feat(api): make the permissions field optional for the access token (#36)

Fixes #35

Author: akdasa

modules/libs/protocol/auth.ts

@@ -39,7 +39,14 @@ export interface JwtToken {
 }
 
 export interface AccessToken extends JwtToken {
-  permissions: UserPermission[];
+  /**
+   * User permissions.
+   * @remarks This is an optional field. If not provided, service
+   *          should check the user's permissions from the database.
+   *          This is useful during development to avoid unnecessary
+   *          token refreshes.
+   */
+  permissions?: UserPermission[];
 }
 
 export interface RefreshToken extends JwtToken {
@@ -99,7 +106,6 @@ export interface LogOutResponse {
 
 /**
  * Permission object. Contains the organization ID, school ID, and permission.
- * 
  * @remarks Used short names for the properties to reduce the size of a JWT token.
  */
 export type UserPermission = {

modules/services/api/src/app.module.ts

@@ -4,6 +4,7 @@ import { Module } from '@nestjs/common';
 import { ConfigModule, ConfigType } from '@nestjs/config';
 import { TypeOrmModule } from '@nestjs/typeorm';
 import {
+  AuthConfig,
   DbConfig,
   JwtConfig,
   OtpConfig,
@@ -19,7 +20,7 @@ import { OrganizationsService } from './edu/services/organizations.service';
   imports: [
     ConfigModule.forRoot({
       isGlobal: true,
-      load: [DbConfig, OtpConfig, RedisConfig, JwtConfig],
+      load: [DbConfig, OtpConfig, RedisConfig, JwtConfig, AuthConfig],
     }),
     AutomapperModule.forRoot({
       strategyInitializer: classes(),

modules/services/api/src/auth/auth.module.ts

@@ -1,21 +1,21 @@
 import { Module } from '@nestjs/common';
 import { JwtModule } from '@nestjs/jwt';
 import { TypeOrmModule } from '@nestjs/typeorm';
-import { User } from '@vidya/entities';
+import { Role, User, UserRole } from '@vidya/entities';
 
 import { LoginController } from './controllers/login.controller';
 import { OtpController } from './controllers/otp.controller';
 import { ProfileController } from './controllers/profile.controller';
 import { TokensController } from './controllers/tokens.controller';
 import { AuthRolesMappingProfile } from './mappers/roles.mapper';
 import { AuthService } from './services/auth.service';
+import { AuthUsersService } from './services/auth-users.service';
 import { OtpService } from './services/otp.service';
 import { RevokedTokensService } from './services/revokedTokens.service';
-import { UsersService } from './services/users.service';
 
 @Module({
   imports: [
-    TypeOrmModule.forFeature([User]),
+    TypeOrmModule.forFeature([User, Role, UserRole]),
     JwtModule.register({ global: true }),
   ],
   controllers: [
@@ -26,11 +26,10 @@ import { UsersService } from './services/users.service';
   ],
   providers: [
     OtpService,
-    UsersService,
+    AuthUsersService,
     AuthService,
     RevokedTokensService,
     AuthRolesMappingProfile,
   ],
-  exports: [RevokedTokensService],
 })
 export class AuthModule {}

modules/services/api/src/auth/controllers/login.controller.ts

@@ -1,12 +1,12 @@
-import { Mapper } from '@automapper/core';
-import { InjectMapper } from '@automapper/nestjs';
 import {
   Body,
   Controller,
+  Inject,
   Post,
   UnauthorizedException,
   UseGuards,
 } from '@nestjs/common';
+import { ConfigType } from '@nestjs/config';
 import {
   ApiBadRequestResponse,
   ApiBearerAuth,
@@ -21,22 +21,23 @@ import * as dto from '@vidya/api/auth/dto';
 import { AuthenticatedUser } from '@vidya/api/auth/guards';
 import {
   AuthService,
+  AuthUsersService,
   OtpService,
   RevokedTokensService,
-  UsersService,
 } from '@vidya/api/auth/services';
-import * as entities from '@vidya/entities';
+import { AuthConfig } from '@vidya/api/configs';
 import { JwtToken, OtpType, Routes } from '@vidya/protocol';
 
 @Controller()
 @ApiTags('Authentication')
 export class LoginController {
   constructor(
+    @Inject(AuthConfig.KEY)
+    private readonly authConfig: ConfigType<typeof AuthConfig>,
     private readonly otpService: OtpService,
-    private readonly usersService: UsersService,
+    private readonly usersService: AuthUsersService,
     private readonly authService: AuthService,
     private readonly revokedTokensService: RevokedTokensService,
-    @InjectMapper() private readonly mapper: Mapper,
   ) {}
 
   /* -------------------------------------------------------------------------- */
@@ -66,7 +67,7 @@ export class LoginController {
   async loginWithOtp(
     @Body() request: dto.OtpLogInRequest,
   ): Promise<dto.OtpLogInResponse> {
-    // TODO: rate limit login attempts
+    // TODO rate limit login attempts
 
     // validate OTP, if invalid send 401 Unauthorized response
     const otp = await this.otpService.validate(request.login, request.otp);
@@ -85,7 +86,9 @@ export class LoginController {
     );
     const tokens = await this.authService.generateTokens(
       user.id,
-      this.mapper.mapArray(user.roles, entities.Role, dto.UserPermission),
+      this.authConfig.savePermissionsInJwtToken
+        ? await this.usersService.getUserPermissions(user.id)
+        : undefined,
     );
 
     return new dto.OtpLogInResponse({

modules/services/api/src/auth/controllers/profile.controller.ts

@@ -14,13 +14,13 @@ import {
 import { UserId } from '@vidya/api/auth/decorators';
 import * as dto from '@vidya/api/auth/dto';
 import { AuthenticatedUser } from '@vidya/api/auth/guards';
-import { UsersService } from '@vidya/api/auth/services';
+import { AuthUsersService } from '@vidya/api/auth/services';
 import { Routes } from '@vidya/protocol';
 
 @Controller()
 @ApiTags('User')
 export class ProfileController {
-  constructor(private readonly usersService: UsersService) {}
+  constructor(private readonly usersService: AuthUsersService) {}
 
   /* -------------------------------------------------------------------------- */
   /*                              GET /auth/profile                             */

modules/services/api/src/auth/controllers/tokens.controller.ts

@@ -1,5 +1,3 @@
-import { Mapper } from '@automapper/core';
-import { InjectMapper } from '@automapper/nestjs';
 import {
   Body,
   Controller,
@@ -17,10 +15,9 @@ import {
 import * as dto from '@vidya/api/auth/dto';
 import {
   AuthService,
+  AuthUsersService,
   RevokedTokensService,
-  UsersService,
 } from '@vidya/api/auth/services';
-import * as entities from '@vidya/entities';
 import { Routes } from '@vidya/protocol';
 
 @Controller()
@@ -29,8 +26,7 @@ export class TokensController {
   constructor(
     private readonly revokedTokensService: RevokedTokensService,
     private readonly authService: AuthService,
-    private readonly usersService: UsersService,
-    @InjectMapper() private readonly mapper: Mapper,
+    private readonly usersService: AuthUsersService,
   ) {}
 
   /* -------------------------------------------------------------------------- */
@@ -88,7 +84,7 @@ export class TokensController {
     // generate new tokens
     const tokens = await this.authService.generateTokens(
       refreshToken.sub,
-      this.mapper.mapArray(user.roles, entities.Role, dto.UserPermission),
+      await this.usersService.getUserPermissions(user.id),
     );
     return new dto.RefreshTokensResponse({
       accessToken: tokens.accessToken,

modules/services/api/src/auth/decorators/user-permissions.decorator.ts

@@ -1,19 +1,11 @@
-import {
-  createParamDecorator,
-  ExecutionContext,
-  UnauthorizedException,
-} from '@nestjs/common';
-import { UserPermissions } from '@vidya/api/auth/utils';
-import { AccessToken } from '@vidya/protocol';
+import { createParamDecorator, ExecutionContext } from '@nestjs/common';
+import { UserPermissions, VidyaRequest } from '@vidya/api/auth/utils';
 
 export const UserWithPermissions = createParamDecorator(
   (data, ctx: ExecutionContext) => {
-    const accessToken: AccessToken = ctx
+    const userPermissions = ctx
       .switchToHttp()
-      .getRequest().accessToken;
-    if (!accessToken) {
-      throw new UnauthorizedException('Access token not found');
-    }
-    return new UserPermissions(accessToken.permissions);
+      .getRequest<VidyaRequest>().userPermissions;
+    return new UserPermissions(userPermissions);
   },
 );

modules/services/api/src/auth/guards/authenticated-user.guard.ts

@@ -7,47 +7,60 @@ import {
 } from '@nestjs/common';
 import { ConfigType } from '@nestjs/config';
 import { JwtService } from '@nestjs/jwt';
+import {
+  AuthUsersService,
+  RevokedTokensService,
+} from '@vidya/api/auth/services';
+import { VidyaRequest } from '@vidya/api/auth/utils';
 import { JwtConfig } from '@vidya/api/configs';
-import { JwtToken } from '@vidya/protocol';
-import { Request } from 'express';
-
-import { RevokedTokensService } from '../services/revokedTokens.service';
+import { AccessToken } from '@vidya/protocol';
 
 @Injectable()
 export class AuthenticatedUser implements CanActivate {
   constructor(
     @Inject(JwtConfig.KEY)
     private readonly jwtConfig: ConfigType<typeof JwtConfig>,
     private readonly jwtService: JwtService,
-    private readonly revoketTokensService: RevokedTokensService,
+    private readonly revokedTokensService: RevokedTokensService,
+    private readonly usersService: AuthUsersService,
   ) {}
 
   async canActivate(context: ExecutionContext): Promise<boolean> {
-    const request = context.switchToHttp().getRequest();
+    const request = context.switchToHttp().getRequest<VidyaRequest>();
     const token = this.extractTokenFromHeader(request);
     if (!token) {
       throw new UnauthorizedException();
     }
 
     try {
-      const payload = await this.jwtService.verifyAsync<JwtToken>(token, {
-        secret: this.jwtConfig.secret,
-      });
+      // Verify the token and extract the payload
+      const accessToken = await this.jwtService.verifyAsync<AccessToken>(
+        token,
+        {
+          secret: this.jwtConfig.secret,
+        },
+      );
 
-      const isTokenRevoked = await this.revoketTokensService.isRevoked(payload);
+      // Check if the token has been revoked
+      const isTokenRevoked =
+        await this.revokedTokensService.isRevoked(accessToken);
       if (isTokenRevoked) {
         throw new UnauthorizedException();
       }
 
-      request['accessToken'] = payload;
-      request['userId'] = payload.sub;
+      // Attach the user id and permissions to the request object
+      request.userId = accessToken.sub;
+      request.accessToken = accessToken;
+      request.userPermissions = accessToken.permissions
+        ? accessToken.permissions
+        : await this.usersService.getUserPermissions(accessToken.sub);
     } catch {
       throw new UnauthorizedException();
     }
     return true;
   }
 
-  private extractTokenFromHeader(request: Request): string | undefined {
+  private extractTokenFromHeader(request: VidyaRequest): string | undefined {
     const [type, token] = request.headers.authorization?.split(' ') ?? [];
     return type === 'Bearer' ? token : undefined;
   }

modules/services/api/src/auth/services/auth-users.service.ts

@@ -0,0 +1,80 @@
+import { Mapper } from '@automapper/core';
+import { InjectMapper } from '@automapper/nestjs';
+import { Injectable } from '@nestjs/common';
+import { InjectRepository } from '@nestjs/typeorm';
+import * as dto from '@vidya/api/auth/dto';
+import { Role, User } from '@vidya/entities';
+import * as entities from '@vidya/entities';
+import { UserPermission } from '@vidya/protocol';
+import { Repository } from 'typeorm';
+
+export type LoginField = 'email' | 'phone';
+
+@Injectable()
+export class AuthUsersService {
+  /**
+   * Creates an instance of AuthUsersService.
+   * @param users Users repository
+   * @param roles Rples repository
+   * @param mapper Mapper instance
+   */
+  constructor(
+    @InjectRepository(User) private readonly users: Repository<User>,
+    @InjectRepository(Role) private readonly roles: Repository<Role>,
+    @InjectMapper() private readonly mapper: Mapper,
+  ) {}
+
+  /**
+   * Finds a user by id.
+   * @param id Id of the user
+   * @returns User with the given id or null if not found
+   */
+  async findById(id: string): Promise<User | null> {
+    return await this.users.findOne({ where: { id }, relations: ['roles'] });
+  }
+
+  /**
+   * Gets a user by login or creates a new one if not found.
+   * @param field Field to search by
+   * @param login Login value
+   * @returns User with the given login or null if not found
+   */
+  async getOrCreateByLogin(field: LoginField, login: string): Promise<User> {
+    const existingUser = await this.users.findOne({
+      where: { [field]: login },
+      relations: ['roles'],
+    });
+    if (existingUser) {
+      return existingUser;
+    }
+
+    const newUser = this.users.create({
+      [field]: login,
+      roles: [],
+    });
+    return await this.users.save(newUser);
+  }
+
+  /**
+   * Gets roles of a user.
+   * @param userId Id of the user
+   * @returns Roles of the user
+   */
+  async getRolesOfUser(userId: string): Promise<Role[]> {
+    return await this.roles
+      .createQueryBuilder('role')
+      .innerJoin('role.userRoles', 'userRole')
+      .where('userRole.userId = :userId', { userId })
+      .getMany();
+  }
+
+  /**
+   * Gets user permissions.
+   * @param userId User id
+   * @returns User permissions
+   */
+  async getUserPermissions(userId: string): Promise<UserPermission[]> {
+    const userRoles = await this.getRolesOfUser(userId);
+    return this.mapper.mapArray(userRoles, entities.Role, dto.UserPermission);
+  }
+}