Merge pull request #1402 from credebl/fix/create-account-problem

Fix: create account with large token size

Author: shitrerohit

.env.demo

@@ -158,6 +158,12 @@ OTEL_LOGGER_NAME='credebl-platform-logger'
 HOSTNAME='localhost'
 SESSIONS_LIMIT=10
 # SSO
+APP_PROTOCOL=http
+#To add more clients, simply copy the variable below and change the word 'CREDEBL' to your client's name.
+CREDEBL_CLIENT_ALIAS=CREDEBL
+CREDEBL_DOMAIN=http://localhost:3000
+CREDEBL_KEYCLOAK_MANAGEMENT_CLIENT_ID= #Provide the value in its encrypted form using CRYPTO_PRIVATE_KEY.
+CREDEBL_KEYCLOAK_MANAGEMENT_CLIENT_SECRET= #Provide the value in its encrypted form using CRYPTO_PRIVATE_KEY.
 # To add more clients, simply add comma separated values of client names
 SUPPORTED_SSO_CLIENTS=CREDEBL
 

.env.sample

@@ -178,9 +178,14 @@ OTEL_LOGGER_NAME='credebl-platform-logger'       # Name of the logger used for O
 HOSTNAME='localhost'                             # Hostname or unique identifier for the service instance
 
 # SSO
+#To add more clients, simply copy the variable below and change the word 'CREDEBL' to your client's name.
+CREDEBL_CLIENT_ALIAS=CREDEBL
+CREDEBL_DOMAIN=http://localhost:3000
+CREDEBL_KEYCLOAK_MANAGEMENT_CLIENT_ID= #Provide the value in its encrypted form using CRYPTO_PRIVATE_KEY.
+CREDEBL_KEYCLOAK_MANAGEMENT_CLIENT_SECRET= #Provide the value in its encrypted form using CRYPTO_PRIVATE_KEY.
 # To add more clients, simply add comma separated values of client names
 SUPPORTED_SSO_CLIENTS=CREDEBL
-NEXTAUTH_PROTOCOL=
+APP_PROTOCOL=
 
 # Key for agent base wallet
 AGENT_API_KEY='supersecret-that-too-16chars'

apps/api-gateway/src/authz/jwt.strategy.ts

@@ -1,17 +1,18 @@
 import * as dotenv from 'dotenv';
+import * as jwt from 'jsonwebtoken';
 
 import { ExtractJwt, Strategy } from 'passport-jwt';
-import { Injectable, Logger, UnauthorizedException, NotFoundException } from '@nestjs/common';
+import { Injectable, Logger, NotFoundException, UnauthorizedException } from '@nestjs/common';
 
+import { AuthzService } from './authz.service';
+import { CommonConstants } from '@credebl/common/common.constant';
+import { IOrganization } from '@credebl/common/interfaces/organization.interface';
 import { JwtPayload } from './jwt-payload.interface';
+import { OrganizationService } from '../organization/organization.service';
 import { PassportStrategy } from '@nestjs/passport';
+import { ResponseMessages } from '@credebl/common/response-messages';
 import { UserService } from '../user/user.service';
-import * as jwt from 'jsonwebtoken';
 import { passportJwtSecret } from 'jwks-rsa';
-import { CommonConstants } from '@credebl/common/common.constant';
-import { OrganizationService } from '../organization/organization.service';
-import { IOrganization } from '@credebl/common/interfaces/organization.interface';
-import { ResponseMessages } from '@credebl/common/response-messages';
 
 dotenv.config();
 
@@ -21,15 +22,20 @@ export class JwtStrategy extends PassportStrategy(Strategy) {
 
   constructor(
     private readonly usersService: UserService,
-    private readonly organizationService: OrganizationService
-    ) {
-
+    private readonly organizationService: OrganizationService,
+    private readonly authzService: AuthzService
+  ) {
     super({
       jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
-      secretOrKeyProvider: (request, jwtToken, done) => {
+      secretOrKeyProvider: async (request, jwtToken, done) => {
+        // Todo: We need to add this logic in seprate jwt gurd to handle the token expiration functionality.
         // eslint-disable-next-line @typescript-eslint/no-explicit-any
         const decodedToken: any = jwt.decode(jwtToken);
-
+        const currentTime = Math.floor(Date.now() / 1000);
+        if (decodedToken?.exp < currentTime) {
+          const sessionIds = { sessions: [decodedToken?.sid] };
+          await this.authzService.logout(sessionIds);
+        }
         if (!decodedToken) {
           throw new UnauthorizedException(ResponseMessages.user.error.invalidAccessToken);
         }
@@ -49,26 +55,25 @@ export class JwtStrategy extends PassportStrategy(Strategy) {
         });
       },
       algorithms: ['RS256']
-    });  
+    });
   }
 
   async validate(payload: JwtPayload): Promise<object> {
-
     let userDetails = null;
     let userInfo;
 
     if (payload?.email) {
       userInfo = await this.usersService.getUserByUserIdInKeycloak(payload?.email);
     }
-    
+
     if (payload.hasOwnProperty('client_id')) {
       const orgDetails: IOrganization = await this.organizationService.findOrganizationOwner(payload['client_id']);
-      
+
       this.logger.log('Organization details fetched');
       if (!orgDetails) {
         throw new NotFoundException(ResponseMessages.organisation.error.orgNotFound);
       }
-  
+
       // eslint-disable-next-line prefer-destructuring
       const userOrgDetails = 0 < orgDetails.userOrgRoles.length && orgDetails.userOrgRoles[0];
 
@@ -83,11 +88,10 @@ export class JwtStrategy extends PassportStrategy(Strategy) {
       });
 
       this.logger.log('User details set');
-
     } else {
       userDetails = await this.usersService.findUserinKeycloak(payload.sub);
     }
-    
+
     if (!userDetails) {
       throw new NotFoundException(ResponseMessages.user.error.notFound);
     }

apps/api-gateway/src/organization/organization.controller.ts

@@ -559,7 +559,7 @@ export class OrganizationController {
     res.cookie('session_id', orgCredentials.sessionId, {
       httpOnly: true,
       sameSite: 'none',
-      secure: 'http' !== process.env.NEXTAUTH_PROTOCOL
+      secure: 'http' !== process.env.APP_PROTOCOL
     });
 
     return res.status(HttpStatus.OK).json(finalResponse);

apps/organization/src/organization.service.ts

@@ -726,24 +726,14 @@ export class OrganizationService {
     // Otherwise, create a new account and also create the new session
     const fetchAccountDetails = await this.userRepository.checkAccountDetails(orgRoleDetails['user'].id);
     if (fetchAccountDetails) {
-      const accountData = {
-        sessionToken: authenticationResult?.access_token,
-        userId: orgRoleDetails['user'].id,
-        expires: authenticationResult?.expires_in
-      };
-
-      await this.userRepository.updateAccountDetails(accountData).then(async (response) => {
-        const finalSessionData = { ...sessionData, accountId: response.id };
-        addSessionDetails = await this.userRepository.createSession(finalSessionData);
-      });
+      const finalSessionData = { ...sessionData, accountId: fetchAccountDetails.id };
+      addSessionDetails = await this.userRepository.createSession(finalSessionData);
     } else {
       // Note:
       // This else block is mostly used for already registered users on the platform to create their account & session in the database.
       // Once all users are migrated or created their accounts and sessions in the DB, this code can be removed.
       const accountData = {
-        sessionToken: authenticationResult?.access_token,
         userId: orgRoleDetails['user'].id,
-        expires: authenticationResult?.expires_in,
         keycloakUserId: orgRoleDetails['user'].keycloakUserId,
         type: TokenType.BEARER_TOKEN
       };

apps/user/interfaces/user.interface.ts

@@ -182,6 +182,7 @@ export interface IUserSignIn {
 }
 
 export interface ISession {
+  id?: string;
   sessionToken?: string;
   userId?: string;
   expires?: number;

apps/user/repositories/user.repository.ts

@@ -1,11 +1,11 @@
+/* eslint-disable camelcase */
 /* eslint-disable prefer-destructuring */
 
 import {
   IOrgUsers,
   ISendVerificationEmail,
   ISession,
   IShareUserCertificate,
-  IUpdateAccountDetails,
   IUserDeletedActivity,
   IUserInformation,
   IUsersProfile,
@@ -17,7 +17,6 @@ import {
   UserRoleMapping
 } from '../interfaces/user.interface';
 import { Injectable, InternalServerErrorException, Logger, NotFoundException } from '@nestjs/common';
-// eslint-disable-next-line camelcase
 import {
   Prisma,
   RecordType,
@@ -682,6 +681,7 @@ export class UserRepository {
       const { sessionToken, userId, expires, refreshToken, accountId, sessionType } = tokenDetails;
       const sessionResponse = await this.prisma.session.create({
         data: {
+          id: tokenDetails.id,
           sessionToken,
           expires,
           userId,
@@ -725,67 +725,13 @@ export class UserRepository {
     }
   }
 
-  async fetchAccountByRefreshToken(userId: string, refreshToken: string): Promise<account> {
-    try {
-      return await this.prisma.account.findUnique({
-        where: {
-          userId,
-          refreshToken
-        }
-      });
-    } catch (error) {
-      this.logger.error(`Error in getting account details: ${error.message} `);
-      throw error;
-    }
-  }
-
-  async updateAccountDetailsById(accountDetails: IUpdateAccountDetails): Promise<account> {
-    try {
-      return await this.prisma.account.update({
-        where: {
-          id: accountDetails.accountId
-        },
-        data: {
-          accessToken: accountDetails.accessToken,
-          refreshToken: accountDetails.refreshToken,
-          expiresAt: accountDetails.expiresAt
-        }
-      });
-    } catch (error) {
-      this.logger.error(`Error in getting account details: ${error.message} `);
-      throw error;
-    }
-  }
-
-  async updateAccountDetails(accountDetails: ISession): Promise<account> {
-    try {
-      const userAccountDetails = await this.prisma.account.update({
-        where: {
-          userId: accountDetails.userId
-        },
-        data: {
-          accessToken: accountDetails.sessionToken,
-          refreshToken: accountDetails.refreshToken,
-          expiresAt: accountDetails.expires
-        }
-      });
-      return userAccountDetails;
-    } catch (error) {
-      this.logger.error(`Error in updateAccountDetails: ${error.message}`);
-      throw error;
-    }
-  }
-
   async addAccountDetails(accountDetails: ISession): Promise<account> {
     try {
       const userAccountDetails = await this.prisma.account.create({
         data: {
           userId: accountDetails.userId,
           provider: ProviderType.KEYCLOAK,
           providerAccountId: accountDetails.keycloakUserId,
-          accessToken: accountDetails.sessionToken,
-          refreshToken: accountDetails.refreshToken,
-          expiresAt: accountDetails.expires,
           tokenType: accountDetails.type
         }
       });
@@ -1014,11 +960,11 @@ export class UserRepository {
     }
   }
 
-  async deleteSessionRecordByRefreshToken(refreshToken: string): Promise<session> {
+  async deleteSession(sessionId: string): Promise<session> {
     try {
       const userSession = await this.prisma.session.delete({
         where: {
-          refreshToken
+          id: sessionId
         }
       });
       return userSession;
@@ -1027,4 +973,18 @@ export class UserRepository {
       throw error;
     }
   }
+
+  async fetchSessionByRefreshToken(refreshToken: string): Promise<session> {
+    try {
+      const sessionDetails = await this.prisma.session.findFirst({
+        where: {
+          refreshToken
+        }
+      });
+      return sessionDetails;
+    } catch (error) {
+      this.logger.error(`Error in fetching session details::${error.message}`);
+      throw error;
+    }
+  }
 }

apps/user/src/user.service.ts

@@ -449,9 +449,7 @@ export class UserService {
     try {
       this.validateEmail(email.toLowerCase());
       const userData = await this.userRepository.checkUserExist(email.toLowerCase());
-
       const userSessionDetails = await this.userRepository.fetchUserSessions(userData?.id);
-
       if (Number(process.env.SESSIONS_LIMIT) <= userSessionDetails?.length) {
         throw new BadRequestException(ResponseMessages.user.error.sessionLimitReached);
       }
@@ -475,8 +473,10 @@ export class UserService {
       } else {
         const decryptedPassword = await this.commonService.decryptPassword(password);
         const tokenDetails = await this.generateToken(email.toLowerCase(), decryptedPassword, userData);
-
+        // eslint-disable-next-line @typescript-eslint/no-explicit-any
+        const decodedToken: any = jwt.decode(tokenDetails?.access_token);
         const sessionData = {
+          id: decodedToken.sid,
           sessionToken: tokenDetails?.access_token,
           userId: userData?.id,
           expires: tokenDetails?.expires_in,
@@ -489,10 +489,7 @@ export class UserService {
         let accountData;
         if (null === fetchAccountDetails) {
           accountData = {
-            sessionToken: tokenDetails?.access_token,
             userId: userData?.id,
-            expires: tokenDetails?.expires_in,
-            refreshToken: tokenDetails?.refresh_token,
             keycloakUserId: userData?.keycloakUserId,
             type: TokenType.BEARER_TOKEN
           };
@@ -502,17 +499,8 @@ export class UserService {
             addSessionDetails = await this.userRepository.createSession(finalSessionData);
           });
         } else {
-          accountData = {
-            sessionToken: tokenDetails?.access_token,
-            userId: userData?.id,
-            expires: tokenDetails?.expires_in,
-            refreshToken: tokenDetails?.refresh_token
-          };
-
-          await this.userRepository.updateAccountDetails(accountData).then(async (response) => {
-            const finalSessionData = { ...sessionData, accountId: response.id };
-            addSessionDetails = await this.userRepository.createSession(finalSessionData);
-          });
+          const finalSessionData = { ...sessionData, accountId: fetchAccountDetails.id };
+          addSessionDetails = await this.userRepository.createSession(finalSessionData);
         }
 
         const finalResponse = {
@@ -554,26 +542,18 @@ export class UserService {
         );
         this.logger.debug(`tokenResponse::::${JSON.stringify(tokenResponse)}`);
         // Fetch the details from account table based on userid and refresh token
-        const userAccountDetails = await this.userRepository.fetchAccountByRefreshToken(
-          userByKeycloakId?.['id'],
-          refreshToken
-        );
+        const userAccountDetails = await this.userRepository.checkAccountDetails(userByKeycloakId?.['id']);
         // Update the account details with latest access token, refresh token and exp date
         if (!userAccountDetails) {
           throw new NotFoundException(ResponseMessages.user.error.userAccountNotFound);
         }
-        const updateAccountDetails: IUpdateAccountDetails = {
-          accessToken: tokenResponse.access_token,
-          refreshToken: tokenResponse.refresh_token,
-          expiresAt: tokenResponse.expires_in,
-          accountId: userAccountDetails.id
-        };
-        const updateAccountDetailsResponse = await this.userRepository.updateAccountDetailsById(updateAccountDetails);
-        // Delete the preveious session record and create new one
-        if (!updateAccountDetailsResponse) {
-          throw new InternalServerErrorException(ResponseMessages.user.error.errorInUpdateAccountDetails);
+        // Fetch session details
+        const sessionDetails = await this.userRepository.fetchSessionByRefreshToken(refreshToken);
+        if (!sessionDetails) {
+          throw new NotFoundException(ResponseMessages.user.error.userSeesionNotFound);
         }
-        const deletePreviousSession = await this.userRepository.deleteSessionRecordByRefreshToken(refreshToken);
+        // Delete previous session
+        const deletePreviousSession = await this.userRepository.deleteSession(sessionDetails.id);
         if (!deletePreviousSession) {
           throw new InternalServerErrorException(ResponseMessages.user.error.errorInDeleteSession);
         }
@@ -583,7 +563,7 @@ export class UserService {
           expires: tokenResponse.expires_in,
           refreshToken: tokenResponse.refresh_token,
           sessionType: SessionType.USER_SESSION,
-          accountId: updateAccountDetailsResponse.id
+          accountId: userAccountDetails.id
         };
         const addSessionDetails = await this.userRepository.createSession(sessionData);
         if (!addSessionDetails) {