hotfix(auth): some edits

* feat(auth): implement token exchange endpoint and related functionality

* feat(category): getCategories endpoint

* fix(user): return it back

* fix(db): return it back

Author: MarioRaafat

src/auth/auth.controller.ts

@@ -30,6 +30,7 @@ import { VerifyUpdateEmailDto } from './dto/verify-update-email.dto';
 import { MobileGoogleAuthDto } from './dto/mobile-google-auth.dto';
 import { MobileGitHubAuthDto } from './dto/mobile-github-auth.dto';
 import { ForgetPasswordDto } from './dto/forget-password.dto';
+import { ExchangeTokenDto } from './dto/exchange-token.dto';
 import {
     ApiBearerAuth,
     ApiBody,
@@ -63,6 +64,7 @@ import {
     change_password_swagger,
     check_identifier_swagger,
     confirm_password_swagger,
+    exchange_token_swagger,
     facebook_callback_swagger,
     facebook_oauth_swagger,
     forget_password_swagger,
@@ -281,6 +283,38 @@ export class AuthController {
         return { access_token };
     }
 
+    @ApiOperation(exchange_token_swagger.operation)
+    @ApiBody({ type: ExchangeTokenDto })
+    @ApiOkResponse(exchange_token_swagger.responses.completion_success)
+    @ApiUnauthorizedErrorResponse(ERROR_MESSAGES.INVALID_OR_EXPIRED_TOKEN)
+    @ResponseMessage(SUCCESS_MESSAGES.TOKEN_EXCHANGE_SUCCESS)
+    @Post('exchange-token')
+    async exchangeToken(@Body() body: ExchangeTokenDto, @Res() res: Response) {
+        const { exchange_token } = body;
+        const payload = await this.auth_service.validateExchangeToken(exchange_token);
+
+        if (payload.type === 'auth') {
+            if (!payload.user_id) {
+                throw new BadRequestException(ERROR_MESSAGES.INVALID_OR_EXPIRED_TOKEN);
+            }
+
+            const { access_token, refresh_token } = await this.auth_service.generateTokens(
+                payload.user_id
+            );
+            this.httpOnlyRefreshToken(res, refresh_token);
+
+            return res.json({
+                type: 'auth',
+                access_token,
+            });
+        } else {
+            return res.json({
+                type: 'completion',
+                session_token: payload.session_token,
+            });
+        }
+    }
+
     @ApiOperation(captcha_swagger.operation)
     @ApiResponse(captcha_swagger.responses.success)
     @ResponseMessage('ReCAPTCHA site key retrieved successfully')
@@ -403,8 +437,13 @@ export class AuthController {
             // if the user doesn't have a record for that email in DB, we will need to redirect the user to complete his data
             if (req.user?.needs_completion) {
                 const session_token = await this.auth_service.createOAuthSession(req.user.user);
+                const exchange_token = await this.auth_service.createExchangeToken({
+                    session_token,
+                    type: 'completion',
+                });
+
                 return res.redirect(
-                    `${process.env.FRONTEND_URL || 'http://localhost:3001'}/auth/oauth-complete?session=${encodeURIComponent(session_token)}&provider=google`
+                    `${process.env.FRONTEND_URL || 'http://localhost:3001'}/auth/oauth-complete?exchange_token=${encodeURIComponent(exchange_token)}&provider=google`
                 );
             }
 
@@ -417,15 +456,14 @@ export class AuthController {
             }
 
             // Normal OAuth flow for existing users
-            const { access_token, refresh_token } = await this.auth_service.generateTokens(
-                req.user.id
-            );
-
-            // Set refresh token in HTTP-only cookie
-            this.httpOnlyRefreshToken(res, refresh_token);
-
-            // Redirect to frontend with access token
-            const frontend_url = `${process.env.FRONTEND_URL || 'http://localhost:3001'}/auth/success?token=${encodeURIComponent(access_token)}`;
+            // Create secure exchange token with user_id (tokens will be generated on exchange)
+            const exchange_token = await this.auth_service.createExchangeToken({
+                user_id: req.user.id,
+                type: 'auth',
+            });
+
+            // Redirect to frontend with exchange token
+            const frontend_url = `${process.env.FRONTEND_URL || 'http://localhost:3001'}/auth/success?exchange_token=${encodeURIComponent(exchange_token)}&provider=google`;
             return res.redirect(frontend_url);
         } catch (error) {
             console.log('Google callback error:', error);
@@ -456,8 +494,13 @@ export class AuthController {
             // if the user doesn't have a record for that email in DB, we will need to redirect the user to complete his data
             if (req.user?.needs_completion) {
                 const session_token = await this.auth_service.createOAuthSession(req.user.user);
+                const exchange_token = await this.auth_service.createExchangeToken({
+                    session_token,
+                    type: 'completion',
+                });
+
                 return res.redirect(
-                    `${process.env.FRONTEND_URL || 'http://localhost:3001'}/auth/oauth-complete?session=${encodeURIComponent(session_token)}&provider=facebook`
+                    `${process.env.FRONTEND_URL || 'http://localhost:3001'}/auth/oauth-complete?exchange_token=${encodeURIComponent(exchange_token)}&provider=facebook`
                 );
             }
 
@@ -470,15 +513,13 @@ export class AuthController {
             }
 
             // Normal OAuth flow for existing users
-            const { access_token, refresh_token } = await this.auth_service.generateTokens(
-                req.user.id
-            );
+            const exchange_token = await this.auth_service.createExchangeToken({
+                user_id: req.user.id,
+                type: 'auth',
+            });
 
-            // Set refresh token in HTTP-only cookie
-            this.httpOnlyRefreshToken(res, refresh_token);
-
-            // Redirect to frontend with access token
-            const frontend_url = `${process.env.FRONTEND_URL || 'http://localhost:3001'}/auth/success?token=${encodeURIComponent(access_token)}`;
+            // Redirect to frontend with exchange token
+            const frontend_url = `${process.env.FRONTEND_URL || 'http://localhost:3001'}/auth/success?exchange_token=${encodeURIComponent(exchange_token)}&provider=facebook`;
             return res.redirect(frontend_url);
         } catch (error) {
             console.log('Facebook callback error:', error);
@@ -549,8 +590,13 @@ export class AuthController {
             // if the user doesn't have a record for that email in DB, we will need to redirect the user to complete his data
             if (req.user?.needs_completion) {
                 const session_token = await this.auth_service.createOAuthSession(req.user.user);
+                const exchange_token = await this.auth_service.createExchangeToken({
+                    session_token,
+                    type: 'completion',
+                });
+
                 return res.redirect(
-                    `${process.env.FRONTEND_URL || 'http://localhost:3001'}/auth/oauth-complete?session=${encodeURIComponent(session_token)}&provider=github`
+                    `${process.env.FRONTEND_URL || 'http://localhost:3001'}/auth/oauth-complete?exchange_token=${encodeURIComponent(exchange_token)}&provider=github`
                 );
             }
 
@@ -563,15 +609,13 @@ export class AuthController {
             }
 
             // Normal OAuth flow for existing users
-            const { access_token, refresh_token } = await this.auth_service.generateTokens(
-                req.user.id
-            );
-
-            // Set refresh token in HTTP-only cookie
-            this.httpOnlyRefreshToken(res, refresh_token);
+            const exchange_token = await this.auth_service.createExchangeToken({
+                user_id: req.user.id,
+                type: 'auth',
+            });
 
-            // Redirect to frontend with access token
-            const frontend_url = `${process.env.FRONTEND_URL || 'http://localhost:3001'}/auth/success?token=${encodeURIComponent(access_token)}`;
+            // Redirect to frontend with exchange token
+            const frontend_url = `${process.env.FRONTEND_URL || 'http://localhost:3001'}/auth/success?exchange_token=${encodeURIComponent(exchange_token)}&provider=github`;
             return res.redirect(frontend_url);
         } catch (error) {
             console.log('Github callback error:', error);

src/auth/auth.service.ts

@@ -31,6 +31,8 @@ import { ConfigService } from '@nestjs/config';
 import { instanceToPlain } from 'class-transformer';
 import { ERROR_MESSAGES } from 'src/constants/swagger-messages';
 import {
+    OAUTH_EXCHANGE_TOKEN_KEY,
+    OAUTH_EXCHANGE_TOKEN_OBJECT,
     OAUTH_SESSION_KEY,
     OAUTH_SESSION_OBJECT,
     OTP_KEY,
@@ -1022,6 +1024,53 @@ export class AuthService {
         };
     }
 
+    async createExchangeToken(payload: {
+        user_id?: string;
+        session_token?: string;
+        type: 'auth' | 'completion';
+    }): Promise<string> {
+        const token_id = crypto.randomUUID();
+        const exchange_token = this.jwt_service.sign(
+            { token_id, type: payload.type },
+            {
+                secret:
+                    process.env.OAUTH_EXCHANGE_TOKEN_SECRET ?? 'fallback-exchange-secret-change-me',
+                expiresIn: '5m',
+            }
+        );
+
+        const redis_object = OAUTH_EXCHANGE_TOKEN_OBJECT(token_id, payload);
+        await this.redis_service.set(redis_object.key, redis_object.value, redis_object.ttl);
+
+        return exchange_token;
+    }
+
+    async validateExchangeToken(exchange_token: string): Promise<{
+        user_id?: string;
+        session_token?: string;
+        type: 'auth' | 'completion';
+    }> {
+        try {
+            const decoded = this.jwt_service.verify(exchange_token, {
+                secret:
+                    process.env.OAUTH_EXCHANGE_TOKEN_SECRET ?? 'fallback-exchange-secret-change-me',
+            });
+
+            const { token_id, type } = decoded;
+            const redis_key = OAUTH_EXCHANGE_TOKEN_KEY(token_id);
+            const stored_data = await this.redis_service.get(redis_key);
+
+            if (!stored_data) {
+                throw new UnauthorizedException(ERROR_MESSAGES.INVALID_OR_EXPIRED_TOKEN);
+            }
+
+            await this.redis_service.del(redis_key);
+            const payload = JSON.parse(stored_data);
+            return { ...payload, type };
+        } catch (error) {
+            throw new UnauthorizedException(ERROR_MESSAGES.INVALID_OR_EXPIRED_TOKEN);
+        }
+    }
     async confirmPassword(confirm_password_dto: ConfirmPasswordDto, user_id: string) {
         const user = await this.user_repository.findById(user_id);
 

src/auth/auth.swagger.ts

@@ -1141,6 +1141,79 @@ export const verify_update_email_swagger = {
     },
 };
 
+export const exchange_token_swagger = {
+    operation: {
+        summary: 'Exchange one-time token for credentials',
+        description: `
+**Secure OAuth Token Exchange**
+
+This endpoint exchanges a one-time exchange token (received from OAuth callback redirect) for the actual credentials.
+
+**Security features:**
+- One-time use only - token is deleted after exchange
+- Short-lived (5 minutes)
+- Encrypted and stored in Redis
+- Prevents token exposure in URLs from being exploited
+
+**Use cases:**
+1. **After successful OAuth login**: Exchange token for access_token and refresh_token
+2. **After OAuth requiring completion**: Exchange token for session_token to complete registration
+
+**Flow:**
+1. User authenticates via OAuth (Google/Facebook/GitHub)
+2. Backend creates exchange token and stores only user_id or session_token in Redis (NO actual tokens stored)
+3. User is redirected to frontend with exchange token in URL
+4. Frontend immediately calls this endpoint to exchange token
+5. Backend generates fresh access_token and refresh_token on-the-fly (for auth type)
+6. Exchange token is deleted from Redis (single-use)
+
+**Important:** 
+- The exchange token can only be used once and expires after 5 minutes
+        `,
+    },
+
+    responses: {
+        auth_success: {
+            description: 'Exchange successful - credentials returned (type: auth)',
+            schema: {
+                example: {
+                    data: {
+                        type: 'auth',
+                        access_token:
+                            'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpZCI6ImQxMDJkYWRjLTBiMTctNGU4My04MTJiLTAwMTAzYjYwNmExZiIsImlhdCI6MTc1ODE0Nzg2OSwiZXhwIjoxNzU4MTUxNDY5fQ.DV3oA5Fn-cj-KHrGcafGaoWGyvYFx4N50L9Ke4_n6OU',
+                    },
+                    count: 1,
+                    message: SUCCESS_MESSAGES.TOKEN_EXCHANGE_SUCCESS,
+                },
+            },
+            headers: {
+                'Set-Cookie': {
+                    description: 'HttpOnly cookie containing refresh token (only for auth type)',
+                    schema: {
+                        type: 'string',
+                        example:
+                            'refresh_token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...; HttpOnly; Secure; SameSite=Strict',
+                    },
+                },
+            },
+        },
+        completion_success: {
+            description: 'Exchange successful - session token returned (type: completion)',
+            schema: {
+                example: {
+                    data: {
+                        type: 'completion',
+                        session_token: 'a1b2c3d4-e5f6-7890-abcd-ef1234567890',
+                        provider: 'google',
+                    },
+                    count: 1,
+                    message: SUCCESS_MESSAGES.TOKEN_EXCHANGE_SUCCESS,
+                },
+            },
+        },
+    },
+};
+
 export const confirm_password_swagger = {
     operation: {
         summary: 'Confirm password',

src/auth/dto/exchange-token.dto.ts

@@ -0,0 +1,14 @@
+import { ApiProperty } from '@nestjs/swagger';
+import { IsNotEmpty, IsString, MaxLength } from 'class-validator';
+import { LARGE_MAX_LENGTH } from 'src/constants/variables';
+
+export class ExchangeTokenDto {
+    @ApiProperty({
+        description: 'One-time exchange token received from OAuth callback redirect',
+        example: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...',
+    })
+    @IsString()
+    @IsNotEmpty()
+    @MaxLength(LARGE_MAX_LENGTH)
+    exchange_token: string;
+}

src/category/category.controller.ts

@@ -1,7 +1,23 @@
-import { Controller } from '@nestjs/common';
+import { Controller, Get } from '@nestjs/common';
+import { ApiOkResponse, ApiOperation, ApiTags } from '@nestjs/swagger';
 import { CategoryService } from './category.service';
+import { Category } from './entities';
+import { get_categories_swagger } from './category.swagger';
+import { ResponseMessage } from '../decorators/response-message.decorator';
+import { ERROR_MESSAGES, SUCCESS_MESSAGES } from '../constants/swagger-messages';
+import { ApiInternalServerError } from '../decorators/swagger-error-responses.decorator';
 
+@ApiTags('Category')
 @Controller('category')
 export class CategoryController {
     constructor(private readonly categoryService: CategoryService) {}
+
+    @ApiOperation(get_categories_swagger.operation)
+    @ApiOkResponse(get_categories_swagger.responses.success)
+    @ApiInternalServerError(ERROR_MESSAGES.FAILED_TO_FETCH_FROM_DB)
+    @ResponseMessage(SUCCESS_MESSAGES.CATEGORIES_RETRIEVED)
+    @Get()
+    async getCategories(): Promise<string[]> {
+        return await this.categoryService.getCategories();
+    }
 }

src/category/category.service.ts

@@ -1,4 +1,22 @@
-import { Injectable } from '@nestjs/common';
+import { Injectable, InternalServerErrorException } from '@nestjs/common';
+import { InjectRepository } from '@nestjs/typeorm';
+import { Repository } from 'typeorm';
+import { Category } from './entities';
+import { ERROR_MESSAGES } from '../constants/swagger-messages';
 
 @Injectable()
-export class CategoryService {}
+export class CategoryService {
+    constructor(
+        @InjectRepository(Category)
+        private readonly categoryRepository: Repository<Category>
+    ) {}
+
+    async getCategories(): Promise<string[]> {
+        try {
+            const categories = await this.categoryRepository.find();
+            return categories.map((category) => category.name);
+        } catch (error) {
+            throw new InternalServerErrorException(ERROR_MESSAGES.FAILED_TO_FETCH_FROM_DB);
+        }
+    }
+}