Create Identity service as the new authentication facade

In ~/core.

Migrate SessionHost consumers to this facade.

Author: CarsonF

src/common/session.ts

@@ -8,7 +8,7 @@ import { CONTROLLER_WATERMARK } from '@nestjs/common/constants.js';
 import { Context } from '@nestjs/graphql';
 import { uniq } from 'lodash';
 import { type DateTime } from 'luxon';
-import { SessionHost } from '../components/authentication/session.host';
+import { Identity } from '~/core/authentication';
 import { type ScopedRole } from '../components/authorization/dto';
 import { UnauthenticatedException } from './exceptions';
 import { type ID } from './id-field';
@@ -42,10 +42,10 @@ export function loggedInSession(session: Session): Session {
 
 @Injectable()
 export class SessionPipe implements PipeTransform {
-  constructor(private readonly sessionHost: SessionHost) {}
+  constructor(private readonly identity: Identity) {}
 
   transform() {
-    return this.sessionHost.currentMaybe;
+    return this.identity.currentMaybe;
   }
 }
 

src/components/authentication/authentication.module.ts

@@ -2,6 +2,7 @@ import { forwardRef, Global, Module } from '@nestjs/common';
 import { APP_INTERCEPTOR } from '@nestjs/core';
 import { SessionPipe } from '~/common/session';
 import { splitDb } from '~/core';
+import { Identity } from '~/core/authentication';
 import { AuthorizationModule } from '../authorization/authorization.module';
 import { UserModule } from '../user/user.module';
 import { AuthenticationGelRepository } from './authentication.gel.repository';
@@ -34,6 +35,7 @@ import { SessionResolver } from './session.resolver';
     SessionExtraInfoResolver,
     LoginExtraInfoResolver,
     RegisterExtraInfoResolver,
+    Identity,
     AuthenticationService,
     splitDb(AuthenticationRepository, AuthenticationGelRepository),
     { provide: 'AUTHENTICATION', useExisting: AuthenticationService },
@@ -44,6 +46,7 @@ import { SessionResolver } from './session.resolver';
     SessionPipe,
   ],
   exports: [
+    Identity,
     SessionHost,
     SessionInterceptor,
     AuthenticationService,

src/components/authorization/policy/executor/edge-privileges.ts

@@ -57,7 +57,7 @@ export class EdgePrivileges<
       : perm.isAllowed({
           object: this.object,
           resource: this.resource,
-          session: this.policyExecutor.sessionHost.current,
+          session: this.policyExecutor.identity.current,
         });
   }
 

src/components/authorization/policy/executor/policy-executor.ts

@@ -2,8 +2,8 @@ import { forwardRef, Inject, Injectable } from '@nestjs/common';
 import { CachedByArg } from '@seedcompany/common';
 import { identity, intersection } from 'lodash';
 import { type EnhancedResource, type Session } from '~/common';
+import { Identity } from '~/core/authentication';
 import { type QueryFragment } from '~/core/database/query';
-import { SessionHost } from '../../../authentication/session.host';
 import { withoutScope } from '../../dto';
 import { RoleCondition } from '../../policies/conditions/role.condition';
 import { type Permission } from '../builder/perm-granter';
@@ -40,7 +40,7 @@ export interface FilterOptions {
 @Injectable()
 export class PolicyExecutor {
   constructor(
-    readonly sessionHost: SessionHost,
+    readonly identity: Identity,
     private readonly policyFactory: PolicyFactory,
     @Inject(forwardRef(() => ConditionOptimizer))
     private readonly conditionOptimizer: ConditionOptimizer & {},
@@ -64,7 +64,7 @@ export class PolicyExecutor {
       }
     }
 
-    const session = this.sessionHost.current;
+    const session = this.identity.current;
     const policies = this.getPolicies(session);
     const isChildRelation = prop && resource.childKeys.has(prop);
 
@@ -187,7 +187,7 @@ export class PolicyExecutor {
 
       const other = {
         resource: params.resource,
-        session: this.sessionHost.current,
+        session: this.identity.current,
       };
       return query
         .comment("Loading policy condition's context")

src/components/authorization/policy/executor/privileges.ts

@@ -6,7 +6,7 @@ import {
   type ResourceShape,
   type SecuredPropsPlusExtraKey,
 } from '~/common';
-import { SessionHost } from '../../../authentication/session.host';
+import { Identity } from '~/core/authentication';
 import type { Power } from '../../dto';
 import { MissingPowerException } from '../../missing-power.exception';
 import {
@@ -23,7 +23,7 @@ import { ResourcePrivileges } from './resource-privileges';
 export class Privileges {
   constructor(
     private readonly policyExecutor: PolicyExecutor,
-    private readonly sessionHost: SessionHost,
+    private readonly identity: Identity,
   ) {}
 
   forResource<TResourceStatic extends ResourceShape<any>>(
@@ -90,7 +90,7 @@ export class Privileges {
    * I think this should be replaced in-app code with `.for(X).verifyCan('create')`
    */
   verifyPower(power: Power) {
-    const session = this.sessionHost.current;
+    const session = this.identity.current;
     if (!this.powers.has(power)) {
       throw new MissingPowerException(
         power,
@@ -102,7 +102,7 @@ export class Privileges {
   }
 
   get powers(): Set<Power> {
-    const session = this.sessionHost.current;
+    const session = this.identity.current;
     const policies = this.policyExecutor.getPolicies(session);
     return new Set(policies.flatMap((policy) => [...policy.powers]));
   }

src/components/authorization/policy/executor/resource-privileges.ts

@@ -106,7 +106,7 @@ export class ResourcePrivileges<TResourceStatic extends ResourceShape<any>> {
       : perm.isAllowed({
           object: this.object,
           resource: this.resource,
-          session: this.policyExecutor.sessionHost.current,
+          session: this.policyExecutor.identity.current,
         });
   }
 

src/components/comments/comment.service.ts

@@ -13,8 +13,8 @@ import {
 } from '~/common';
 import { isAdmin } from '~/common/session';
 import { ResourceLoader, ResourcesHost } from '~/core';
+import { Identity } from '~/core/authentication';
 import { type BaseNode, isBaseNode } from '~/core/database/results';
-import { SessionHost } from '../authentication';
 import { Privileges } from '../authorization';
 import { CommentRepository } from './comment.repository';
 import {
@@ -39,7 +39,7 @@ export class CommentService {
     private readonly privileges: Privileges,
     private readonly resources: ResourceLoader,
     private readonly resourcesHost: ResourcesHost,
-    private readonly sessionHost: SessionHost,
+    private readonly identity: Identity,
     private readonly mentionNotificationService: CommentViaMentionNotificationService,
   ) {}
 
@@ -118,7 +118,7 @@ export class CommentService {
   }
 
   secureThread(thread: UnsecuredDto<CommentThread>): CommentThread {
-    const session = this.sessionHost.current;
+    const session = this.identity.current;
     return {
       ...thread,
       firstComment: this.secureComment(thread.firstComment),

src/components/engagement/engagement.rules.ts

@@ -9,9 +9,9 @@ import {
   UnauthorizedException,
 } from '~/common';
 import { ILogger, Logger } from '~/core';
+import { Identity } from '~/core/authentication';
 import { DatabaseService } from '~/core/database';
 import { ACTIVE, INACTIVE } from '~/core/database/query';
-import { SessionHost } from '../authentication';
 import { withoutScope } from '../authorization/dto';
 import { ProjectStep } from '../project/dto';
 import {
@@ -35,7 +35,7 @@ const rolesThatCanBypassWorkflow: Role[] = [Role.Administrator];
 export class EngagementRules {
   constructor(
     private readonly db: DatabaseService,
-    private readonly sessionHost: SessionHost,
+    private readonly identity: Identity,
     // eslint-disable-next-line @seedcompany/no-unused-vars
     @Logger('engagement:rules') private readonly logger: ILogger,
   ) {}
@@ -317,7 +317,7 @@ export class EngagementRules {
     currentUserRoles?: Role[],
     changeset?: ID,
   ): Promise<EngagementStatusTransition[]> {
-    const session = this.sessionHost.current;
+    const session = this.identity.current;
     if (session.anonymous) {
       return [];
     }
@@ -357,7 +357,7 @@ export class EngagementRules {
   }
 
   async canBypassWorkflow() {
-    const session = this.sessionHost.current;
+    const session = this.identity.current;
     const roles = session.roles.map(withoutScope);
     return intersection(rolesThatCanBypassWorkflow, roles).length > 0;
   }
@@ -369,7 +369,7 @@ export class EngagementRules {
   ) {
     // If current user's roles include a role that can bypass workflow
     // stop the check here.
-    const session = this.sessionHost.current;
+    const session = this.identity.current;
     const currentUserRoles = session.roles.map(withoutScope);
     if (intersection(rolesThatCanBypassWorkflow, currentUserRoles).length > 0) {
       return;

src/components/progress-report/media/handlers/update-media-metadata-check.handler.ts

@@ -1,5 +1,4 @@
 import { EventsHandler, ResourceLoader } from '~/core';
-import { SessionHost } from '../../../authentication';
 import { Privileges } from '../../../authorization';
 import { CanUpdateMediaUserMetadataEvent } from '../../../file/media/events/can-update-event';
 import { ProgressReportMedia as ReportMedia } from '../dto';
@@ -9,7 +8,6 @@ export class ProgressReportUpdateMediaMetadataCheckHandler {
   constructor(
     private readonly resources: ResourceLoader,
     private readonly privileges: Privileges,
-    private readonly sessionHost: SessionHost,
   ) {}
 
   async handle(event: CanUpdateMediaUserMetadataEvent) {

src/components/progress-report/workflow/handlers/progress-report-workflow-notification.handler.ts

@@ -9,11 +9,11 @@ import {
   ILogger,
   Logger,
 } from '~/core';
+import { Identity } from '~/core/authentication';
 import {
   type ProgressReportStatusChangedProps as EmailReportStatusNotification,
   ProgressReportStatusChanged,
 } from '~/core/email/templates/progress-report-status-changed.template';
-import { AuthenticationService } from '../../../authentication';
 import { LanguageService } from '../../../language';
 import { PeriodicReportService } from '../../../periodic-report';
 import { ProjectService } from '../../../project';
@@ -36,7 +36,7 @@ export class ProgressReportWorkflowNotificationHandler
   implements IEventHandler<WorkflowUpdatedEvent>
 {
   constructor(
-    private readonly auth: AuthenticationService,
+    private readonly identity: Identity,
     private readonly repo: ProgressReportWorkflowRepository,
     private readonly configService: ConfigService,
     private readonly userService: UserService,
@@ -113,7 +113,7 @@ export class ProgressReportWorkflowNotificationHandler
     languageId: ID,
   ): Promise<EmailReportStatusNotification> {
     const recipientId = receiver.userId ?? this.configService.rootUser.id;
-    return await this.auth.asUser(recipientId, async () => {
+    return await this.identity.asUser(recipientId, async () => {
       const recipient = receiver.userId
         ? await this.userService.readOne(recipientId)
         : this.fakeUserFromEmailAddress(receiver.email!);