Merge pull request #3427 from SeedCompany/session-host

Author: CarsonF

src/common/context.type.ts

@@ -1,7 +1,5 @@
 import { type OperationDefinitionNode } from 'graphql';
-import { type BehaviorSubject } from 'rxjs';
 import type { IRequest, IResponse } from '~/core/http';
-import { type Session } from './session';
 
 /**
  * The type for graphql @Context() decorator
@@ -10,5 +8,4 @@ export interface GqlContextType {
   operation: OperationDefinitionNode;
   request?: IRequest;
   response?: IResponse;
-  readonly session$: BehaviorSubject<Session | undefined>;
 }

src/common/session.ts

@@ -1,16 +1,15 @@
 import {
-  createParamDecorator,
-  type ExecutionContext,
+  Injectable,
+  Param,
   type PipeTransform,
   type Type,
 } from '@nestjs/common';
 import { CONTROLLER_WATERMARK } from '@nestjs/common/constants.js';
 import { Context } from '@nestjs/graphql';
 import { uniq } from 'lodash';
 import { type DateTime } from 'luxon';
-import { NoSessionException } from '../components/authentication/no-session.exception';
+import { SessionHost } from '../components/authentication/session.host';
 import { type ScopedRole } from '../components/authorization/dto';
-import { type GqlContextType } from './context.type';
 import { UnauthenticatedException } from './exceptions';
 import { type ID } from './id-field';
 
@@ -41,38 +40,34 @@ export function loggedInSession(session: Session): Session {
   return session;
 }
 
-export const sessionFromContext = (context: GqlContextType) => {
-  const session = context.session$.value;
-  if (!session) {
-    throw new NoSessionException();
+@Injectable()
+export class SessionPipe implements PipeTransform {
+  constructor(private readonly sessionHost: SessionHost) {}
+
+  transform() {
+    return this.sessionHost.currentMaybe;
   }
-  return session;
-};
+}
 
+/** @deprecated */
 export const LoggedInSession = () =>
   AnonSession({ transform: loggedInSession });
 
+/** @deprecated */
 export const AnonSession =
   (...pipes: Array<Type<PipeTransform> | PipeTransform>): ParameterDecorator =>
   (...args) => {
-    Context({ transform: sessionFromContext }, ...pipes)(...args);
+    Context(SessionPipe, ...pipes)(...args);
     process.nextTick(() => {
       // Only set this metadata if it's a controller method.
       // Waiting for the next tick as class decorators execute after methods.
       if (Reflect.getMetadata(CONTROLLER_WATERMARK, args[0].constructor)) {
-        HttpSession(...pipes)(...args);
+        Param(SessionPipe, ...pipes)(...args);
         SessionWatermark(...args);
       }
     });
   };
 
-// Using Nest's custom decorator so that we can pass pipes.
-const HttpSession = createParamDecorator(
-  (_data: unknown, ctx: ExecutionContext) => {
-    return ctx.switchToHttp().getRequest().session;
-  },
-);
-
 const SessionWatermark: ParameterDecorator = (target, key) =>
   Reflect.defineMetadata('SESSION_WATERMARK', true, target.constructor, key!);
 

src/components/authentication/anonymous.decorator.ts

@@ -0,0 +1,7 @@
+import { createMetadataDecorator } from '@seedcompany/nest';
+
+export const LoggedIn = () => Anonymous(false);
+export const Anonymous = createMetadataDecorator({
+  setter: (anonymous = true) => anonymous,
+  types: ['class', 'method'],
+});

src/components/authentication/authentication.module.ts

@@ -1,13 +1,13 @@
 import { forwardRef, Global, Module } from '@nestjs/common';
 import { APP_INTERCEPTOR } from '@nestjs/core';
+import { SessionPipe } from '~/common/session';
 import { splitDb } from '~/core';
 import { AuthorizationModule } from '../authorization/authorization.module';
 import { UserModule } from '../user/user.module';
 import { AuthenticationGelRepository } from './authentication.gel.repository';
 import { AuthenticationRepository } from './authentication.repository';
 import { AuthenticationService } from './authentication.service';
 import { CryptoService } from './crypto.service';
-import { GelCurrentUserProvider } from './current-user.provider';
 import {
   LoginExtraInfoResolver,
   RegisterExtraInfoResolver,
@@ -16,6 +16,7 @@ import {
 import { LoginResolver } from './login.resolver';
 import { PasswordResolver } from './password.resolver';
 import { RegisterResolver } from './register.resolver';
+import { SessionHost, SessionHostImpl } from './session.host';
 import { SessionInterceptor } from './session.interceptor';
 import { SessionResolver } from './session.resolver';
 
@@ -39,10 +40,11 @@ import { SessionResolver } from './session.resolver';
     CryptoService,
     SessionInterceptor,
     { provide: APP_INTERCEPTOR, useExisting: SessionInterceptor },
-    GelCurrentUserProvider,
-    { provide: APP_INTERCEPTOR, useExisting: GelCurrentUserProvider },
+    { provide: SessionHost, useClass: SessionHostImpl },
+    SessionPipe,
   ],
   exports: [
+    SessionHost,
     SessionInterceptor,
     AuthenticationService,
     'AUTHENTICATION',

src/components/authentication/authentication.service.ts

@@ -7,7 +7,6 @@ import { DateTime } from 'luxon';
 import type { Writable } from 'ts-essentials';
 import {
   DuplicateException,
-  type GqlContextType,
   type ID,
   InputException,
   type Role,
@@ -16,7 +15,6 @@ import {
   UnauthenticatedException,
   UnauthorizedException,
 } from '~/common';
-import { sessionFromContext } from '~/common/session';
 import { ConfigService, ILogger, Logger } from '~/core';
 import { ForgotPassword } from '~/core/email/templates';
 import { disableAccessPolicies, Gel } from '~/core/gel';
@@ -28,6 +26,7 @@ import { AuthenticationRepository } from './authentication.repository';
 import { CryptoService } from './crypto.service';
 import type { LoginInput, RegisterInput, ResetPasswordInput } from './dto';
 import { NoSessionException } from './no-session.exception';
+import { SessionHost } from './session.host';
 
 interface JwtPayload {
   iat: number;
@@ -44,6 +43,7 @@ export class AuthenticationService {
     private readonly repo: AuthenticationRepository,
     private readonly gel: Gel,
     private readonly agents: SystemAgentRepository,
+    private readonly sessionHost: SessionHost,
     private readonly moduleRef: ModuleRef,
   ) {}
 
@@ -101,10 +101,10 @@ export class AuthenticationService {
     return userId;
   }
 
-  async updateSession(context: GqlContextType) {
-    const prev = sessionFromContext(context);
+  async refreshCurrentSession() {
+    const prev = this.sessionHost.current;
     const newSession = await this.resumeSession(prev.token);
-    context.session$.next(newSession);
+    this.sessionHost.current$.next(newSession);
     return newSession;
   }
 
@@ -169,10 +169,12 @@ export class AuthenticationService {
       : requesterSession;
 
     if (impersonatee) {
-      const p = this.privileges.for(requesterSession, AssignableRoles);
-      const valid = impersonatee.roles.every((role) =>
-        p.can('edit', withoutScope(role)),
-      );
+      const valid = this.sessionHost.withSession(requesterSession, () => {
+        const p = this.privileges.for(AssignableRoles);
+        return impersonatee.roles.every((role) =>
+          p.can('edit', withoutScope(role)),
+        );
+      });
       if (!valid) {
         // Don't expose what the requester is unable to do as this could leak
         // private information.
@@ -230,6 +232,15 @@ export class AuthenticationService {
     return this.repo.waitForRootUserId();
   }
 
+  async asUser<R>(
+    user: ID<'User'> | Session,
+    fn: (session: Session) => Promise<R>,
+  ): Promise<R> {
+    const session =
+      typeof user === 'string' ? await this.sessionForUser(user) : user;
+    return await this.sessionHost.withSession(session, () => fn(session));
+  }
+
   async sessionForUser(userId: ID): Promise<Session> {
     const roles = await this.repo.rolesForUser(userId);
     const session: Session = {

src/components/authentication/current-user.provider.ts

@@ -1 +1,3 @@
 export * from './authentication.service';
+export { SessionHost } from './session.host';
+export * from './anonymous.decorator';

src/components/authentication/index.ts

@@ -1,18 +1,18 @@
 import {
   Args,
-  Context,
   Mutation,
   Parent,
   ResolveField,
   Resolver,
 } from '@nestjs/graphql';
 import { stripIndent } from 'common-tags';
-import { AnonSession, type GqlContextType, type Session } from '~/common';
+import { AnonSession, type Session } from '~/common';
 import { Loader, type LoaderOf } from '~/core';
 import { Privileges } from '../authorization';
 import { Power } from '../authorization/dto';
 import { UserLoader } from '../user';
 import { User } from '../user/dto';
+import { Anonymous } from './anonymous.decorator';
 import { AuthenticationService } from './authentication.service';
 import { LoginInput, LoginOutput, LogoutOutput } from './dto';
 
@@ -29,13 +29,13 @@ export class LoginResolver {
       @sensitive-secrets
     `,
   })
+  @Anonymous()
   async login(
     @Args('input') input: LoginInput,
     @AnonSession() session: Session,
-    @Context() context: GqlContextType,
   ): Promise<LoginOutput> {
     const user = await this.authentication.login(input, session);
-    await this.authentication.updateSession(context);
+    await this.authentication.refreshCurrentSession();
     return { user };
   }
 
@@ -45,12 +45,10 @@ export class LoginResolver {
       @sensitive-secrets
     `,
   })
-  async logout(
-    @AnonSession() session: Session,
-    @Context() context: GqlContextType,
-  ): Promise<LogoutOutput> {
+  @Anonymous()
+  async logout(@AnonSession() session: Session): Promise<LogoutOutput> {
     await this.authentication.logout(session.token);
-    await this.authentication.updateSession(context); // ensure session data is fresh
+    await this.authentication.refreshCurrentSession(); // ensure session data is fresh
     return { success: true };
   }
 

src/components/authentication/login.resolver.ts

@@ -1,6 +1,7 @@
 import { Args, Mutation, Resolver } from '@nestjs/graphql';
 import { stripIndent } from 'common-tags';
 import { AnonSession, LoggedInSession, type Session } from '~/common';
+import { Anonymous } from './anonymous.decorator';
 import { AuthenticationService } from './authentication.service';
 import {
   ChangePasswordArgs,
@@ -45,6 +46,7 @@ export class PasswordResolver {
       @sensitive-secrets
     `,
   })
+  @Anonymous()
   async resetPassword(
     @Args('input') input: ResetPasswordInput,
     @AnonSession() session: Session,