KeyValueSoftwareSystems · bharathkeyvalue · Dec 11, 2024 · Dec 11, 2024 · Dec 11, 2024 · Dec 11, 2024
diff --git a/README.md b/README.md
@@ -55,14 +55,17 @@ Developers can customise this as per their requirement.
 -   Clone the repo and execute command `npm install`
 -   Create a copy of the env.sample file and rename it as .env
 -   Install postgres and redis
+-   Create a restricted tenant user that cannot bypass RLS policies
 -   Provide postgres, redis secrets and default user details in .env file as mentioned below
 
 | Database configuration(Required) |  |
 |--|--|
 |POSTGRES_HOST  | localhost |
 |POSTGRES_PORT  |  5432|
-|POSTGRES_USER  | postgres |
-|POSTGRES_PASSWORD  | postgres |
+|POSTGRES_ADMIN_USER  | postgres |
+|POSTGRES_ADMIN_PASSWORD  | postgres |
+|POSTGRES_TENANT_USER  | tenant |
+|POSTGRES_TENANT_PASSWORD  | tenant |
 |POSTGRES_DB  | auth_service |
 
 &nbsp;

diff --git a/env.sample b/env.sample
@@ -1,8 +1,13 @@
+# Superuser for migrations
+POSTGRES_ADMIN_USER=postgres
+POSTGRES_ADMIN_PASSWORD=postgres
+# Minimal user with restricted access
+POSTGRES_TENANT_USER=tenant
+POSTGRES_TENANT_PASSWORD=tenant
 POSTGRES_HOST=localhost
 POSTGRES_PORT=5432
-POSTGRES_USER=postgres
-POSTGRES_PASSWORD=postgres
 POSTGRES_DB=authentication-service
+POSTGRES_TENANT_MAX_CONNECTION_LIMIT=10
 REDIS_HOST=localhost
 REDIS_PORT=6379
 REDIS_CACHE_TTL=3600
@@ -32,3 +37,4 @@ MIN_RECAPTCHA_SCORE=.5
 RECAPTCHA_VERIFY_URL=https://www.google.com/recaptcha/api/siteverify
 DEFAULT_ADMIN_PASSWORD=adminpassword
 INVITATION_TOKEN_EXPTIME = 7d
+AUTH_KEY=
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -65,6 +65,7 @@
     "twilio": "^3.67.1",
     "typeorm": "^0.3.11",
     "typeorm-naming-strategies": "^2.0.0",
+    "uuid": "^8.3.2",
     "winston": "^3.3.3"
   },
   "devDependencies": {
@@ -86,6 +87,7 @@
     "@types/speakeasy": "^2.0.6",
     "@types/supertest": "^2.0.10",
     "@types/totp-generator": "0.0.2",
+    "@types/uuid": "^10.0.0",
     "@typescript-eslint/eslint-plugin": "^4.19.0",
     "@typescript-eslint/parser": "^4.19.0",
     "eslint": "^7.22.0",

diff --git a/src/app.module.ts b/src/app.module.ts
@@ -1,4 +1,4 @@
-import { Module } from '@nestjs/common';
+import { MiddlewareConsumer, Module } from '@nestjs/common';
 import * as Joi from '@hapi/joi';
 import { ConfigModule } from '@nestjs/config';
 
@@ -7,15 +7,18 @@ import { AppGraphQLModule } from './graphql/graphql.module';
 import { UserAuthModule } from './authentication/authentication.module';
 import { AuthorizationModule } from './authorization/authorization.module';
 import { HealthModule } from './health/health.module';
+import { ExecutionContextBinder } from './middleware/executionContext.middleware';
 
 @Module({
   imports: [
     ConfigModule.forRoot({
       validationSchema: Joi.object({
         POSTGRES_HOST: Joi.string().required(),
         POSTGRES_PORT: Joi.number().required(),
-        POSTGRES_USER: Joi.string().required(),
-        POSTGRES_PASSWORD: Joi.string().required(),
+        POSTGRES_ADMIN_USER: Joi.string().required(),
+        POSTGRES_ADMIN_PASSWORD: Joi.string().required(),
+        POSTGRES_TENANT_USER: Joi.string().required(),
+        POSTGRES_TENANT_PASSWORD: Joi.string().required(),
         POSTGRES_DB: Joi.string().required(),
         PORT: Joi.number(),
         JWT_SECRET: Joi.string().required().min(10),
@@ -30,4 +33,8 @@ import { HealthModule } from './health/health.module';
   controllers: [],
   providers: [],
 })
-export class AppModule {}
+export class AppModule {
+  configure(consumer: MiddlewareConsumer) {
+    consumer.apply(ExecutionContextBinder).forRoutes('*');
+  }
+}
diff --git a/src/authentication/authKey.guard.ts b/src/authentication/authKey.guard.ts
@@ -0,0 +1,20 @@
+import { Injectable, CanActivate, ExecutionContext } from '@nestjs/common';
+import { ConfigService } from '@nestjs/config';
+import { GqlExecutionContext } from '@nestjs/graphql';
+
+@Injectable()
+export class AuthKeyGuard implements CanActivate {
+  constructor(private configService: ConfigService) {}
+
+  canActivate(context: ExecutionContext): boolean {
+    const ctx = GqlExecutionContext.create(context).getContext();
+    if (ctx) {
+      const authKeyInHeader = ctx.headers['x-api-key'];
+      if (authKeyInHeader) {
+        const secretKey = this.configService.get('AUTH_KEY') as string;
+        return secretKey === authKeyInHeader;
+      }
+    }
+    return false;
+  }
+}
diff --git a/src/authentication/authentication.helper.ts b/src/authentication/authentication.helper.ts
@@ -13,9 +13,9 @@ export class AuthenticationHelper {
       this.configService.get('JWT_TOKEN_EXPTIME') * 1 || 60 * 60;
     const secret = this.configService.get('JWT_SECRET') as string;
     const username = userDetails.email || userDetails.phone;
-
     const dataStoredInToken = {
       username: username,
+      tenantId: userDetails.tenantId,
       sub: userDetails.id,
       env: this.configService.get('ENV') || 'local',
     };

diff --git a/src/authentication/authentication.module.ts b/src/authentication/authentication.module.ts
@@ -77,5 +77,6 @@ const providers: Provider[] = [
   ],
   providers,
   controllers: [GoogleAuthController],
+  exports: [AuthenticationHelper],
 })
 export class UserAuthModule {}
diff --git a/src/authentication/service/password.auth.service.ts b/src/authentication/service/password.auth.service.ts
@@ -25,6 +25,7 @@ import {
 } from '../exception/userauth.exception';
 import { Authenticatable } from '../interfaces/authenticatable';
 import { TokenService } from './token.service';
+import { getConnection } from '../../util/database.connection';
 
 @Injectable()
 export default class PasswordAuthService implements Authenticatable {
@@ -86,31 +87,34 @@ export default class PasswordAuthService implements Authenticatable {
     userFromInput.lastName = userDetails.lastName;
     userFromInput.status = Status.INVITED;
     let invitationToken: { token: any; tokenExpiryTime?: any };
-    const transaction = await this.dataSource.manager.transaction(async () => {
-      const savedUser = await this.userService.createUser(userFromInput);
-      invitationToken = this.authenticationHelper.generateInvitationToken(
-        { id: savedUser.id },
-        this.configService.get('INVITATION_TOKEN_EXPTIME'),
-      );
-      await this.userService.updateField(
-        savedUser.id,
-        'inviteToken',
-        invitationToken.token,
-      );
-      const user = await this.userService.getUserById(savedUser.id);
-      const userResponse = {
-        id: user.id,
-        firstName: user.firstName,
-        lastName: user.lastName,
-        inviteToken: user?.inviteToken,
-        status: user.status,
-      };
-      return {
-        inviteToken: invitationToken.token,
-        tokenExpiryTime: invitationToken.tokenExpiryTime,
-        user: userResponse,
-      };
-    });
+    const transaction = await (await getConnection()).manager.transaction(
+      async () => {
+        const savedUser = await this.userService.createUser(userFromInput);
+        invitationToken = this.authenticationHelper.generateInvitationToken(
+          { id: savedUser.id },
+          this.configService.get('INVITATION_TOKEN_EXPTIME'),
+        );
+        await this.userService.updateField(
+          savedUser.id,
+          'inviteToken',
+          invitationToken.token,
+        );
+        const user = await this.userService.getUserById(savedUser.id);
+        const userResponse = {
+          id: user.id,
+          firstName: user.firstName,
+          lastName: user.lastName,
+          inviteToken: user?.inviteToken,
+          status: user.status,
+          tenantId: user.tenantId,
+        };
+        return {
+          inviteToken: invitationToken.token,
+          tokenExpiryTime: invitationToken.tokenExpiryTime,
+          user: userResponse,
+        };
+      },
+    );
     return transaction;
   }
 

diff --git a/src/authorization/authorization.module.ts b/src/authorization/authorization.module.ts
@@ -51,6 +51,7 @@ import { UserService } from './service/user.service';
 import { UserServiceInterface } from './service/user.service.interface';
 import { UserCacheService } from './service/usercache.service';
 import { UserCacheServiceInterface } from './service/usercache.service.interface';
+import { TenantModule } from '../tenant/tenant.module';
 
 @Module({
   imports: [
@@ -67,6 +68,7 @@ import { UserCacheServiceInterface } from './service/usercache.service.interface
       GroupRole,
       RolePermission,
     ]),
+    TenantModule,
     RedisCacheModule,
   ],
   providers: [

diff --git a/src/authorization/entity/abstract.tenant.entity.ts b/src/authorization/entity/abstract.tenant.entity.ts
@@ -0,0 +1,12 @@
+import { Column } from 'typeorm';
+import BaseEntity from './base.entity';
+
+class AbstractTenantEntity extends BaseEntity {
+  @Column({
+    type: 'uuid',
+    default: () => "current_setting('app.tenant_id')::uuid",
+  })
+  public tenantId!: string;
+}
+
+export default AbstractTenantEntity;
diff --git a/src/authorization/entity/entity.entity.ts b/src/authorization/entity/entity.entity.ts
@@ -1,9 +1,9 @@
 import { Column, Entity, Index, PrimaryGeneratedColumn } from 'typeorm';
-import BaseEntity from './base.entity';
+import AbstractTenantEntity from './abstract.tenant.entity';
 
 @Entity()
 @Index('entity_name_unique_idx', { synchronize: false })
-class EntityModel extends BaseEntity {
+class EntityModel extends AbstractTenantEntity {
   @PrimaryGeneratedColumn('uuid')
   public id!: string;
 

diff --git a/src/authorization/entity/entityPermission.entity.ts b/src/authorization/entity/entityPermission.entity.ts
@@ -1,8 +1,8 @@
 import { Entity, PrimaryColumn } from 'typeorm';
-import BaseEntity from './base.entity';
+import AbstractTenantEntity from './abstract.tenant.entity';
 
 @Entity()
-class EntityPermission extends BaseEntity {
+class EntityPermission extends AbstractTenantEntity {
   @PrimaryColumn({ type: 'uuid' })
   public permissionId!: string;
 

diff --git a/src/authorization/entity/group.entity.ts b/src/authorization/entity/group.entity.ts
@@ -1,9 +1,9 @@
 import { Column, Entity, Index, PrimaryGeneratedColumn } from 'typeorm';
-import BaseEntity from './base.entity';
+import AbstractTenantEntity from './abstract.tenant.entity';
 
 @Entity()
 @Index('group_name_unique_idx', { synchronize: false })
-class Group extends BaseEntity {
+class Group extends AbstractTenantEntity {
   @PrimaryGeneratedColumn('uuid')
   public id!: string;
 

diff --git a/src/authorization/entity/groupPermission.entity.ts b/src/authorization/entity/groupPermission.entity.ts
@@ -1,8 +1,8 @@
 import { Entity, PrimaryColumn } from 'typeorm';
-import BaseEntity from './base.entity';
+import AbstractTenantEntity from './abstract.tenant.entity';
 
 @Entity()
-class GroupPermission extends BaseEntity {
+class GroupPermission extends AbstractTenantEntity {
   @PrimaryColumn({ type: 'uuid' })
   public permissionId!: string;
 

diff --git a/src/authorization/entity/groupRole.entity.ts b/src/authorization/entity/groupRole.entity.ts
@@ -1,8 +1,8 @@
 import { Entity, PrimaryColumn } from 'typeorm';
-import BaseEntity from './base.entity';
+import AbstractTenantEntity from './abstract.tenant.entity';
 
 @Entity()
-class GroupRole extends BaseEntity {
+class GroupRole extends AbstractTenantEntity {
   @PrimaryColumn({ type: 'uuid' })
   public roleId!: string;
 

diff --git a/src/authorization/entity/role.entity.ts b/src/authorization/entity/role.entity.ts
@@ -1,9 +1,9 @@
 import { Column, Entity, Index, PrimaryGeneratedColumn } from 'typeorm';
-import BaseEntity from './base.entity';
+import AbstractTenantEntity from './abstract.tenant.entity';
 
 @Entity()
 @Index('role_name_unique_idx', { synchronize: false })
-class Role extends BaseEntity {
+class Role extends AbstractTenantEntity {
   @PrimaryGeneratedColumn('uuid')
   public id!: string;