Merge branch 'develop'

Author: CarsonF

package.json

@@ -63,10 +63,12 @@
     "extensionless": "^1.4.5",
     "fast-safe-stringify": "^2.1.1",
     "fastest-levenshtein": "^1.0.16",
+    "file-type": "^18.5.0",
     "got": "^13.0.0",
     "graphql": "^16.8.0",
     "graphql-parse-resolve-info": "^4.13.0",
     "graphql-scalars": "^1.22.2",
+    "graphql-upload": "^16.0.2",
     "human-format": "^1.2.0",
     "image-size": "^1.0.2",
     "ioredis": "^5.3.2",
@@ -77,6 +79,7 @@
     "lodash": "npm:lodash-es@^4.17.21",
     "lru-cache": "^7.18.3",
     "luxon": "^3.4.0",
+    "mime": "beta",
     "nanoid": "^4.0.2",
     "neo4j-driver": "^5.12.0",
     "nestjs-console": "^9.0.0",
@@ -91,6 +94,7 @@
     "reflect-metadata": "^0.1.13",
     "rimraf": "^5.0.1",
     "rxjs": "^7.8.1",
+    "sanitize-filename": "^1.6.3",
     "ts-essentials": "^9.3.2",
     "winston": "^3.10.0",
     "xlsx": "https://cdn.sheetjs.com/xlsx-0.20.0/xlsx-0.20.0.tgz",
@@ -107,6 +111,7 @@
     "@types/express": "^4.17.17",
     "@types/express-serve-static-core": "^4.17.35",
     "@types/ffprobe": "^1.1.5",
+    "@types/graphql-upload": "^16.0.1",
     "@types/jest": "^29.5.3",
     "@types/jsonwebtoken": "^9.0.2",
     "@types/lodash": "^4.14.197",

src/common/scalars.ts

@@ -1,6 +1,7 @@
 import { Type } from '@nestjs/common';
 import { CustomScalar } from '@nestjs/graphql';
 import { GraphQLScalarType } from 'graphql';
+import UploadScalar from 'graphql-upload/GraphQLUpload.mjs';
 import { DateScalar, DateTimeScalar } from './luxon.graphql';
 import { RichTextScalar } from './rich-text.scalar';
 import { UrlScalar } from './url.field';
@@ -12,5 +13,6 @@ export const getRegisteredScalars = (): Scalar[] => [
   DateScalar,
   DateTimeScalar,
   RichTextScalar,
+  UploadScalar,
   UrlScalar,
 ];

src/components/authentication/authentication.service.ts

@@ -117,15 +117,16 @@ export class AuthenticationService {
       );
     }
 
-    impersonatee = impersonatee
-      ? {
-          id: impersonatee?.id,
-          roles: [
-            ...(impersonatee.roles ?? []),
-            ...(result.impersonateeRoles ?? []),
-          ],
-        }
-      : undefined;
+    impersonatee =
+      impersonatee && result.userId
+        ? {
+            id: impersonatee?.id,
+            roles: [
+              ...(impersonatee.roles ?? []),
+              ...(result.impersonateeRoles ?? []),
+            ],
+          }
+        : undefined;
 
     const requesterSession: Session = {
       token,

src/components/authentication/login.resolver.ts

@@ -6,6 +6,7 @@ import {
   ResolveField,
   Resolver,
 } from '@nestjs/graphql';
+import { stripIndent } from 'common-tags';
 import { AnonSession, GqlContextType, Session } from '../../common';
 import { Loader, LoaderOf } from '../../core';
 import { Powers as Power, Privileges } from '../authorization';
@@ -21,7 +22,10 @@ export class LoginResolver {
   ) {}
 
   @Mutation(() => LoginOutput, {
-    description: 'Login a user',
+    description: stripIndent`
+      Login a user
+      @sensitive-secrets
+    `,
   })
   async login(
     @Args('input') input: LoginInput,
@@ -34,7 +38,10 @@ export class LoginResolver {
   }
 
   @Mutation(() => LogoutOutput, {
-    description: 'Logout a user',
+    description: stripIndent`
+      Logout a user
+      @sensitive-secrets
+    `,
   })
   async logout(
     @AnonSession() session: Session,

src/components/authentication/password.resolver.ts

@@ -1,4 +1,5 @@
 import { Args, Mutation, Resolver } from '@nestjs/graphql';
+import { stripIndent } from 'common-tags';
 import { AnonSession, LoggedInSession, Session } from '../../common';
 import { AuthenticationService } from './authentication.service';
 import {
@@ -15,7 +16,10 @@ export class PasswordResolver {
   constructor(private readonly authentication: AuthenticationService) {}
 
   @Mutation(() => ChangePasswordOutput, {
-    description: 'Change your password',
+    description: stripIndent`
+      Change your password
+      @sensitive-secrets
+    `,
   })
   async changePassword(
     @Args() { oldPassword, newPassword }: ChangePasswordArgs,
@@ -36,7 +40,10 @@ export class PasswordResolver {
   }
 
   @Mutation(() => ResetPasswordOutput, {
-    description: 'Reset Password',
+    description: stripIndent`
+      Reset Password
+      @sensitive-secrets
+    `,
   })
   async resetPassword(
     @Args('input') input: ResetPasswordInput,

src/components/authentication/register.resolver.ts

@@ -6,6 +6,7 @@ import {
   ResolveField,
   Resolver,
 } from '@nestjs/graphql';
+import { stripIndent } from 'common-tags';
 import { AnonSession, GqlContextType, Session } from '../../common';
 import { Loader, LoaderOf } from '../../core';
 import { Powers as Power, Privileges } from '../authorization';
@@ -21,7 +22,10 @@ export class RegisterResolver {
   ) {}
 
   @Mutation(() => RegisterOutput, {
-    description: 'Register a new user',
+    description: stripIndent`
+      Register a new user
+      @sensitive-secrets
+    `,
   })
   async register(
     @Args('input') input: RegisterInput,

src/components/engagement/events/engagement-updated.event.ts

@@ -11,20 +11,20 @@ export class EngagementUpdatedEvent {
   constructor(
     public updated: UnsecuredDto<Engagement>,
     readonly previous: UnsecuredDto<Engagement>,
-    readonly updates: UpdateLanguageEngagement | UpdateInternshipEngagement,
+    readonly input: UpdateLanguageEngagement | UpdateInternshipEngagement,
     readonly session: Session,
   ) {}
 
   isLanguageEngagement(): this is EngagementUpdatedEvent & {
-    engagement: UnsecuredDto<LanguageEngagement>;
-    updates: UpdateLanguageEngagement;
+    updated: UnsecuredDto<LanguageEngagement>;
+    input: UpdateLanguageEngagement;
   } {
     return this.updated.__typename === 'LanguageEngagement';
   }
 
   isInternshipEngagement(): this is EngagementUpdatedEvent & {
-    engagement: UnsecuredDto<InternshipEngagement>;
-    updates: UpdateInternshipEngagement;
+    updated: UnsecuredDto<InternshipEngagement>;
+    input: UpdateInternshipEngagement;
   } {
     return this.updated.__typename === 'InternshipEngagement';
   }

src/components/file/bucket/composite-bucket.ts

@@ -2,7 +2,13 @@ import { HeadObjectOutput } from '@aws-sdk/client-s3';
 import { Type } from '@nestjs/common';
 import { Command } from '@smithy/smithy-client';
 import { NotFoundException } from '~/common';
-import { FileBucket, GetObjectOutput, SignedOp } from './file-bucket';
+import {
+  FileBucket,
+  GetObjectOutput,
+  InvalidSignedUrlException,
+  PutObjectInput,
+  SignedOp,
+} from './file-bucket';
 
 /**
  * A bucket that is composed of multiple other sources.
@@ -36,6 +42,18 @@ export class CompositeBucket extends FileBucket {
     return await source.getSignedUrl(operation, input);
   }
 
+  async parseSignedUrl(url: URL) {
+    const results = await Promise.allSettled(
+      this.sources.map(async (source) => await source.parseSignedUrl(url)),
+    );
+    for (const result of results) {
+      if (result.status === 'fulfilled') {
+        return result.value;
+      }
+    }
+    throw new InvalidSignedUrlException();
+  }
+
   async getObject(key: string): Promise<GetObjectOutput> {
     const [source] = await this.selectSource(key);
     return await source.getObject(key);
@@ -46,6 +64,12 @@ export class CompositeBucket extends FileBucket {
     return output;
   }
 
+  async putObject(input: PutObjectInput): Promise<void> {
+    await this.doAndThrowAllErrors(
+      this.writableSources.map((bucket) => bucket.putObject(input)),
+    );
+  }
+
   async copyObject(oldKey: string, newKey: string): Promise<void> {
     const [existing] = await this.selectSources(oldKey, this.writableSources);
     await this.doAndThrowAllErrors(

src/components/file/bucket/file-bucket.ts

@@ -1,17 +1,36 @@
 import {
   GetObjectOutput as AwsGetObjectOutput,
+  PutObjectCommandInput as AwsPutObjectCommandInput,
   HeadObjectOutput,
 } from '@aws-sdk/client-s3';
 import { RequestPresigningArguments } from '@aws-sdk/types';
 import { Type } from '@nestjs/common';
+import { MaybeAsync } from '@seedcompany/common';
 import { Command } from '@smithy/smithy-client';
+import { NodeJsRuntimeStreamingBlobPayloadInputTypes } from '@smithy/types/dist-types/streaming-payload/streaming-blob-payload-input-types';
 import { Readable } from 'stream';
-import { Merge } from 'type-fest';
-import { DurationIn } from '~/common';
+import {
+  Except,
+  LiteralUnion,
+  Merge,
+  SetNonNullable,
+  SetRequired,
+} from 'type-fest';
+import { DurationIn, InputException, InputExceptionArgs } from '~/common';
 
 // Limit body to only `Readable` which is always the case for Nodejs execution.
 export type GetObjectOutput = Merge<AwsGetObjectOutput, { Body: Readable }>;
 
+export type PutObjectInput = Merge<
+  SetNonNullable<
+    SetRequired<Except<AwsPutObjectCommandInput, 'Bucket'>, 'ContentType'>,
+    'Key'
+  >,
+  {
+    Body: NodeJsRuntimeStreamingBlobPayloadInputTypes;
+  }
+>;
+
 export type SignedOp<T extends object> = Omit<T, 'Bucket'> & {
   Key: string;
   signing: Merge<RequestPresigningArguments, { expiresIn: DurationIn }>;
@@ -29,13 +48,24 @@ export abstract class FileBucket {
     operation: Type<Command<TCommandInput, any, any>>,
     input: SignedOp<TCommandInput>,
   ): Promise<string>;
+  abstract parseSignedUrl(url: URL): MaybeAsync<{
+    Key: string;
+    operation: LiteralUnion<'PutObject' | 'GetObject', string>;
+  }>;
 
   abstract getObject(key: string): Promise<GetObjectOutput>;
   abstract headObject(key: string): Promise<HeadObjectOutput>;
+  abstract putObject(input: PutObjectInput): Promise<void>;
   abstract copyObject(oldKey: string, newKey: string): Promise<void>;
   abstract deleteObject(key: string): Promise<void>;
   async moveObject(oldKey: string, newKey: string) {
     await this.copyObject(oldKey, newKey);
     await this.deleteObject(oldKey);
   }
 }
+
+export class InvalidSignedUrlException extends InputException {
+  constructor(...args: InputExceptionArgs) {
+    super(...InputException.parseArgs('Invalid signed URL', args));
+  }
+}

src/components/file/bucket/local-bucket.ts

@@ -3,13 +3,20 @@ import {
   PutObjectCommand as PutObject,
 } from '@aws-sdk/client-s3';
 import { Type } from '@nestjs/common';
+import { bufferFromStream } from '@seedcompany/common';
 import { Command } from '@smithy/smithy-client';
 import { pickBy } from 'lodash';
 import { DateTime, Duration } from 'luxon';
 import { URL } from 'node:url';
+import { Readable } from 'stream';
 import { assert } from 'ts-essentials';
-import { InputException } from '~/common';
-import { FileBucket, GetObjectOutput, SignedOp } from './file-bucket';
+import {
+  FileBucket,
+  GetObjectOutput,
+  InvalidSignedUrlException,
+  PutObjectInput,
+  SignedOp,
+} from './file-bucket';
 
 export interface LocalBucketOptions {
   baseUrl: URL;
@@ -62,12 +69,25 @@ export abstract class LocalBucket<
 
   protected abstract saveFile(key: string, file: FakeAwsFile): Promise<void>;
 
+  async putObject(input: PutObjectInput) {
+    const buffer =
+      input.Body instanceof Readable
+        ? await bufferFromStream(input.Body)
+        : Buffer.from(input.Body);
+    await this.saveFile(input.Key, {
+      LastModified: new Date(),
+      ...input,
+      Body: buffer,
+      ContentLength: buffer.byteLength,
+    });
+  }
+
   async getSignedUrl<TCommandInput extends object>(
     operation: Type<Command<TCommandInput, any, any>>,
     input: SignedOp<TCommandInput>,
   ) {
     const signed = JSON.stringify({
-      operation: operation.constructor.name,
+      operation: operation.name.replace(/Command$/, ''),
       ...input,
       signing: {
         ...input.signing,
@@ -88,27 +108,40 @@ export abstract class LocalBucket<
     operation: Type<Command<TCommandInput, any, any>>,
     url: string,
   ): SignedOp<TCommandInput> & { Key: string } {
-    let raw;
+    let u: URL;
     try {
-      raw = new URL(url).searchParams.get('signed');
+      u = new URL(url);
     } catch (e) {
-      raw = url;
+      u = new URL('http://localhost');
+      u.searchParams.set('signed', url);
     }
-    assert(typeof raw === 'string');
-    let parsed;
     try {
-      parsed = JSON.parse(raw) as SignedOp<TCommandInput> & {
+      const parsed = this.parseSignedUrl(u) as SignedOp<TCommandInput> & {
         operation: string;
-        Key: string;
       };
-      assert(parsed.operation === operation.constructor.name);
+      assert(
+        parsed.operation === operation.name ||
+          `${parsed.operation}Command` === operation.name,
+      );
+      return parsed;
+    } catch (e) {
+      throw new InvalidSignedUrlException(e);
+    }
+  }
+
+  parseSignedUrl(url: URL) {
+    const raw = url.searchParams.get('signed');
+    let parsed;
+    try {
+      parsed = JSON.parse(raw || '') as SignedOp<{ operation: string }>;
+      assert(typeof parsed.operation === 'string');
       assert(typeof parsed.Key === 'string');
       assert(typeof parsed.signing.expiresIn === 'number');
     } catch (e) {
-      throw new InputException(e);
+      throw new InvalidSignedUrlException(e);
     }
     if (DateTime.local() > DateTime.fromMillis(parsed.signing.expiresIn)) {
-      throw new InputException('url expired');
+      throw new InvalidSignedUrlException('URL expired');
     }
     return parsed;
   }