AuthLevel decorator (#3439)

Author: CarsonF

src/components/authentication/anonymous.decorator.ts

@@ -0,0 +1,6 @@
+import { createMetadataDecorator } from '@seedcompany/nest';
+
+export const AuthLevel = createMetadataDecorator({
+  setter: (level: 'authenticated' | 'anonymous' | 'sessionless') => level,
+  types: ['class', 'method'],
+});

src/components/authentication/auth-level.decorator.ts

@@ -1,3 +1,3 @@
 export * from './authentication.service';
 export { SessionHost } from './session.host';
-export * from './anonymous.decorator';
+export * from './auth-level.decorator';

src/components/authentication/index.ts

@@ -11,12 +11,13 @@ import { Privileges } from '../authorization';
 import { Power } from '../authorization/dto';
 import { UserLoader } from '../user';
 import { User } from '../user/dto';
-import { Anonymous } from './anonymous.decorator';
+import { AuthLevel } from './auth-level.decorator';
 import { AuthenticationService } from './authentication.service';
 import { LoginInput, LoginOutput, LogoutOutput } from './dto';
 import { SessionHost } from './session.host';
 
 @Resolver(LoginOutput)
+@AuthLevel('anonymous')
 export class LoginResolver {
   constructor(
     private readonly authentication: AuthenticationService,
@@ -30,7 +31,6 @@ export class LoginResolver {
       @sensitive-secrets
     `,
   })
-  @Anonymous()
   async login(@Args('input') input: LoginInput): Promise<LoginOutput> {
     const user = await this.authentication.login(input);
     await this.authentication.refreshCurrentSession();
@@ -43,7 +43,6 @@ export class LoginResolver {
       @sensitive-secrets
     `,
   })
-  @Anonymous()
   async logout(): Promise<LogoutOutput> {
     const session = this.sessionHost.current;
     await this.authentication.logout(session.token);

src/components/authentication/login.resolver.ts

@@ -1,6 +1,6 @@
 import { Args, Mutation, Resolver } from '@nestjs/graphql';
 import { stripIndent } from 'common-tags';
-import { Anonymous } from './anonymous.decorator';
+import { AuthLevel } from './auth-level.decorator';
 import { AuthenticationService } from './authentication.service';
 import {
   ChangePasswordArgs,
@@ -31,6 +31,7 @@ export class PasswordResolver {
   @Mutation(() => ForgotPasswordOutput, {
     description: 'Forgot password; send password reset email',
   })
+  @AuthLevel('anonymous')
   async forgotPassword(
     @Args() { email }: ForgotPasswordArgs,
   ): Promise<ForgotPasswordOutput> {
@@ -44,7 +45,7 @@ export class PasswordResolver {
       @sensitive-secrets
     `,
   })
-  @Anonymous()
+  @AuthLevel('anonymous')
   async resetPassword(
     @Args('input') input: ResetPasswordInput,
   ): Promise<ResetPasswordOutput> {

src/components/authentication/password.resolver.ts

@@ -11,11 +11,12 @@ import { Privileges } from '../authorization';
 import { Power } from '../authorization/dto';
 import { UserLoader } from '../user';
 import { User } from '../user/dto';
-import { Anonymous } from './anonymous.decorator';
+import { AuthLevel } from './auth-level.decorator';
 import { AuthenticationService } from './authentication.service';
 import { RegisterInput, RegisterOutput } from './dto';
 
 @Resolver(RegisterOutput)
+@AuthLevel('anonymous')
 export class RegisterResolver {
   constructor(
     private readonly authentication: AuthenticationService,
@@ -28,7 +29,6 @@ export class RegisterResolver {
       @sensitive-secrets
     `,
   })
-  @Anonymous()
   async register(@Args('input') input: RegisterInput): Promise<RegisterOutput> {
     const user = await this.authentication.register(input);
     await this.authentication.login(input);

src/components/authentication/register.resolver.ts

@@ -25,7 +25,7 @@ import { ConfigService } from '~/core';
 import { Identity } from '~/core/authentication';
 import { GlobalHttpHook, type IRequest } from '~/core/http';
 import { rolesForScope } from '../authorization/dto';
-import { Anonymous } from './anonymous.decorator';
+import { AuthLevel } from './auth-level.decorator';
 import { AuthenticationService } from './authentication.service';
 import { SessionHost } from './session.host';
 
@@ -65,56 +65,59 @@ export class SessionInterceptor implements NestInterceptor {
       throw new Error('Session holder for request is not in async context');
     }
 
-    const type = executionContext.getType();
-
-    let isMutation = true;
-    let session;
-    if (type === 'graphql') {
-      const gqlExecutionContext = GqlExecutionContext.create(executionContext);
-      const op = gqlExecutionContext.getInfo().operation;
-      isMutation = op.operation === 'mutation';
-      session = await this.handleGql(executionContext);
-    } else if (type === 'http') {
-      const request = executionContext.switchToHttp().getRequest();
-      isMutation = request.method !== 'GET' && request.method !== 'HEAD';
-      session = await this.handleHttp(executionContext);
+    const isMutation = this.isMutation(executionContext);
+    const authLevel =
+      AuthLevel.get(executionContext.getHandler() as FnLike) ??
+      AuthLevel.get(executionContext.getClass()) ??
+      (isMutation ? 'authenticated' : 'anonymous');
+
+    if (authLevel === 'sessionless') {
+      return next.handle();
     }
-    session$.next(session);
-
-    const allowAnonymous =
-      Anonymous.get(executionContext.getHandler() as FnLike) ??
-      Anonymous.get(executionContext.getClass()) ??
-      !isMutation;
-    if (!allowAnonymous && session) {
-      this.identity.verifyLoggedIn();
+
+    const session = await this.startFromContext(executionContext);
+    if (session) {
+      session$.next(session);
+      if (authLevel === 'authenticated') {
+        this.identity.verifyLoggedIn();
+      }
     }
 
     return next.handle();
   }
 
-  private async handleHttp(executionContext: ExecutionContext) {
-    const enabled = Reflect.getMetadata(
-      'SESSION_WATERMARK',
-      executionContext.getClass(),
-      executionContext.getHandler().name,
-    );
-    if (!enabled) {
-      return;
+  private isMutation(executionContext: ExecutionContext) {
+    switch (executionContext.getType()) {
+      case 'graphql': {
+        const gqlExecutionContext =
+          GqlExecutionContext.create(executionContext);
+        const op = gqlExecutionContext.getInfo().operation;
+        return op.operation === 'mutation';
+      }
+      case 'http': {
+        const request = executionContext.switchToHttp().getRequest();
+        return request.method !== 'GET' && request.method !== 'HEAD';
+      }
+      default:
+        return undefined;
     }
-    const request = executionContext.switchToHttp().getRequest();
-    return await this.hydrateSession({ request });
   }
 
-  private async handleGql(executionContext: ExecutionContext) {
-    const gqlExecutionContext = GqlExecutionContext.create(executionContext);
-    const ctx = gqlExecutionContext.getContext();
-    const info = gqlExecutionContext.getInfo();
-
-    if (info.fieldName !== 'session') {
-      const session = await this.hydrateSession(ctx);
-      return session;
+  private async startFromContext(executionContext: ExecutionContext) {
+    switch (executionContext.getType()) {
+      case 'graphql': {
+        const gqlExecutionContext =
+          GqlExecutionContext.create(executionContext);
+        const ctx = gqlExecutionContext.getContext();
+        return await this.hydrateSession(ctx);
+      }
+      case 'http': {
+        const request = executionContext.switchToHttp().getRequest();
+        return await this.hydrateSession({ request });
+      }
+      default:
+        return undefined;
     }
-    return undefined;
   }
 
   async hydrateSession(context: Pick<GqlContextType, 'request'>) {

src/components/authentication/session.interceptor.ts

@@ -18,12 +18,14 @@ import { Privileges } from '../authorization';
 import { Power } from '../authorization/dto';
 import { UserLoader, UserService } from '../user';
 import { User } from '../user/dto';
+import { AuthLevel } from './auth-level.decorator';
 import { AuthenticationService } from './authentication.service';
 import { SessionOutput } from './dto';
 import { SessionHost } from './session.host';
 import { SessionInterceptor } from './session.interceptor';
 
 @Resolver(SessionOutput)
+@AuthLevel('sessionless')
 export class SessionResolver {
   constructor(
     private readonly authentication: AuthenticationService,

src/components/authentication/session.resolver.ts

@@ -10,12 +10,13 @@ import {
   Response,
 } from '@nestjs/common';
 import { type ID } from '~/common';
-import { Identity } from '~/core/authentication';
+import { AuthLevel, Identity } from '~/core/authentication';
 import { HttpAdapter, type IRequest, type IResponse } from '~/core/http';
 import { SessionInterceptor } from '../authentication/session.interceptor';
 import { FileService } from './file.service';
 
 @Controller(FileUrlController.path)
+@AuthLevel('sessionless')
 export class FileUrlController {
   static path = '/file';
 

src/components/file/file-url.controller.ts

@@ -11,6 +11,7 @@ import {
 import { DateTime } from 'luxon';
 import { URL } from 'node:url';
 import { InputException } from '~/common';
+import { AuthLevel } from '~/core/authentication';
 import {
   HttpAdapter,
   type IRequest,
@@ -23,6 +24,7 @@ import { FileBucket, InvalidSignedUrlException } from './bucket';
  * This fakes S3 web hosting for use with LocalBuckets.
  */
 @Controller(LocalBucketController.path)
+@AuthLevel('sessionless')
 export class LocalBucketController {
   static path = '/local-bucket';