feat: add server auth

.env.example

@@ -2,6 +2,7 @@ CLOUDINARY_API_KEY=
 CLOUDINARY_API_SECRET=
 CLOUDINARY_CLOUD_NAME=
 DATABASE_URL=
+FRONTEND_URL=
 REDIS_USERNAME=
 REDIS_PASSWORD=
 REDIS_HOST=
@@ -10,8 +11,13 @@ GOOGLE_CLIENT_ID=
 GOOGLE_CLIENT_SECRET=
 GOOGLE_REDIRECT_URI=
 PORT=
+NODE_ENV=
 API_PREFIX=
 ALLOWED_ORIGINS=
+COOKIE_HTTP_ONLY=
+COOKIE_SECURE=
+COOKIE_SAME_SITE=
+COOKIE_DOMAIN=
 ACCESS_JWT_SECRET=
 REFRESH_JWT_SECRET=
 ACCESS_JWT_EXPIRES_IN=

app/app.ts

@@ -1,4 +1,5 @@
 import express from 'express'
+import cookieParser from 'cookie-parser'
 import cors from 'cors'
 import helmet from 'helmet'
 import logger from 'morgan'
@@ -13,8 +14,9 @@ export const app = express()
 z.config(zodConfig)
 
 app.use(helmet())
-app.use(cors({ origin: env.ALLOWED_ORIGINS }))
+app.use(cors({ origin: env.ALLOWED_ORIGINS, credentials: true }))
 app.use(logger(app.get('env') === 'development' ? 'dev' : 'combined'))
+app.use(cookieParser())
 app.use(express.json())
 
 app.use(env.API_PREFIX, apiRouter)

app/config/env.config.ts

@@ -9,6 +9,7 @@ const envSchema = z.object({
   CLOUDINARY_API_SECRET: z.string(),
   CLOUDINARY_CLOUD_NAME: z.string(),
   DATABASE_URL: z.string(),
+  FRONTEND_URL: z.url(),
   GOOGLE_CLIENT_ID: z.string(),
   GOOGLE_CLIENT_SECRET: z.string(),
   GOOGLE_REDIRECT_URI: z.url(),
@@ -19,6 +20,11 @@ const envSchema = z.object({
   ACCESS_JWT_SECRET: z.string().transform(v => new TextEncoder().encode(v)),
   REFRESH_JWT_SECRET: z.string().transform(v => new TextEncoder().encode(v)),
   PORT: z.coerce.number().int().positive().min(1000).max(65535),
+  NODE_ENV: z.enum(['development', 'production']).default('development'),
+  COOKIE_HTTP_ONLY: z.stringbool(),
+  COOKIE_SECURE: z.stringbool(),
+  COOKIE_SAME_SITE: z.enum(['lax', 'strict', 'none']),
+  COOKIE_DOMAIN: z.string(),
   API_PREFIX: z.string(),
   ALLOWED_ORIGINS: z
     .string()

app/controllers/auth.controller.ts

@@ -1,11 +1,6 @@
 import crypto from 'crypto'
-import type {
-  GoogleCodeSchema,
-  RefreshTokenSchema,
-  SigninSchema,
-  SignupSchema
-} from '@/schemas'
-import type { JwtPayload, TypedRequestBody } from '@/types'
+import type { GoogleCodeSchema, SigninSchema, SignupSchema } from '@/schemas'
+import type { JwtPayload, TypedRequestBody, TypedRequestQuery } from '@/types'
 import type { NextFunction, Request, Response } from 'express'
 
 import { prisma } from '@/prisma'
@@ -26,7 +21,12 @@ const {
   REFRESH_JWT_ALGORITHM,
   GOOGLE_CLIENT_ID,
   GOOGLE_CLIENT_SECRET,
-  GOOGLE_REDIRECT_URI
+  GOOGLE_REDIRECT_URI,
+  FRONTEND_URL,
+  COOKIE_HTTP_ONLY,
+  COOKIE_DOMAIN,
+  COOKIE_SECURE,
+  COOKIE_SAME_SITE
 } = env
 
 class AuthController {
@@ -36,6 +36,9 @@ class AuthController {
     GOOGLE_REDIRECT_URI
   )
 
+  private readonly ACCESS_TOKEN_NAME = 'accessToken'
+  private readonly REFRESH_TOKEN_NAME = 'refreshToken'
+
   signup = async (
     { body }: TypedRequestBody<typeof SignupSchema>,
     res: Response,
@@ -54,13 +57,11 @@ class AuthController {
       }
     })
 
-    const newSession = await prisma.session.create({
-      data: { userId: user.id }
-    })
+    const tokens = await this.getNewTokens({ id: user.id })
 
-    const tokens = await this.getNewTokens({ id: user.id, sid: newSession.id })
+    this.setTokensCookie(res, tokens)
 
-    res.json({ user, ...tokens })
+    res.json({ user })
   }
 
   signin = async (
@@ -83,16 +84,14 @@ class AuthController {
 
     if (!isPasswordMatch) return next(Unauthorized('Email or password invalid'))
 
-    const newSession = await prisma.session.create({
-      data: { userId: user.id }
-    })
+    const tokens = await this.getNewTokens({ id: user.id })
 
-    const tokens = await this.getNewTokens({ id: user.id, sid: newSession.id })
+    this.setTokensCookie(res, tokens)
 
-    res.json({ user: userWithoutPassword, ...tokens })
+    res.json({ user: userWithoutPassword })
   }
 
-  getGoogleRedirectUrl = async (_: Request, res: Response) => {
+  googleInitiate = async (_: Request, res: Response) => {
     const state = crypto.randomBytes(32).toString('hex')
 
     await redisClient.set(`oauth_state:${state}`, 'true', 'EX', 5 * 60)
@@ -107,11 +106,11 @@ class AuthController {
   }
 
   googleCallback = async (
-    req: TypedRequestBody<typeof GoogleCodeSchema>,
+    req: TypedRequestQuery<typeof GoogleCodeSchema>,
     res: Response,
     next: NextFunction
   ) => {
-    const { code, state: receivedState } = req.body
+    const { code, state: receivedState } = req.query
 
     const redisStateKey = `oauth_state:${receivedState}`
 
@@ -126,15 +125,12 @@ class AuthController {
     if (!tokens.id_token) return next(Forbidden())
 
     const ticket = await this.googleClient.verifyIdToken({
-      idToken: tokens.id_token,
-      audience: GOOGLE_CLIENT_ID
+      idToken: tokens.id_token
     })
 
     const payload = ticket.getPayload()
 
-    if (!payload || !payload.email) {
-      return next(Forbidden('Invalid token'))
-    }
+    if (!payload || !payload.email) return next(Forbidden('Invalid token'))
 
     const {
       email,
@@ -151,68 +147,49 @@ class AuthController {
         data: { name, email, avatar: picture }
       })
 
-      const newSession = await prisma.session.create({
-        data: { userId: user.id }
-      })
+      const tokens = await this.getNewTokens({ id: user.id })
 
-      const tokens = await this.getNewTokens({
-        id: user.id,
-        sid: newSession.id
-      })
+      this.setTokensCookie(res, tokens)
 
-      res.json({ user, ...tokens })
+      res.redirect(FRONTEND_URL)
     } else {
-      const newSession = await prisma.session.create({
-        data: { userId: user.id }
-      })
+      const tokens = await this.getNewTokens({ id: user.id })
 
-      const tokens = await this.getNewTokens({
-        id: user.id,
-        sid: newSession.id
-      })
+      this.setTokensCookie(res, tokens)
 
-      res.json({ user, ...tokens })
+      res.redirect(FRONTEND_URL)
     }
   }
 
-  refresh = async (
-    { body }: TypedRequestBody<typeof RefreshTokenSchema>,
-    res: Response,
-    next: NextFunction
-  ) => {
+  refresh = async (req: Request, res: Response, next: NextFunction) => {
+    const refreshToken = req.cookies[this.REFRESH_TOKEN_NAME]
+
+    if (!refreshToken) return next(Forbidden())
+
     try {
       const {
-        payload: { id, sid }
-      } = await jwtVerify<JwtPayload>(body.refreshToken, REFRESH_JWT_SECRET)
+        payload: { id }
+      } = await jwtVerify<JwtPayload>(refreshToken, REFRESH_JWT_SECRET)
 
       const user = await prisma.user.findFirst({ where: { id } })
 
       if (!user) return next(Forbidden())
 
-      const currentSession = await prisma.session.findFirst({
-        where: { id: sid }
-      })
-
-      if (!currentSession) return next(Forbidden())
-
-      await prisma.session.delete({ where: { id: currentSession.id } })
+      const tokens = await this.getNewTokens({ id: user.id })
 
-      const newSid = await prisma.session.create({
-        data: { userId: user.id }
-      })
-
-      const tokens = await this.getNewTokens({ id: user.id, sid: newSid.id })
+      this.setTokensCookie(res, tokens)
 
-      res.json(tokens)
+      res.json({ message: 'Tokens refreshed successfully' })
     } catch (error) {
       if (error instanceof JWTExpired) return next(Forbidden(error.code))
 
       return next(Forbidden())
     }
   }
 
-  logout = async ({ session }: Request, res: Response) => {
-    await prisma.session.delete({ where: { id: session } })
+  logout = async (_: Request, res: Response) => {
+    res.clearCookie(this.ACCESS_TOKEN_NAME)
+    res.clearCookie(this.REFRESH_TOKEN_NAME)
 
     res.sendStatus(204)
   }
@@ -230,6 +207,25 @@ class AuthController {
 
     return { accessToken, refreshToken }
   }
+
+  private setTokensCookie = (
+    res: Response,
+    tokens: { accessToken: string; refreshToken: string }
+  ) => {
+    res.cookie(this.ACCESS_TOKEN_NAME, tokens.accessToken, {
+      httpOnly: COOKIE_HTTP_ONLY,
+      secure: COOKIE_SECURE,
+      sameSite: COOKIE_SAME_SITE,
+      domain: COOKIE_DOMAIN
+    })
+
+    res.cookie(this.REFRESH_TOKEN_NAME, tokens.refreshToken, {
+      httpOnly: COOKIE_HTTP_ONLY,
+      secure: COOKIE_SECURE,
+      sameSite: COOKIE_SAME_SITE,
+      domain: COOKIE_DOMAIN
+    })
+  }
 }
 
 export const authController = new AuthController()

app/middlewares/authenticate.ts

@@ -4,6 +4,7 @@ import type { NextFunction, Request, Response } from 'express'
 import { prisma } from '@/prisma'
 import { Unauthorized } from 'http-errors'
 import { jwtVerify } from 'jose'
+import { JWTExpired } from 'jose/errors'
 
 import { env } from '@/config'
 
@@ -12,30 +13,28 @@ export const authenticate = async (
   _: Response,
   next: NextFunction
 ) => {
-  const { authorization = '' } = req.headers
-  const [bearer, token] = authorization.split(' ')
+  const token: string = req.cookies.accessToken
 
-  if (bearer !== 'Bearer') return next(Unauthorized())
+  if (!token) return next(Unauthorized())
 
   try {
     const {
-      payload: { id, sid }
+      payload: { id }
     } = await jwtVerify<JwtPayload>(token, env.ACCESS_JWT_SECRET)
 
     const user = await prisma.user.findFirst({
       where: { id },
       omit: { password: false }
     })
 
-    const session = await prisma.session.findFirst({ where: { id: sid } })
-
-    if (!user || !session) return next(Unauthorized())
+    if (!user) return next(Unauthorized())
 
     req.user = user
-    req.session = session.id
 
     next()
-  } catch {
+  } catch (e) {
+    if (e instanceof JWTExpired) return next(Unauthorized(e.code))
+
     return next(Unauthorized())
   }
 }

app/routes/api/auth.ts

@@ -4,12 +4,7 @@ import { authController } from '@/controllers'
 
 import { authenticate, validateRequest } from '@/middlewares'
 
-import {
-  GoogleCodeSchema,
-  RefreshTokenSchema,
-  SigninSchema,
-  SignupSchema
-} from '@/schemas'
+import { GoogleCodeSchema, SigninSchema, SignupSchema } from '@/schemas'
 
 export const authRouter = Router()
 
@@ -25,18 +20,14 @@ authRouter.post(
   authController.signin
 )
 
-authRouter.get('/google/initiate', authController.getGoogleRedirectUrl)
+authRouter.post('/google/initiate', authController.googleInitiate)
 
-authRouter.post(
+authRouter.get(
   '/google/callback',
-  validateRequest({ body: GoogleCodeSchema }),
+  validateRequest({ query: GoogleCodeSchema }),
   authController.googleCallback
 )
 
-authRouter.post(
-  '/refresh',
-  validateRequest({ body: RefreshTokenSchema }),
-  authController.refresh
-)
+authRouter.post('/refresh', authController.refresh)
 
 authRouter.post('/logout', authenticate, authController.logout)

app/schemas/auth.schema.ts

@@ -10,10 +10,6 @@ export const SignupSchema = z.object({
   name: z.string().min(2)
 })
 
-export const RefreshTokenSchema = z.object({
-  refreshToken: z.string().min(1)
-})
-
 export const GoogleCodeSchema = z.object({
   code: z.string().min(1),
   state: z.optional(z.string())

app/schemas/index.ts

@@ -15,10 +15,5 @@ export {
   ColumnParamsSchema,
   UpdateColumnOrderSchema
 } from './column.schema'
-export {
-  SigninSchema,
-  SignupSchema,
-  RefreshTokenSchema,
-  GoogleCodeSchema
-} from './auth.schema'
+export { SigninSchema, SignupSchema, GoogleCodeSchema } from './auth.schema'
 export { EditUserSchema, NeedHelpSchema } from './user.schema'

app/types/express.d.ts

@@ -3,7 +3,6 @@ import type { User } from '@prisma/client'
 declare global {
   namespace Express {
     interface Request {
-      session: string
       user: User
     }
   }

app/types/jwt-payload.ts

@@ -1,4 +1,3 @@
 export type JwtPayload = {
   id?: string
-  sid?: string
 }