feat(api): add user permissions caching and JWT token storage configuration

akdasa · akdasa · commit 930802beec8e · 2025-03-09T17:48:27.000Z
diff --git a/docs/api/Configurations.md b/docs/api/Configurations.md
@@ -0,0 +1,12 @@
+# Api Service Configurations
+
+## Environment Variables
+
+#### `VIDYA_AUTH_SAVE_PERMISSIONS_IN_JWT_TOKEN`.
+Saves user permissions in the JWT token. This will allow to keep the permissions in the token itself and avoid querying the database for each request. 
+
+#### `VIDYA_AUTH_USER_PERMISSIONS_CACHE_TTL`. 
+Time to live for the user permissions cache in seconds. Set to 0 to disable caching for development purposes for example. 
+
+- If `VIDYA_AUTH_SAVE_PERMISSIONS_IN_JWT_TOKEN` is set to `false`, then user permissions will be fetched from the database for each request and stored in cache for the specified time.
+- If `VIDYA_AUTH_SAVE_PERMISSIONS_IN_JWT_TOKEN` is set to `true`, this will be ignored and user permissions will be stored in the JWT token itself.
diff --git a/modules/libs/protocol/auth.ts b/modules/libs/protocol/auth.ts
@@ -1,6 +1,8 @@
 import * as domain from '@vidya/domain';
 import { OtpType } from "./otp";
 
+export const UserPermissionsStorageKey = (userId: string) => `users:permissions:${userId}`;
+
 /* -------------------------------------------------------------------------- */
 /*                              One Time Password                             */
 /* -------------------------------------------------------------------------- */
diff --git a/modules/services/api/src/auth/services/auth-users.service.ts b/modules/services/api/src/auth/services/auth-users.service.ts
@@ -1,17 +1,23 @@
 import { Mapper } from '@automapper/core';
 import { InjectMapper } from '@automapper/nestjs';
-import { Injectable } from '@nestjs/common';
+import { Inject, Injectable, Logger } from '@nestjs/common';
+import { ConfigType } from '@nestjs/config';
 import { InjectRepository } from '@nestjs/typeorm';
 import * as dto from '@vidya/api/auth/dto';
+import { AuthConfig, RedisConfig } from '@vidya/api/configs';
 import { Role, User } from '@vidya/entities';
 import * as entities from '@vidya/entities';
-import { UserPermission } from '@vidya/protocol';
+import { UserPermission, UserPermissionsStorageKey } from '@vidya/protocol';
+import Redis from 'ioredis';
 import { Repository } from 'typeorm';
 
 export type LoginField = 'email' | 'phone';
 
 @Injectable()
 export class AuthUsersService {
+  private readonly redis: Redis;
+  private readonly logger = new Logger(AuthUsersService.name);
+
   /**
    * Creates an instance of AuthUsersService.
    * @param users Users repository
@@ -22,7 +28,16 @@ export class AuthUsersService {
     @InjectRepository(User) private readonly users: Repository<User>,
     @InjectRepository(Role) private readonly roles: Repository<Role>,
     @InjectMapper() private readonly mapper: Mapper,
-  ) {}
+    @Inject(RedisConfig.KEY)
+    private readonly redisConfig: ConfigType<typeof RedisConfig>,
+    @Inject(AuthConfig.KEY)
+    private readonly authConfig: ConfigType<typeof AuthConfig>,
+  ) {
+    this.redis = new Redis({
+      host: redisConfig.host,
+      port: redisConfig.port,
+    });
+  }
 
   /**
    * Finds a user by id.
@@ -74,7 +89,37 @@ export class AuthUsersService {
    * @returns User permissions
    */
   async getUserPermissions(userId: string): Promise<UserPermission[]> {
-    const userRoles = await this.getRolesOfUser(userId);
-    return this.mapper.mapArray(userRoles, entities.Role, dto.UserPermission);
+    // Get permissions from cache if available
+    const permissions = await this.redis.get(UserPermissionsStorageKey(userId));
+
+    if (permissions) {
+      // Permissions are cached. Parse and return them.
+      return JSON.parse(permissions);
+    } else {
+      this.logger.verbose(`Fetching '${userId}' permissions from DB`);
+
+      // Permissions are not cached. Fetch them from the database.
+      const userRoles = await this.getRolesOfUser(userId);
+      const permissions = this.mapper.mapArray(
+        userRoles,
+        entities.Role,
+        dto.UserPermission,
+      );
+
+      // Cache the permissions if cache TTL is set to a positive value
+      // otherwise, users permissions will be fetched from the database
+      // on every request (which is good for development only)
+      if (this.authConfig.userPermissionsCacheTtl > 0) {
+        await this.redis.set(
+          UserPermissionsStorageKey(userId),
+          JSON.stringify(permissions),
+          'EX',
+          this.authConfig.userPermissionsCacheTtl,
+        );
+      }
+
+      // Return the permissions
+      return permissions;
+    }
   }
 }
diff --git a/modules/services/api/src/configs/auth.config.ts b/modules/services/api/src/configs/auth.config.ts
@@ -1,6 +1,29 @@
 import { registerAs } from '@nestjs/config';
 
 export default registerAs('auth', () => ({
+  /**
+   * Saves user permissions in the JWT token. This will allow
+   * to keep the permissions in the token itself and avoid
+   * querying the database for each request.
+   */
   savePermissionsInJwtToken:
     process.env.VIDYA_AUTH_SAVE_PERMISSIONS_IN_JWT_TOKEN === 'true',
+
+  /**
+   * Time to live for the user permissions cache in seconds.
+   * Set to 0 to disable caching for development purposes
+   * for example.
+   *
+   * If `VIDYA_AUTH_SAVE_PERMISSIONS_IN_JWT_TOKEN` is set to `false`,
+   * then user permissions will be fetched from the database for each
+   * request and stored in cache for the specified time.
+   *
+   * If `VIDYA_AUTH_SAVE_PERMISSIONS_IN_JWT_TOKEN` is set to `true`,
+   * this will be ignored and user permissions will be stored in the
+   * JWT token itself.
+   */
+  userPermissionsCacheTtl: parseInt(
+    process.env.VIDYA_AUTH_USER_PERMISSIONS_CACHE_TTL ?? '0',
+    10,
+  ),
 }));
diff --git a/modules/services/api/src/edu/shared/testing-app.ts b/modules/services/api/src/edu/shared/testing-app.ts
@@ -1,7 +1,11 @@
 import { INestApplication, ValidationPipe } from '@nestjs/common';
 import { Test } from '@nestjs/testing';
 import { AppModule } from '@vidya/api/app.module';
-import { OtpService, RevokedTokensService } from '@vidya/api/auth/services';
+import {
+  AuthUsersService,
+  OtpService,
+  RevokedTokensService,
+} from '@vidya/api/auth/services';
 import { inMemoryDataSource } from '@vidya/api/utils';
 import { useContainer } from 'class-validator';
 import { DataSource } from 'typeorm';
@@ -12,10 +16,15 @@ export const createTestingApp = async (): Promise<INestApplication> => {
   })
     .overrideProvider(DataSource)
     .useValue(await inMemoryDataSource())
+    // Mock the services with Redis client
+    // to avoid connecting to the actual Redis server
+    // and keeping connection open during the tests
     .overrideProvider(OtpService)
     .useValue({ validate: jest.fn() })
     .overrideProvider(RevokedTokensService)
     .useValue({ isRevoked: jest.fn() })
+    .overrideProvider(AuthUsersService)
+    .useValue({})
     .compile();
 
   const app = module.createNestApplication();
