Commit 82c2470
feat(users): enhance and implement new OAuth flow (#451)
* feat(users): enhance security and performance
- Fix user enumeration vulnerabilities with generic error responses
- Add rate limiting to critical endpoints using @nestjs/throttler
- Implement batch getUsersDtoByIds to resolve N+1 query issues
- Replace synchronous bcrypt operations with async versions
- Add secure login with constant-time authentication
* feat(oauth): implement user-friendly OAuth flow with decision page
- Replace automatic user creation with user choice mechanism
- Add OAuth state token system for secure multi-step authentication
- Implement decision page flow allowing users to:
  * Create new account with customizable username/nickname
  * Bind OAuth account to existing user account
- Add new API endpoints:
  * GET /users/auth/oauth/state - retrieve OAuth state information
  * POST /users/oauth/create - create new user from OAuth decision
  * POST /users/oauth/bind - bind OAuth to existing user
- Enhance nickname validation to support Chinese characters
- Improve error handling with better user-facing messages
- Add comprehensive test coverage for new OAuth scenarios
Breaking Changes:
- Replace UsersService.loginWithOAuth() with initiateOAuthFlow()
- OAuth callback now redirects to different pages based on user state:
  * /oauth-success - existing OAuth connection
  * /oauth-verify - email conflict (force binding)
  * /oauth-complete - new decision page for user choice
This improves user experience by eliminating forced automatic registration
and allowing users to maintain control over their account creation process.
* fix: resolve SRP auth test failures and add error filter to users controller
- Update SRP tests to expect generic InvalidLoginCredentialsError
- Add @UseFilters decorator to UsersController
- Fix user profile e2e test user ID
* fix: resolve test failures and database constraint issues
- Update SRP tests to use generic error types
- Add error filter to users controller
- Fix foreign key constraint in user profile queries
* fix(auth): prevent type confusion in token validation
Add explicit string type check before calling indexOf() to prevent
parameter tampering attacks in verify() and decode() methods
* test(users): add unit tests for cookie helper utilities
* test(users): enhance unit tests for OAuth user creation and login flows
1 parent 3803d29
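The generic-error and constant-time login that the message above describes ("Fix user enumeration vulnerabilities with generic error responses", "Add secure login with constant-time authentication", and the `typeof` guard from the "prevent type confusion" fix), written as an added TypeScript example. It is not the project's code: `login`, `isStringToken`, `failureMessage`, `USERS` and the decoy credential are hypothetical names, the one account is constructed sample data, and Node's built-in scrypt stands in for bcrypt so the example runs without third-party packages.

```typescript
import { scryptSync, timingSafeEqual } from "crypto";

// One error class and one message for every failure mode (unknown user,
// wrong password, malformed request), so the response body cannot be used
// to enumerate which usernames exist.
class InvalidLoginCredentialsError extends Error {
  constructor() {
    super("Invalid login credentials");
    this.name = "InvalidLoginCredentialsError";
  }
}

// Hypothetical persisted record; stands in for whatever the users module stores.
interface StoredUser {
  id: number;
  username: string;
  salt: string;
  hash: Buffer;
}

// scrypt (Node core) stands in for bcrypt; the pattern below is the same for
// either hash. N is kept small so the example runs quickly.
function hashPassword(password: string, salt: string): Buffer {
  return scryptSync(password, salt, 32, { N: 1024 });
}

// Constructed sample data: a single account.
const USERS: StoredUser[] = [
  { id: 1, username: "alice", salt: "alice-salt", hash: hashPassword("correct horse", "alice-salt") },
];

// Decoy credential: when no account matches, the submitted password is still
// hashed and compared against this value, so the unknown-user path takes the
// same time as the wrong-password path.
const DECOY_SALT = "decoy-salt";
const DECOY_HASH = hashPassword("decoy-password-never-accepted", DECOY_SALT);

// Type-confusion guard: body and query-string parsers can deliver arrays or
// objects where a string is expected. Arrays also have indexOf(), so a shape
// check that calls indexOf() without checking typeof first would accept them.
function isStringToken(value: unknown): value is string {
  return typeof value === "string" && value.length > 0;
}

// Returns the user id on success; throws the generic error otherwise.
function login(username: unknown, password: unknown): number {
  if (!isStringToken(username) || !isStringToken(password)) {
    throw new InvalidLoginCredentialsError();
  }
  const user = USERS.find((u) => u.username === username);
  const salt = user ? user.salt : DECOY_SALT;
  const expected = user ? user.hash : DECOY_HASH;
  const actual = hashPassword(password, salt);
  // The comparison runs on every request; the existence check comes after it,
  // so timing does not depend on whether the account exists.
  const hashMatches = timingSafeEqual(actual, expected);
  if (!user || !hashMatches) {
    throw new InvalidLoginCredentialsError();
  }
  return user.id;
}

// Helper for callers (and the tests) to confirm that every failure mode
// produces the same message: returns null on success, the message on failure.
function failureMessage(username: unknown, password: unknown): string | null {
  try {
    login(username, password);
    return null;
  } catch (e) {
    return e instanceof InvalidLoginCredentialsError ? e.message : "unexpected";
  }
}
```

In a NestJS controller the same `InvalidLoginCredentialsError` would be mapped to one HTTP status by the exception filter, so that neither the body nor the status distinguishes an unknown account from a wrong password.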
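The "OAuth state token system for secure multi-step authentication" in the message above is only named, not described. The following is an added TypeScript example of one way such a token can be built so that the decision endpoints (`/users/oauth/create`, `/users/oauth/bind`) act only on a provider identity the callback actually verified; it is not the project's code. `issueOAuthState`, `verifyOAuthState`, `consumeOAuthState`, `OAuthStateClaims`, the HMAC key, the 10-minute lifetime and the in-memory nonce set are all assumptions made for the example.

```typescript
import { createHmac, randomBytes, timingSafeEqual } from "crypto";

// Claims the callback handler has verified with the provider and that the
// decision page must later prove it is acting on.
interface OAuthStateClaims {
  provider: string;
  subject: string;       // provider-side stable user id
  email: string | null;
  nonce: string;         // single-use id, burned when the decision is submitted
  exp: number;           // expiry, unix milliseconds
}

// Assumption: one process-wide HMAC key loaded from configuration. A random
// key is generated here so the example runs stand-alone.
const STATE_KEY = randomBytes(32);
const DEFAULT_TTL_MS = 10 * 60 * 1000;
// Replay guard. Behind several instances this would live in a shared store.
const consumedNonces = new Set<string>();

function mac(body: string): string {
  return createHmac("sha256", STATE_KEY).update(body).digest("base64url");
}

// Issued by the OAuth callback once the provider identity is verified.
function issueOAuthState(provider: string, subject: string, email: string | null,
                         now: number = Date.now(), ttlMs: number = DEFAULT_TTL_MS): string {
  const claims: OAuthStateClaims = {
    provider, subject, email,
    nonce: randomBytes(16).toString("hex"),
    exp: now + ttlMs,
  };
  const body = Buffer.from(JSON.stringify(claims)).toString("base64url");
  return `${body}.${mac(body)}`;
}

// For a read-only endpoint such as GET /users/auth/oauth/state: checks type,
// signature and expiry but does not burn the nonce, so the decision page can
// be rendered before the user submits a choice.
function verifyOAuthState(token: unknown, now: number = Date.now()): OAuthStateClaims | null {
  // Arrays also have split() and indexOf(); reject non-strings before parsing.
  if (typeof token !== "string") return null;
  const parts = token.split(".");
  if (parts.length !== 2) return null;
  const [body, tag] = parts;
  const given = Buffer.from(tag);
  const expected = Buffer.from(mac(body));
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) return null;
  let claims: OAuthStateClaims;
  try {
    claims = JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
  } catch (_e) {
    return null;
  }
  if (typeof claims.exp !== "number" || claims.exp <= now) return null;
  if (typeof claims.nonce !== "string" || consumedNonces.has(claims.nonce)) return null;
  return claims;
}

// For the decision endpoints (create or bind): same checks, then the nonce is
// burned so a captured token cannot be submitted a second time.
function consumeOAuthState(token: unknown, now: number = Date.now()): OAuthStateClaims | null {
  const claims = verifyOAuthState(token, now);
  if (claims) consumedNonces.add(claims.nonce);
  return claims;
}
```

The bind path needs one more check that this example leaves to the caller: the user must also authenticate to the existing account (or have a live session for it) before the provider subject is attached, since the state token only proves who the provider says the user is, not that they own the local account.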
File tree
13 files changed: +4179 -592 lines changed
- src
- auth
- users
- helpers
- test
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
39 | 39 | | |
40 | 40 | | |
41 | 41 | | |
| 42 | + | |
42 | 43 | | |
43 | 44 | | |
44 | 45 | | |
| |||
50 | 51 | | |
51 | 52 | | |
52 | 53 | | |
| 54 | + | |
53 | 55 | | |
54 | 56 | | |
55 | 57 | | |
| |||
77 | 79 | | |
78 | 80 | | |
79 | 81 | | |
| 82 | + | |
80 | 83 | | |
81 | 84 | | |
82 | 85 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
79 | 79 | | |
80 | 80 | | |
81 | 81 | | |
82 | | - | |
| 82 | + | |
83 | 83 | | |
84 | 84 | | |
85 | 85 | | |
| |||
225 | 225 | | |
226 | 226 | | |
227 | 227 | | |
228 | | - | |
| 228 | + | |
229 | 229 | | |
230 | 230 | | |
231 | 231 | | |
| |||
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1 | 1 | | |
2 | 2 | | |
| 3 | + | |
3 | 4 | | |
4 | 5 | | |
5 | 6 | | |
| |||
19 | 20 | | |
20 | 21 | | |
21 | 22 | | |
| 23 | + | |
| 24 | + | |
| 25 | + | |
22 | 26 | | |
23 | 27 | | |
24 | 28 | | |
| |||