Feat/field permission: 접근할 수 있는 필드를 권한에 따라 조정 (#15)

* feat: graphql context에서 user 정보 받도록

* feat: graphql 에서 유저가 선택한 필드 읽을 수 있는 권한을 검증

* chore: prisma-nestjs-graphql 의존성 삭제 -> 직접 작성하는 방식으로 변경

- custom decorator를 사용하기 위함

* chore: change to enum

* feat: user, post 의 graphql용 response dto를 설정

* fix: fix typo

* Update README.md

* Feat/guard (#9)

* feat: passport 사용한 guard 작업을 위한 라이브러리 설치

- @nestjs/jwt, @nestjs/passport, passport, passport-jwt, passport-local 설치
- @types/passport-jwt, @types/passport-local 설치

* feat: auth module 생성

* feat: bcrypt, class-validator 설치

* feat: auth module에 jwt module 추가 및 user module과 연결

- .example.env에 jwt 관련 환경변수 추가

* feat: LocalAuthGuard 구현

* feat: 로그인 후 반환되는 ObjectType JwtWithUser 구현

* feat: current-user.decorator.ts 구현

- gql 속 현재 user 정보를 가져오는 커스텀 데코레이터 구현

* feat: LocalAuthGuard에 사용되는 authenticate 메서드 구현

* chore: @nestjs/passport 버전 변경

- passport-jwt와의 호환성 문제 해결

* feat: JwtAuthGuard 구현

* feat: AuthModule에 AuthGuard들 추가

* feat: RS256에서 HS256으로 변경

* chore: AuthModule에 Strategy들 추가

* feat: signIn, signUp 구현

* chore: 400에러를 401에러로 구체화

* chore: @nestjs/passport 버전 복구

- ^10.0.3으로 다운그레이드 -> ^11.0.5로 복구

* chore: JwtStrategy 타입 이슈 해결

---------

Co-authored-by: Younha Lee <younha0088@gmail.com>

Author: Ho-s

package.json

@@ -71,7 +71,6 @@
     "globals": "^16.0.0",
     "jest": "^29.7.0",
     "prettier": "^3.4.2",
-    "prisma-nestjs-graphql": "^21.1.1",
     "serverless-dotenv-plugin": "^6.0.0",
     "source-map-support": "^0.5.21",
     "supertest": "^7.0.0",

src/app.module.ts

@@ -6,6 +6,8 @@ import { UserModule } from './user/user.module';
 import { ConfigModule, ConfigService } from '@nestjs/config';
 import { AuthModule } from './auth/auth.module';
 import { errorFormatter } from './common/exception/exception.format';
+import { graphQLContext } from './common/config/graphql.context';
+import { FieldAccessModule } from './common/field-access/field-access.module';
 
 @Module({
   imports: [
@@ -21,11 +23,13 @@ import { errorFormatter } from './common/exception/exception.format';
           graphiql: true,
           autoSchemaFile: (isDev ? `./src/` : '/tmp/') + SCHEMA_FILE_NAME,
           errorFormatter,
+          context: graphQLContext,
         };
       },
     }),
     UserModule,
     AuthModule,
+    FieldAccessModule,
   ],
   controllers: [],
   providers: [],

src/auth/auth.service.ts

@@ -4,7 +4,7 @@ import { PrismaService } from '../prisma/prisma.service';
 import * as bcrypt from 'bcrypt';
 import { SignInInput, SignUpInput } from './inputs/auth.input';
 import { JwtService } from '@nestjs/jwt';
-import { User } from '../@generated/user/user.model';
+import { User } from '@prisma/client';
 
 @Injectable()
 export class AuthService {

src/auth/entities/auth.entity.ts

@@ -1,5 +1,6 @@
 import { Field, ObjectType } from '@nestjs/graphql';
-import { User } from '../../@generated/user/user.model';
+import { User } from '@prisma/client';
+import { UserObject } from 'src/user/dto/user.object';
 
 @ObjectType()
 export class JwtWithUser {
@@ -9,6 +10,6 @@ export class JwtWithUser {
   @Field(() => String)
   refreshToken?: string;
 
-  @Field(() => User)
+  @Field(() => UserObject)
   user: User;
 }

src/common/config/graphql.context.ts

@@ -0,0 +1,25 @@
+import { Role, User } from '@prisma/client';
+import { FastifyReply, FastifyRequest } from 'fastify';
+
+export interface GraphQLContext {
+  req: FastifyRequest;
+  reply: FastifyReply;
+  user?: User;
+}
+
+export const graphQLContext = (
+  req: FastifyRequest,
+  reply: FastifyReply,
+): GraphQLContext => {
+  return {
+    req,
+    reply,
+    /**
+     * @todo
+     * Guard에서 주입받도록
+     */
+    user: {
+      role: Role.USER,
+    } as User,
+  };
+};

src/common/field-access/field-access.decorator.ts

@@ -0,0 +1,11 @@
+import 'reflect-metadata';
+import { User } from '@prisma/client';
+
+export const FIELD_ROLE = Symbol('FIELD_ROLE');
+
+export const FieldAccess = (...roles: User['role'][]): PropertyDecorator => {
+  return (target: object, propertyKey: string | symbol) => {
+    if (!roles.length) roles = ['USER'];
+    Reflect.defineMetadata(FIELD_ROLE, roles, target, propertyKey);
+  };
+};

src/common/field-access/field-access.interceptor.ts

@@ -0,0 +1,116 @@
+import {
+  Injectable,
+  NestInterceptor,
+  ExecutionContext,
+  CallHandler,
+  ForbiddenException,
+} from '@nestjs/common';
+import { GqlExecutionContext, TypeMetadataStorage } from '@nestjs/graphql';
+import { Observable, map } from 'rxjs';
+
+import { Role, User } from '@prisma/client';
+import {
+  FieldNode,
+  getNamedType,
+  GraphQLResolveInfo,
+  GraphQLType,
+  Kind,
+} from 'graphql';
+import { GraphQLContext } from '../config/graphql.context';
+import { FIELD_ROLE } from './field-access.decorator';
+
+@Injectable()
+export class FieldAccessInterceptor<T extends Record<string, unknown>>
+  implements NestInterceptor
+{
+  intercept(context: ExecutionContext, next: CallHandler): Observable<unknown> {
+    const gqlContext = GqlExecutionContext.create(context);
+
+    const { returnType, fieldNodes } = gqlContext.getInfo<GraphQLResolveInfo>();
+
+    const targetClass = this.extractTargetClass(returnType);
+
+    if (!targetClass) return next.handle();
+
+    const { user } = gqlContext.getContext<GraphQLContext>();
+
+    const selectField = this.extractSelectFields<T>([...fieldNodes]);
+
+    return next.handle().pipe(
+      map((data: T | T[]) => {
+        if (Array.isArray(data)) {
+          return data.map((v) =>
+            this.filterField(v, targetClass, selectField, user?.role),
+          );
+        }
+
+        return this.filterField(data, targetClass, selectField, user?.role);
+      }),
+    );
+  }
+
+  private filterField<T extends Record<string, unknown>>(
+    obj: T,
+    targetClass: { prototype: object },
+    selectField: (keyof T)[],
+    userRole?: User['role'],
+  ) {
+    if (!obj || typeof obj !== 'object') return obj;
+
+    return Object.keys(obj)
+      .filter((k) => selectField.includes(k))
+      .reduce((acc, cur: keyof T) => {
+        const requiredRoles = Reflect.getMetadata(
+          FIELD_ROLE,
+          targetClass.prototype,
+          cur as string,
+        ) as User['role'][] | undefined;
+
+        const isPermitted = this.hasAccess(requiredRoles, userRole);
+
+        if (!isPermitted) throw new ForbiddenException();
+
+        acc[cur] = obj[cur];
+
+        return acc;
+      }, {} as T);
+  }
+
+  private hasAccess<T extends User['role']>(
+    requiredRole: T[] | undefined,
+    userRole?: T,
+  ) {
+    if (userRole === Role.ADMIN) return true;
+
+    return requiredRole?.some((role) => role === userRole) ?? true;
+  }
+
+  private extractSelectFields<T>(fieldNodes: FieldNode[]): (keyof T)[] {
+    return fieldNodes.reduce(
+      (acc, { selectionSet }) => {
+        if (!selectionSet) return acc;
+
+        selectionSet.selections.forEach((selection) => {
+          if (selection.kind !== Kind.FIELD) return;
+
+          acc.push(selection.name.value as keyof T);
+        });
+
+        return acc;
+      },
+      [] as (keyof T)[],
+    );
+  }
+
+  private extractTargetClass(returnType: GraphQLType) {
+    const gqlType = getNamedType(returnType);
+
+    const typeName = gqlType.name;
+
+    const typeMetadata = TypeMetadataStorage.getObjectTypesMetadata().find(
+      (metadata) => metadata.name === typeName,
+    );
+
+    return typeMetadata?.target as { prototype: object };
+  }
+}

src/common/field-access/field-access.module.ts

@@ -0,0 +1,13 @@
+import { Module } from '@nestjs/common';
+import { APP_INTERCEPTOR } from '@nestjs/core';
+import { FieldAccessInterceptor } from './field-access.interceptor';
+import { GraphQLSchemaHost } from '@nestjs/graphql';
+
+@Module({
+  imports: [],
+  providers: [
+    GraphQLSchemaHost,
+    { provide: APP_INTERCEPTOR, useClass: FieldAccessInterceptor },
+  ],
+})
+export class FieldAccessModule {}

src/post/dto/post.object.ts

@@ -0,0 +1,27 @@
+import { Field, ID, ObjectType } from '@nestjs/graphql';
+import { Post, User } from '@prisma/client';
+import { UserObject } from 'src/user/dto/user.object';
+
+@ObjectType()
+export class PostObject implements Omit<Post, 'author' | 'authorId'> {
+  @Field(() => ID, { nullable: false })
+  id: string;
+
+  @Field(() => Date, { nullable: false })
+  createdAt: Date;
+
+  @Field(() => Date, { nullable: false })
+  updatedAt: Date;
+
+  @Field(() => String, { nullable: false })
+  title: string;
+
+  @Field(() => String, { nullable: true })
+  content: string | null;
+
+  @Field(() => UserObject, { nullable: false })
+  author: User;
+
+  @Field(() => String)
+  authorId: string;
+}

src/prisma/schema.prisma

@@ -3,11 +3,6 @@ generator client {
   provider      = "prisma-client-js"
 }
 
-generator nestgraphql {
-  provider = "node node_modules/prisma-nestjs-graphql"
-  output   = "../@generated"
-}
-
 datasource db {
   provider = "postgresql"
   url      = env("DB_URL")