Add Auth Interceptor (#742)

* Add Auth Interceptor to handle Bearer Token

* Improve BYPASS_LOADING context

* client,server: update packages

Author: avine

client/package-lock.json

@@ -53,7 +53,7 @@
     "canvas-confetti": "^1.9.3",
     "date-fns": "^4.1.0",
     "echarts": "^5.6.0",
-    "firebase": "^11.3.1",
+    "firebase": "^11.4.0",
     "js-cookie": "^3.0.5",
     "ngx-echarts": "^19.0.0",
     "rxjs": "~7.8.2",
@@ -77,7 +77,7 @@
     "eslint": "^9.21.0",
     "eslint-config-prettier": "^10.0.2",
     "eslint-plugin-prettier": "^5.2.3",
-    "firebase-tools": "^13.31.2",
+    "firebase-tools": "^13.32.0",
     "jest": "^29.7.0",
     "jest-preset-angular": "^14.5.3",
     "postcss": "^8.5.3",

client/package.json

@@ -5,6 +5,7 @@ import { provideRouter, withComponentInputBinding, withInMemoryScrolling, withVi
 import { environment } from '../environments/environment';
 import { routes } from './app.routes';
 import { provideAuth } from './shared/auth';
+import { authInterceptor } from './shared/auth/auth.interceptor';
 import { provideBaseHref } from './shared/base-href';
 import { provideFirebaseEmulator } from './shared/firebase';
 import { provideLanguage } from './shared/i18n/language';
@@ -23,7 +24,7 @@ export const appConfig: ApplicationConfig = {
       withViewTransitions(),
       withInMemoryScrolling({ scrollPositionRestoration: 'enabled' }),
     ),
-    provideHttpClient(withFetch(), withInterceptors([loadingInterceptor])),
+    provideHttpClient(withFetch(), withInterceptors([authInterceptor, loadingInterceptor])),
     provideAnimationsAsync(),
     provideMatPaginatorIntl(),
     provideBaseHref(),

client/src/app/app.config.ts

@@ -1,3 +1,9 @@
+import { HttpContext, HttpContextToken } from '@angular/common/http';
+
 export const AUTH_REDIRECT_PARAM = 'redirect';
 
 export const AUTH_REDIRECT_BYPASS_URL = '/home';
+
+export const BYPASS_AUTHORIZATION = new HttpContextToken(() => false);
+
+export const BYPASS_AUTHORIZATION_CONTEXT = new HttpContext().set(BYPASS_AUTHORIZATION, true);

client/src/app/shared/auth/auth.config.ts

@@ -0,0 +1,15 @@
+import { HttpInterceptorFn } from '@angular/common/http';
+import { inject } from '@angular/core';
+import { concatMap } from 'rxjs';
+import { environment } from '../../../environments/environment';
+import { BYPASS_AUTHORIZATION } from './auth.config';
+import { AuthService } from './auth.service';
+
+export const authInterceptor: HttpInterceptorFn = (req, next) => {
+  if (!req.url.startsWith(environment.apiBaseUrl) || req.context.get(BYPASS_AUTHORIZATION)) {
+    return next(req);
+  }
+  return inject(AuthService)
+    .getIdToken()
+    .pipe(concatMap((idToken) => next(req.clone({ headers: req.headers.set('Authorization', `Bearer ${idToken}`) }))));
+};

client/src/app/shared/auth/auth.interceptor.ts

@@ -10,7 +10,7 @@ import {
   signInWithEmailAndPassword,
   signInWithPopup,
 } from 'firebase/auth';
-import { Observable, catchError, concatMap, filter, first, from, map, of, switchMap, tap } from 'rxjs';
+import { Observable, catchError, concatMap, filter, first, from, map, of, tap } from 'rxjs';
 import { FirebaseService } from '../firebase';
 import { AUTH_REDIRECT_PARAM } from './auth.config';
 import { UserStatus } from './auth.types';
@@ -112,11 +112,4 @@ export class AuthService {
   getIdToken(): Observable<string | null> {
     return from(this._user()?.getIdToken() ?? Promise.resolve(null));
   }
-
-  withBearerIdToken<T>(requestFactory: (headers: { Authorization: string }) => Observable<T>) {
-    return this.getIdToken().pipe(
-      map((idToken) => ({ Authorization: `Bearer ${idToken}` })),
-      switchMap(requestFactory),
-    );
-  }
 }

client/src/app/shared/auth/auth.service.ts

@@ -1,10 +1,10 @@
-import { HttpClient, HttpContext } from '@angular/common/http';
+import { HttpClient } from '@angular/common/http';
 import { Injectable, computed, inject, signal } from '@angular/core';
 import { takeUntilDestroyed, toObservable } from '@angular/core/rxjs-interop';
 import { EMPTY, filter, switchMap, tap } from 'rxjs';
 import { environment } from '../../../environments/environment';
 import { AuthService } from '../auth';
-import { BYPASS_LOADING } from '../loading';
+import { BYPASS_LOADING_CONTEXT } from '../loading';
 import { UpdateManagerDto } from './employee.dto';
 import { EmployeeData } from './employee.types';
 import { isManager, updateEmployeeData } from './employee.utils';
@@ -40,21 +40,14 @@ export class EmployeeService {
   }
 
   private fetchData() {
-    return this.authService.withBearerIdToken((headers) =>
-      this.httpClient.get<EmployeeData>(`${this.apiBaseUrl}/employee`, {
-        headers,
-        // This request is executed when the page is loaded and is used initially to control the display of the
-        // "Manager" link in the header. This should not block the UI because of the loading spinner.
-        context: new HttpContext().set(BYPASS_LOADING, true),
-      }),
-    );
+    // This request is executed when the page is loaded and is used initially to control the display of the
+    // "Manager" link in the header. This should not block the UI because of the loading spinner.
+    return this.httpClient.get<EmployeeData>(`${this.apiBaseUrl}/employee`, { context: BYPASS_LOADING_CONTEXT });
   }
 
   updateManager(managerEmail: string) {
-    return this.authService.withBearerIdToken((headers) =>
-      this.httpClient
-        .post<void>(`${this.apiBaseUrl}/employee/manager`, { managerEmail } as UpdateManagerDto, { headers })
-        .pipe(tap(() => this._data.update((data) => updateEmployeeData(data, { managerEmail })))),
-    );
+    return this.httpClient
+      .post<void>(`${this.apiBaseUrl}/employee/manager`, { managerEmail } as UpdateManagerDto)
+      .pipe(tap(() => this._data.update((data) => updateEmployeeData(data, { managerEmail }))));
   }
 }

client/src/app/shared/employee/employee.service.ts

@@ -2,7 +2,7 @@ import { HttpClient, HttpErrorResponse } from '@angular/common/http';
 import { Injectable, inject } from '@angular/core';
 import { Observable, catchError, map, of } from 'rxjs';
 import { environment } from '../../../environments/environment';
-import { AuthService } from '../auth';
+import { BYPASS_AUTHORIZATION_CONTEXT } from '../auth';
 import {
   FeedbackArchiveRequestDto,
   FeedbackRequestAgainDto,
@@ -31,72 +31,66 @@ import {
 export class FeedbackService {
   private httpClient = inject(HttpClient);
 
-  private authService = inject(AuthService);
-
   private apiBaseUrl = environment.apiBaseUrl;
 
   // ----- Request feedback and give requested feedback -----
 
   // The cookie `app-locale-id` must be provided (using the `withCredentials` option)
   // so that the server can determine the language to be used in the emails.
   request(dto: FeedbackRequestDto): Observable<{ error: boolean; message?: 'invalid_email' }> {
-    return this.authService.withBearerIdToken((headers) =>
-      this.httpClient.post<void>(`${this.apiBaseUrl}/feedback/request`, dto, { headers, withCredentials: true }).pipe(
-        map(() => ({ error: false })),
-        catchError(({ error }: HttpErrorResponse) => of({ error: true, message: error?.message })),
-      ),
+    return this.httpClient.post<void>(`${this.apiBaseUrl}/feedback/request`, dto, { withCredentials: true }).pipe(
+      map(() => ({ error: false })),
+      catchError(({ error }: HttpErrorResponse) => of({ error: true, message: error?.message })),
     );
   }
 
   // The cookie `app-locale-id` must be provided (using the `withCredentials` option)
   // so that the server can determine the language to be used in the emails.
   requestAgain(feedbackId: string) {
-    return this.authService.withBearerIdToken((headers) =>
-      this.httpClient.post<void>(
-        `${this.apiBaseUrl}/feedback/request-again`,
-        { feedbackId } satisfies FeedbackRequestAgainDto,
-        { headers, withCredentials: true },
-      ),
+    return this.httpClient.post<void>(
+      `${this.apiBaseUrl}/feedback/request-again`,
+      { feedbackId } satisfies FeedbackRequestAgainDto,
+      { withCredentials: true },
     );
   }
 
   archiveRequest(feedbackId: string): Observable<{ error: boolean; message?: 'Forbidden' }> {
-    return this.authService.withBearerIdToken((headers) =>
-      this.httpClient
-        .post<void>(`${this.apiBaseUrl}/feedback/archive-request`, { feedbackId } satisfies FeedbackArchiveRequestDto, {
-          headers,
-        })
-        .pipe(
-          map(() => ({ error: false })),
-          catchError(({ error }: HttpErrorResponse) => {
-            const isForbidden = (error?.message as 'Bad Request' | 'Forbidden') === 'Forbidden';
-            return of({ error: true, message: isForbidden ? ('Forbidden' as const) : undefined });
-          }),
-        ),
-    );
+    return this.httpClient
+      .post<void>(`${this.apiBaseUrl}/feedback/archive-request`, { feedbackId } satisfies FeedbackArchiveRequestDto)
+      .pipe(
+        map(() => ({ error: false })),
+        catchError(({ error }: HttpErrorResponse) => {
+          const isForbidden = (error?.message as 'Bad Request' | 'Forbidden') === 'Forbidden';
+          return of({ error: true, message: isForbidden ? ('Forbidden' as const) : undefined });
+        }),
+      );
   }
 
   checkRequest(token: string) {
     return this.httpClient.get<{ request: FeedbackRequest; draft?: FeedbackRequestDraft }>(
       `${this.apiBaseUrl}/feedback/check-request/${token}`,
+      { context: BYPASS_AUTHORIZATION_CONTEXT },
     );
   }
 
   revealRequestTokenId(feedbackId: string) {
-    return this.authService.withBearerIdToken((headers) =>
-      this.httpClient.get<TokenObject>(`${this.apiBaseUrl}/feedback/reveal-request-token/${feedbackId}`, { headers }),
-    );
+    return this.httpClient.get<TokenObject>(`${this.apiBaseUrl}/feedback/reveal-request-token/${feedbackId}`);
   }
 
   giveRequestedDraft(dto: GiveRequestedFeedbackDto) {
-    return this.httpClient.post<void>(`${this.apiBaseUrl}/feedback/give-requested/draft`, dto);
+    return this.httpClient.post<void>(`${this.apiBaseUrl}/feedback/give-requested/draft`, dto, {
+      context: BYPASS_AUTHORIZATION_CONTEXT,
+    });
   }
 
   // The cookie `app-locale-id` must be provided (using the `withCredentials` option)
   // so that the server can determine the language to be used in the emails.
   giveRequested(dto: GiveRequestedFeedbackDto) {
     return this.httpClient
-      .post<void>(`${this.apiBaseUrl}/feedback/give-requested`, dto, { withCredentials: true })
+      .post<void>(`${this.apiBaseUrl}/feedback/give-requested`, dto, {
+        context: BYPASS_AUTHORIZATION_CONTEXT,
+        withCredentials: true,
+      })
       .pipe(
         map(() => true),
         catchError(() => of(false)),
@@ -107,30 +101,24 @@ export class FeedbackService {
 
   // Note: use the `FeedbackDraftService` wrapper to access this method
   getDraftList() {
-    return this.authService.withBearerIdToken((headers) =>
-      this.httpClient.get<FeedbackDraft[]>(`${this.apiBaseUrl}/feedback/give/draft`, { headers }),
-    );
+    return this.httpClient.get<FeedbackDraft[]>(`${this.apiBaseUrl}/feedback/give/draft`);
   }
 
   // Note: use the `FeedbackDraftService` wrapper to access this method
   giveDraft(dto: GiveFeedbackDto) {
-    return this.authService.withBearerIdToken((headers) =>
-      this.httpClient.post<void>(`${this.apiBaseUrl}/feedback/give/draft`, dto, { headers }),
-    );
+    return this.httpClient.post<void>(`${this.apiBaseUrl}/feedback/give/draft`, dto);
   }
 
   // The cookie `app-locale-id` must be provided (using the `withCredentials` option)
   // so that the server can determine the language to be used in the emails.
   give(dto: GiveFeedbackDto): Observable<IdObject | { id: undefined; error: true; message?: 'invalid_email' }> {
-    return this.authService.withBearerIdToken((headers) =>
-      this.httpClient.post<IdObject>(`${this.apiBaseUrl}/feedback/give`, dto, { headers, withCredentials: true }).pipe(
-        catchError(({ error }: HttpErrorResponse) =>
-          of({
-            id: undefined,
-            error: true as const,
-            message: error.message,
-          }),
-        ),
+    return this.httpClient.post<IdObject>(`${this.apiBaseUrl}/feedback/give`, dto, { withCredentials: true }).pipe(
+      catchError(({ error }: HttpErrorResponse) =>
+        of({
+          id: undefined,
+          error: true as const,
+          message: error.message,
+        }),
       ),
     );
   }
@@ -139,50 +127,34 @@ export class FeedbackService {
 
   // Note: use the `FeedbackDraftService` wrapper to access this method
   deleteDraft(type: FeedbackDraftType | FeedbackRequestDraftType, receiverEmailOrToken: string) {
-    return this.authService.withBearerIdToken((headers) =>
-      this.httpClient.delete<void>(`${this.apiBaseUrl}/feedback/draft/${type}/${receiverEmailOrToken}`, { headers }),
-    );
+    return this.httpClient.delete<void>(`${this.apiBaseUrl}/feedback/draft/${type}/${receiverEmailOrToken}`);
   }
 
   // ----- Archive feedback (with status "done") -----
 
   archive(feedbackId: string) {
-    return this.authService.withBearerIdToken((headers) =>
-      this.httpClient.post<void>(`${this.apiBaseUrl}/feedback/archive/${feedbackId}`, {}, { headers }),
-    );
+    return this.httpClient.post<void>(`${this.apiBaseUrl}/feedback/archive/${feedbackId}`, {});
   }
 
   // ----- View feedbacks (requested and given) -----
 
   getListMap(types: FeedbackListType[]) {
-    return this.authService.withBearerIdToken((headers) =>
-      this.httpClient.get<FeedbackListMap>(`${this.apiBaseUrl}/feedback/list-map`, {
-        headers,
-        params: { types: types.join() },
-      }),
-    );
+    return this.httpClient.get<FeedbackListMap>(`${this.apiBaseUrl}/feedback/list-map`, {
+      params: { types: types.join() },
+    });
   }
 
   getDocument(id: string) {
-    return this.authService.withBearerIdToken((headers) =>
-      this.httpClient.get<Feedback | FeedbackRequest | null>(`${this.apiBaseUrl}/feedback/document/${id}`, { headers }),
-    );
+    return this.httpClient.get<Feedback | FeedbackRequest | null>(`${this.apiBaseUrl}/feedback/document/${id}`);
   }
 
   getSharedFeedbackList(managedEmail: string) {
-    return this.authService.withBearerIdToken((headers) =>
-      this.httpClient.get<(FeedbackItem | FeedbackRequestItem)[]>(
-        `${this.apiBaseUrl}/feedback/shared/list/${managedEmail}`,
-        { headers },
-      ),
+    return this.httpClient.get<(FeedbackItem | FeedbackRequestItem)[]>(
+      `${this.apiBaseUrl}/feedback/shared/list/${managedEmail}`,
     );
   }
 
   getSharedFeedbackDocument(id: string) {
-    return this.authService.withBearerIdToken((headers) =>
-      this.httpClient.get<Feedback | FeedbackRequest>(`${this.apiBaseUrl}/feedback/shared/document/${id}`, {
-        headers,
-      }),
-    );
+    return this.httpClient.get<Feedback | FeedbackRequest>(`${this.apiBaseUrl}/feedback/shared/document/${id}`);
   }
 }

client/src/app/shared/feedback/feedback.service.ts

@@ -1,3 +1,5 @@
-import { HttpContextToken } from '@angular/common/http';
+import { HttpContext, HttpContextToken } from '@angular/common/http';
 
 export const BYPASS_LOADING = new HttpContextToken(() => false);
+
+export const BYPASS_LOADING_CONTEXT = new HttpContext().set(BYPASS_LOADING, true);

client/src/app/shared/loading/loading.config.ts

@@ -1,9 +1,8 @@
-import { HttpClient, HttpContext } from '@angular/common/http';
+import { HttpClient } from '@angular/common/http';
 import { Injectable, inject } from '@angular/core';
 import { Observable, catchError, of } from 'rxjs';
 import { environment } from '../../../environments/environment';
-import { AuthService } from '../auth/auth.service';
-import { BYPASS_LOADING } from '../loading';
+import { BYPASS_LOADING_CONTEXT } from '../loading';
 import { Person } from './people.types';
 
 @Injectable({
@@ -12,19 +11,14 @@ import { Person } from './people.types';
 export class PeopleService {
   private httpClient = inject(HttpClient);
 
-  private authService = inject(AuthService);
-
   private apiBaseUrl = environment.apiBaseUrl;
 
   search(query: string): Observable<Person[]> {
-    return this.authService
-      .withBearerIdToken((headers) =>
-        this.httpClient.get<Person[]>(`${this.apiBaseUrl}/people/search`, {
-          headers,
-          params: { query },
-          context: new HttpContext().set(BYPASS_LOADING, true),
-        }),
-      )
+    return this.httpClient
+      .get<Person[]>(`${this.apiBaseUrl}/people/search`, {
+        params: { query },
+        context: BYPASS_LOADING_CONTEXT,
+      })
       .pipe(catchError(() => of([])));
   }
 }