1,12 @@
 import { Controller, Get } from '@nestjs/common';
 import { AppService } from './app.service';
+import { Public } from './auth/jwt-auth.guard';
 
 @Controller()
 export class AppController {
   constructor(private readonly appService: AppService) {}
 
+  @Public()
   @Get()
   getHello(): string {
     return this.appService.getHello();

src/auth/auth.controller.ts

@@ -1,25 +1,11 @@
-import {
-  BadRequestException,
-  Body,
-  Controller,
-  Get,
-  Post,
-  Req,
-  Res,
-} from '@nestjs/common';
-import { MiniAppWalletAuthSuccessPayload } from '@worldcoin/minikit-js';
+import { Body, Controller, Get, Post, Req, Res } from '@nestjs/common';
 import { Request, Response } from 'express';
 import { AuthService } from './auth.service';
-
-interface IRequestPayload {
-  payload: MiniAppWalletAuthSuccessPayload;
-}
-
-type RequestWithCookies = Request & {
-  cookies: {
-    siwe?: string;
-  };
-};
+import { JwtService } from './jwt.service';
+import { Public } from './jwt-auth.guard';
+import { VerifyWorldIdDto } from './auth.dto';
+import { SignatureVerificationFailureException } from 'src/common/exceptions';
+import { BadRequestException } from '@nestjs/common';
 
 function isHttps(req: Request) {
   return (
@@ -29,8 +15,12 @@ function isHttps(req: Request) {
 
 @Controller('auth')
 export class AuthController {
-  constructor(private readonly authService: AuthService) {}
+  constructor(
+    private readonly authService: AuthService,
+    private readonly jwtService: JwtService,
+  ) {}
 
+  @Public()
   @Get('nonce')
   generateNonce(@Req() req: Request, @Res() res: Response) {
     const nonce = this.authService.generateNonce();
@@ -41,20 +31,45 @@ export class AuthController {
       maxAge: 2 * 60 * 1000, //2 minutes
     });
 
-    return { nonce };
+    return res.json({ nonce });
   }
 
-  @Post('verifyPayload')
-  async verifyPayload(
-    @Req() req: RequestWithCookies,
-    @Body() body: IRequestPayload,
+  @Public()
+  @Post('verifyWorldId')
+  async verifyWorldId(
+    @Req() _req: Request,
+    @Body() body: VerifyWorldIdDto,
+    @Res() res: Response,
   ) {
-    const { payload } = body;
-    const storedNonce = req.cookies.siwe;
-    if (!storedNonce) {
-      throw new BadRequestException('No nonce found in cookies');
+    const { walletPayload, worldIdProof, nonce } = body;
+
+    try {
+      const isValid = await this.authService.verifyPayload(
+        walletPayload,
+        nonce,
+      );
+
+      if (!isValid) {
+        throw new SignatureVerificationFailureException();
+      }
+
+      const worldID = worldIdProof?.nullifier_hash;
+      const walletAddress = walletPayload?.address;
+
+      const user = await this.authService.createUser(worldID, '');
+
+      const token = this.jwtService.sign({
+        userId: user.id,
+        worldID,
+        address: walletAddress,
+      });
+
+      return res.status(200).json({ isValid: true, token });
+    } catch (error) {
+      console.error(error);
+      throw new BadRequestException(
+        error instanceof Error ? error.message : 'Unknown error',
+      );
     }
-    const isValid = await this.authService.verifyPayload(payload, storedNonce);
-    return { isValid };
   }
 }

src/auth/auth.dto.ts

@@ -0,0 +1,22 @@
+import { IsNotEmpty, IsString, ValidateNested } from 'class-validator';
+import {
+  MiniAppWalletAuthSuccessPayload,
+  ISuccessResult,
+} from '@worldcoin/minikit-js';
+import { Type } from 'class-transformer';
+
+export class VerifyWorldIdDto {
+  @IsNotEmpty()
+  @ValidateNested()
+  @Type(() => Object)
+  walletPayload: MiniAppWalletAuthSuccessPayload;
+
+  @IsNotEmpty()
+  @ValidateNested()
+  @Type(() => Object)
+  worldIdProof: ISuccessResult;
+
+  @IsNotEmpty()
+  @IsString()
+  nonce: string;
+}

src/auth/auth.module.ts

@@ -1,9 +1,11 @@
 import { Module } from '@nestjs/common';
 import { AuthController } from './auth.controller';
+import { JwtService } from './jwt.service';
 import { AuthService } from './auth.service';
 
 @Module({
   controllers: [AuthController],
-  providers: [AuthService],
+  providers: [AuthService, JwtService],
+  exports: [AuthService],
 })
 export class AuthModule {}

src/auth/auth.service.ts

@@ -3,8 +3,15 @@ import * as crypto from 'crypto';
 import {
   MiniAppWalletAuthSuccessPayload,
   verifySiweMessage,
+  SiweMessage,
 } from '@worldcoin/minikit-js';
 import { DatabaseService } from 'src/database/database.service';
+import { CreateUserException } from 'src/common/exceptions';
+
+interface IValidMessage {
+  isValid: boolean;
+  siweMessageData: SiweMessage;
+}
 
 @Injectable()
 export class AuthService {
@@ -18,7 +25,22 @@ export class AuthService {
   }
 
   async verifyPayload(payload: MiniAppWalletAuthSuccessPayload, nonce: string) {
-    const validMessage = await verifySiweMessage(payload, nonce);
+    const validMessage = (await verifySiweMessage(
+      payload,
+      nonce,
+    )) as IValidMessage;
     return validMessage.isValid;
   }
+
+  async createUser(worldID: string, name: string) {
+    const user = await this.databaseService.user.upsert({
+      where: { worldID },
+      update: { name },
+      create: { worldID, name },
+    });
+
+    if (!user) throw new CreateUserException();
+
+    return user;
+  }
 }

src/auth/jwt-auth.guard.ts

@@ -0,0 +1,54 @@
+import {
+  CanActivate,
+  ExecutionContext,
+  Injectable,
+  UnauthorizedException,
+} from '@nestjs/common';
+import { Request } from 'express';
+import { Reflector } from '@nestjs/core';
+import { SetMetadata } from '@nestjs/common';
+import { JwtService } from './jwt.service';
+
+const IS_PUBLIC_KEY = 'isPublic';
+export const Public = () => SetMetadata(IS_PUBLIC_KEY, true);
+
+export interface JwtPayload {
+  userId: number;
+  worldID: string;
+  address: string;
+}
+
+@Injectable()
+export class JwtAuthGuard implements CanActivate {
+  constructor(
+    private reflector: Reflector,
+    private readonly jwtService: JwtService,
+  ) {}
+
+  canActivate(context: ExecutionContext): boolean {
+    const isPublic = this.reflector.getAllAndOverride<boolean>(IS_PUBLIC_KEY, [
+      context.getHandler(),
+      context.getClass(),
+    ]);
+    if (isPublic) {
+      return true;
+    }
+
+    const request = context.switchToHttp().getRequest<Request>();
+    const authHeader = request.headers.authorization;
+    if (!authHeader?.startsWith('Bearer ')) {
+      throw new UnauthorizedException('Missing or invalid token');
+    }
+
+    const token = authHeader.replace('Bearer ', '');
+
+    try {
+      const payload: JwtPayload = this.jwtService.verify(token);
+      request.user = payload;
+      return true;
+    } catch (err) {
+      console.error(err);
+      throw new UnauthorizedException('Invalid or expired token');
+    }
+  }
+}

src/auth/jwt.service.ts

@@ -0,0 +1,30 @@
+import { Injectable } from '@nestjs/common';
+import jwt, { JwtPayload } from 'jsonwebtoken';
+import { JwtVerificationFailureException } from 'src/common/exceptions';
+
+@Injectable()
+export class JwtService {
+  private readonly secret =
+    process.env.JWT_SECRET ||
+    (function () {
+      throw new Error('JWT_SECRET environment variable must be set');
+    })();
+  private readonly expiresIn = '7d';
+
+  sign(payload: object): string {
+    return jwt.sign(payload, this.secret, { expiresIn: this.expiresIn });
+  }
+
+  verify(token: string): JwtPayload | string {
+    try {
+      return jwt.verify(token, this.secret);
+    } catch (error) {
+      console.error(error);
+      throw new JwtVerificationFailureException();
+    }
+  }
+
+  decode(token: string): null | { [key: string]: any } | string {
+    return jwt.decode(token);
+  }
+}

src/auth/user.docerator.ts

@@ -0,0 +1,10 @@
+import { createParamDecorator, ExecutionContext } from '@nestjs/common';
+import { JwtPayload } from './jwt-auth.guard';
+import { Request } from 'express';
+
+export const User = createParamDecorator(
+  (field: keyof JwtPayload, ctx: ExecutionContext) => {
+    const request = ctx.switchToHttp().getRequest<Request>();
+    return field ? request.user?.[field] : request.user;
+  },
+);