Merge pull request #632 from SELab-2/400-backend---application---fix-student-teacher-account-overlap

[Backend] - Implementend User Acces Rights

Author: thomasdejaeghere

backend/api/openapi.yml

@@ -2520,6 +2520,7 @@ components:
       required:
         - email
         - password
+        - userType
       additionalProperties: false
       properties:
         email:
@@ -2529,6 +2530,11 @@ components:
         password:
           type: string
           description: User's password.
+        userType:
+          type: string
+          enum: [student, teacher]
+          default: student
+          description: User's type in the system.
 
     RegisterResponse:
       type: object

backend/src/application/auth.ts

@@ -1,7 +1,7 @@
 import bcrypt from "bcryptjs";
 import jwt from "jsonwebtoken";
 import { AuthenticationTokenPayload, TokenResponse } from "./types";
-import { User } from "../core/entities/user";
+import { User, UserType } from "../core/entities/user";
 import { GetUser, GetUserInput } from "../core/services/user";
 
 // TODO - Consider allowing only one active token per user (probably not)
@@ -33,7 +33,12 @@ export class AuthenticationManager {
         this.refreshExpiresIn = refreshExpiresIn;
     }
 
-    async authenticate(email: string, password: string, refreshToken?: string): Promise<TokenResponse | null> {
+    async authenticate(
+        email: string,
+        password: string,
+        userType?: UserType,
+        refreshToken?: string,
+    ): Promise<TokenResponse | null> {
         if (refreshToken) {
             const refreshResult = this.refreshAccessToken(refreshToken);
             if (refreshResult) {
@@ -43,14 +48,13 @@ export class AuthenticationManager {
         const input: GetUserInput = { email: email };
         let user = undefined;
         try {
-            user = (await this.getUserService.execute(input)) as User;
+            user = (await this.getUserService.execute("", input)) as User;
         } catch (e) {
             return null;
         }
-        if (user && (await bcrypt.compare(password, user.passwordHash))) {
+        if (user && userType && user.userType === userType && (await bcrypt.compare(password, user.passwordHash))) {
             return this.generateTokens(user.id!);
         }
-        console.log("not supposed to be here");
         return null;
     }
 

backend/src/application/controller.ts

@@ -1,5 +1,5 @@
 import { createErrorHandler, defaultResponder, ResponderFunction } from "./helpersExpress";
-import { ApiError, Request, Response, ErrorCode } from "./types";
+import { ApiError, Request, Response, ErrorCode, AuthenticatedRequestBody } from "./types";
 import { logger } from "../config/logger";
 import { Service, Services } from "../config/service";
 
@@ -60,6 +60,7 @@ export abstract class Controller {
         data: T,
         statusCode: number,
         operationName: string,
+        userId: string,
     ): Promise<Response> {
         if (!service) {
             this.logger.warn(`${operationName} operation not implemented`);
@@ -69,7 +70,7 @@ export abstract class Controller {
             });
         }
         this.logger.info(`Executing service: ${operationName}`, { statusCode });
-        const body = await service.execute(data);
+        const body = await service.execute(userId, data);
         return this.respond(statusCode, body);
     }
 
@@ -80,7 +81,13 @@ export abstract class Controller {
      * @returns Response with status 200 and entity data
      */
     public async getOne<T>(req: Request, data: T): Promise<Response> {
-        return this._executeService(this.services.get, data, 200, "Get");
+        return this._executeService(
+            this.services.get,
+            data,
+            200,
+            "Get",
+            (req.body as AuthenticatedRequestBody).authenticatedUserId,
+        );
     }
 
     /**
@@ -90,7 +97,13 @@ export abstract class Controller {
      * @returns Response with status 200 and list of entities
      */
     public async getAll<T>(req: Request, data: T): Promise<Response> {
-        return this._executeService(this.services.getAll, data, 200, "GetAll");
+        return this._executeService(
+            this.services.getAll,
+            data,
+            200,
+            "GetAll",
+            (req.body as AuthenticatedRequestBody).authenticatedUserId,
+        );
     }
 
     /**
@@ -101,7 +114,13 @@ export abstract class Controller {
      * @returns Response with status 200 and list of child entities
      */
     public async getChildren<T>(req: Request, data: T, service: Service<T>): Promise<Response> {
-        return this._executeService(service, data, 200, "GetChildren");
+        return this._executeService(
+            service,
+            data,
+            200,
+            "GetChildren",
+            (req.body as AuthenticatedRequestBody).authenticatedUserId,
+        );
     }
 
     /**
@@ -112,7 +131,13 @@ export abstract class Controller {
      * @returns Response with status 201 and created child entity data
      */
     public async addChild<T>(req: Request, data: T, service: Service<T>): Promise<Response> {
-        return this._executeService(service, data, 201, "AddChild");
+        return this._executeService(
+            service,
+            data,
+            201,
+            "AddChild",
+            (req.body as AuthenticatedRequestBody).authenticatedUserId,
+        );
     }
 
     /**
@@ -123,7 +148,13 @@ export abstract class Controller {
      * @returns Response with status 204 (No Content)
      */
     public async removeChild<T>(req: Request, data: T, service: Service<T>): Promise<Response> {
-        return this._executeService(service, data, 204, "RemoveChild");
+        return this._executeService(
+            service,
+            data,
+            204,
+            "RemoveChild",
+            (req.body as AuthenticatedRequestBody).authenticatedUserId,
+        );
     }
 
     /**
@@ -133,7 +164,13 @@ export abstract class Controller {
      * @returns Response with status 200 and updated entity data
      */
     public async update<T>(req: Request, data: T): Promise<Response> {
-        return this._executeService(this.services.update, data, 204, "Update");
+        return this._executeService(
+            this.services.update,
+            data,
+            204,
+            "Update",
+            (req.body as AuthenticatedRequestBody).authenticatedUserId,
+        );
     }
 
     /**
@@ -143,7 +180,13 @@ export abstract class Controller {
      * @returns Response with status 204 (No Content)
      */
     public async delete<T>(req: Request, data: T): Promise<Response> {
-        return this._executeService(this.services.remove, data, 204, "Delete");
+        return this._executeService(
+            this.services.remove,
+            data,
+            204,
+            "Delete",
+            (req.body as AuthenticatedRequestBody).authenticatedUserId,
+        );
     }
 
     /**
@@ -153,6 +196,12 @@ export abstract class Controller {
      * @returns Response with status 201 and created entity data
      */
     public async create<T>(req: Request, data: T): Promise<Response> {
-        return this._executeService(this.services.create, data, 201, "Create");
+        return this._executeService(
+            this.services.create,
+            data,
+            201,
+            "Create",
+            (req.body as AuthenticatedRequestBody).authenticatedUserId,
+        );
     }
 }

backend/src/application/middleware/loginMiddleware.ts

@@ -1,4 +1,5 @@
 import { Request as ExpressRequest, Response as ExpressResponse } from "express";
+import { UserType } from "../../core/entities/user";
 import { AuthenticationManager } from "../auth";
 import { defaultErrorHandler, defaultResponder, responseToExpress } from "../helpersExpress";
 import { ErrorCode } from "../types";
@@ -21,18 +22,23 @@ export function loginMiddleware(
             return;
         }
 
-        const { email, password, refreshToken } = req.body || {};
-        if (!((email && password) || (!email && !password && refreshToken))) {
+        const { email, password, userType, refreshToken } = req.body || {};
+        if (!((email && password && userType) || (!email && !password && !userType && refreshToken))) {
             const response = defaultErrorHandler({
                 code: ErrorCode.BAD_REQUEST,
-                message: "Email and password or refresh token are required",
+                message: "Email, password and userType or refresh token are required",
             });
             responseToExpress(response, res);
             return;
         }
 
         try {
-            const tokens = await authManager.authenticate(email || "", password || "", refreshToken);
+            const tokens = await authManager.authenticate(
+                email || "",
+                password || "",
+                userType as UserType,
+                refreshToken,
+            );
             if (!tokens) {
                 const response = defaultErrorHandler({
                     code: ErrorCode.UNAUTHORIZED,

backend/src/application/resources/taskResource.ts

@@ -79,6 +79,7 @@ export function taskRoutes(
                 controller,
                 extractor: extractors.getTask,
                 handler: (req, data) => controller.getOne(req, data),
+                middleware,
             },
             {
                 app,
@@ -87,6 +88,7 @@ export function taskRoutes(
                 controller,
                 extractor: extractors.getTask,
                 handler: (req, data) => controller.delete(req, data),
+                middleware,
             },
             {
                 app,

backend/src/application/types.ts

@@ -84,6 +84,11 @@ export interface TokenResponse {
     refreshToken: string;
 }
 
+export interface AuthenticatedRequestBody {
+    authenticatedUserId: string;
+    [key: string]: string;
+}
+
 /* ************* Path/Routing Types ************* */
 
 /**

backend/src/config/service.ts

@@ -1,6 +1,6 @@
 //TODO if application layer always asks for an object in return to we need to specify ReturnType?
 export interface Service<T> {
-    execute: (input: T) => Promise<object>;
+    execute: (userId: string, input: T) => Promise<object>;
 }
 
 //TODO can we abstract the params type in services to for a Params as abstracted class or interface?