Verify logged-in at interceptor for all mutations unless the decorator overrides

Before we required that the resolver had a parameter
```ts
@LoggedInSession() session: Session
```
Which was clunky because we had to have it even if we didn't use it.

We almost always needed to pass it down, so it made sense.
Now, with the session moving to an ALS, we will rarely need it.

So this moves the verification to the interceptor to be run regardless of
handler parameters.

Author: CarsonF

src/common/session.ts

@@ -49,9 +49,11 @@ export class SessionPipe implements PipeTransform {
   }
 }
 
+/** @deprecated */
 export const LoggedInSession = () =>
   AnonSession({ transform: loggedInSession });
 
+/** @deprecated */
 export const AnonSession =
   (...pipes: Array<Type<PipeTransform> | PipeTransform>): ParameterDecorator =>
   (...args) => {

src/components/authentication/anonymous.decorator.ts

@@ -0,0 +1,7 @@
+import { createMetadataDecorator } from '@seedcompany/nest';
+
+export const LoggedIn = () => Anonymous(false);
+export const Anonymous = createMetadataDecorator({
+  setter: (anonymous = true) => anonymous,
+  types: ['class', 'method'],
+});

src/components/authentication/index.ts

@@ -1,2 +1,3 @@
 export * from './authentication.service';
 export { SessionHost } from './session.host';
+export * from './anonymous.decorator';

src/components/authentication/login.resolver.ts

@@ -12,6 +12,7 @@ import { Privileges } from '../authorization';
 import { Power } from '../authorization/dto';
 import { UserLoader } from '../user';
 import { User } from '../user/dto';
+import { Anonymous } from './anonymous.decorator';
 import { AuthenticationService } from './authentication.service';
 import { LoginInput, LoginOutput, LogoutOutput } from './dto';
 
@@ -28,6 +29,7 @@ export class LoginResolver {
       @sensitive-secrets
     `,
   })
+  @Anonymous()
   async login(
     @Args('input') input: LoginInput,
     @AnonSession() session: Session,
@@ -43,6 +45,7 @@ export class LoginResolver {
       @sensitive-secrets
     `,
   })
+  @Anonymous()
   async logout(@AnonSession() session: Session): Promise<LogoutOutput> {
     await this.authentication.logout(session.token);
     await this.authentication.refreshCurrentSession(); // ensure session data is fresh

src/components/authentication/password.resolver.ts

@@ -1,6 +1,7 @@
 import { Args, Mutation, Resolver } from '@nestjs/graphql';
 import { stripIndent } from 'common-tags';
 import { AnonSession, LoggedInSession, type Session } from '~/common';
+import { Anonymous } from './anonymous.decorator';
 import { AuthenticationService } from './authentication.service';
 import {
   ChangePasswordArgs,
@@ -45,6 +46,7 @@ export class PasswordResolver {
       @sensitive-secrets
     `,
   })
+  @Anonymous()
   async resetPassword(
     @Args('input') input: ResetPasswordInput,
     @AnonSession() session: Session,

src/components/authentication/register.resolver.ts

@@ -12,6 +12,7 @@ import { Privileges } from '../authorization';
 import { Power } from '../authorization/dto';
 import { UserLoader } from '../user';
 import { User } from '../user/dto';
+import { Anonymous } from './anonymous.decorator';
 import { AuthenticationService } from './authentication.service';
 import { RegisterInput, RegisterOutput } from './dto';
 
@@ -28,6 +29,7 @@ export class RegisterResolver {
       @sensitive-secrets
     `,
   })
+  @Anonymous()
   async register(
     @Args('input') input: RegisterInput,
     @AnonSession() session: Session,

src/components/authentication/session.interceptor.ts

@@ -7,7 +7,7 @@ import {
   type NestInterceptor,
 } from '@nestjs/common';
 import { GqlExecutionContext } from '@nestjs/graphql';
-import { csv } from '@seedcompany/common';
+import { csv, type FnLike } from '@seedcompany/common';
 import { AsyncLocalStorage } from 'async_hooks';
 import { BehaviorSubject } from 'rxjs';
 import {
@@ -21,9 +21,11 @@ import {
   type Session,
   UnauthenticatedException,
 } from '~/common';
+import { loggedInSession as verifyLoggedIn } from '~/common/session';
 import { ConfigService } from '~/core';
 import { GlobalHttpHook, type IRequest } from '~/core/http';
 import { rolesForScope } from '../authorization/dto';
+import { Anonymous } from './anonymous.decorator';
 import { AuthenticationService } from './authentication.service';
 import { SessionHost } from './session.host';
 
@@ -64,14 +66,28 @@ export class SessionInterceptor implements NestInterceptor {
 
     const type = executionContext.getType();
 
+    let isMutation = true;
     let session;
     if (type === 'graphql') {
+      const gqlExecutionContext = GqlExecutionContext.create(executionContext);
+      const op = gqlExecutionContext.getInfo().operation;
+      isMutation = op.operation === 'mutation';
       session = await this.handleGql(executionContext);
     } else if (type === 'http') {
+      const request = executionContext.switchToHttp().getRequest();
+      isMutation = request.method !== 'GET' && request.method !== 'HEAD';
       session = await this.handleHttp(executionContext);
     }
     session$.next(session);
 
+    const allowAnonymous =
+      Anonymous.get(executionContext.getHandler() as FnLike) ??
+      Anonymous.get(executionContext.getClass()) ??
+      !isMutation;
+    if (!allowAnonymous && session) {
+      verifyLoggedIn(session);
+    }
+
     return next.handle();
   }