feat: single sign on (#1305)

* feat: single sign on

Signed-off-by: bhavanakarwade <[email protected]>

* fix: rabbit suggestions

Signed-off-by: bhavanakarwade <[email protected]>

* update: send verification mail template

Signed-off-by: bhavanakarwade <[email protected]>

---------

Signed-off-by: bhavanakarwade <[email protected]>

Author: bhavanakarwade

.env.demo

@@ -155,4 +155,26 @@ OTEL_TRACES_OTLP_ENDPOINT='http://localhost:4318/v1/traces'
 OTEL_LOGS_OTLP_ENDPOINT='http://localhost:4318/v1/logs'
 OTEL_HEADERS_KEY=88ca6b1XXXXXXXXXXXXXXXXXXXXXXXXXXX
 OTEL_LOGGER_NAME='credebl-platform-logger'
-HOSTNAME='localhost'
+HOSTNAME='localhost'
+
+# SSO
+# To add more clients, simply add comma separated values of client names
+SUPPORTED_SSO_CLIENTS=CREDEBL
+
+# To add more client add the following variables for each additional client.
+# Replace the `CLIENT-NAME` with the appropriate client name as added in `SUPPORTED_SSO_CLIENTS`
+# Default client will not need the following details
+
+# CLIENT-NAME_CLIENT_ALIAS=VERIFIER
+    # # Domain represents the redirection url once the client logs-in
+    # # TODO: Can be taken from keycloak instead
+# CLIENT-NAME_DOMAIN=https://VERIFIER-domain.com
+    # # Encrypted client credentials using the `CRYPTO_PRIVATE_KEY`
+# CLIENT-NAME_KEYCLOAK_MANAGEMENT_CLIENT_ID=
+# CLIENT-NAME_KEYCLOAK_MANAGEMENT_CLIENT_SECRET=
+
+# Sample values:
+# VERIFIER_CLIENT_ALIAS=VERIFIER
+# VERIFIER_DOMAIN=https://VERIFIER-domain.com
+# VERIFIER_KEYCLOAK_MANAGEMENT_CLIENT_ID=encryptedKeyCloakClientId
+# VERIFIER_KEYCLOAK_MANAGEMENT_CLIENT_SECRET=encryptedKeyCloakClientSecret

.env.sample

@@ -176,3 +176,25 @@ OTEL_LOGS_OTLP_ENDPOINT='http://localhost:4318/v1/logs'      # Endpoint where lo
 OTEL_HEADERS_KEY=88ca6b1XXXXXXXXXXXXXXXXXXXXXXXXXXX          # API key or token used for authenticating with the OTel collector (e.g., SigNoz)
 OTEL_LOGGER_NAME='credebl-platform-logger'       # Name of the logger used for OpenTelemetry log records
 HOSTNAME='localhost'                             # Hostname or unique identifier for the service instance
+
+# SSO
+# To add more clients, simply add comma separated values of client names
+SUPPORTED_SSO_CLIENTS=CREDEBL
+
+# To add more client add the following variables for each additional client.
+# Replace the `CLIENT-NAME` with the appropriate client name as added in `SUPPORTED_SSO_CLIENTS`
+# Default client will not need the following details
+
+# CLIENT-NAME_CLIENT_ALIAS=MYAPP
+    # # Domain represents the redirection url once the client logs-in
+    # # TODO: Can be taken from keycloak instead
+# CLIENT-NAME_DOMAIN=https://myapp.com
+    # # Encrypted client credentials using the `CRYPTO_PRIVATE_KEY`
+# CLIENT-NAME_KEYCLOAK_MANAGEMENT_CLIENT_ID=
+# CLIENT-NAME_KEYCLOAK_MANAGEMENT_CLIENT_SECRET
+
+# Sample values:
+# VERIFIER_CLIENT_ALIAS=VERIFIER
+# VERIFIER_DOMAIN=https://VERIFIER-domain.com
+# VERIFIER_KEYCLOAK_MANAGEMENT_CLIENT_ID=encryptedKeyCloakClientId
+# VERIFIER_KEYCLOAK_MANAGEMENT_CLIENT_SECRET=encryptedKeyCloakClientSecret

apps/api-gateway/src/authz/authz.controller.ts

@@ -13,7 +13,7 @@ import {
 } from '@nestjs/common';
 import { AuthzService } from './authz.service';
 import { CommonService } from '../../../../libs/common/src/common.service';
-import { ApiBody, ApiOperation, ApiResponse, ApiTags } from '@nestjs/swagger';
+import { ApiBody, ApiOperation, ApiQuery, ApiResponse, ApiTags } from '@nestjs/swagger';
 import { ApiResponseDto } from '../dtos/apiResponse.dto';
 import { UserEmailVerificationDto } from '../user/dto/create-user.dto';
 import IResponseType from '@credebl/common/interfaces/response.interface';
@@ -28,27 +28,55 @@ import { ResetPasswordDto } from './dtos/reset-password.dto';
 import { ForgotPasswordDto } from './dtos/forgot-password.dto';
 import { ResetTokenPasswordDto } from './dtos/reset-token-password';
 import { RefreshTokenDto } from './dtos/refresh-token.dto';
-
+import { getDefaultClient } from '../user/utils';
+import { ClientAliasValidationPipe } from './decorators/user-auth-client';
 
 @Controller('auth')
 @ApiTags('auth')
 @UseFilters(CustomExceptionFilter)
 export class AuthzController {
   private logger = new Logger('AuthzController');
 
-  constructor(private readonly authzService: AuthzService,
-    private readonly commonService: CommonService) { }
+  constructor(
+    private readonly authzService: AuthzService,
+    private readonly commonService: CommonService
+  ) {}
+
+  /**
+   * Fetch client aliase.
+   *
+   * @returns Returns client alias and its url.
+   */
+  @Get('/clientAliases')
+  @ApiResponse({ status: HttpStatus.OK, description: 'Success', type: ApiResponseDto })
+  @ApiOperation({
+    summary: 'Get client aliases',
+    description: 'Fetch client aliases and itr url'
+  })
+  async getClientAlias(@Res() res: Response): Promise<Response> {
+    const clientAliases = await this.authzService.getClientAlias();
+    const finalResponse: IResponseType = {
+      statusCode: HttpStatus.OK,
+      message: ResponseMessages.user.success.fetchClientAliases,
+      data: clientAliases
+    };
+
+    return res.status(HttpStatus.OK).json(finalResponse);
+  }
 
   /**
    * Verify user’s email address.
-   * 
+   *
    * @param email  The email address of the user.
    * @param verificationcode The verification code sent to the user's email.
-   * @returns Returns the email verification status. 
+   * @returns Returns the email verification status.
    */
   @Get('/verify')
   @ApiResponse({ status: HttpStatus.OK, description: 'Success', type: ApiResponseDto })
-  @ApiOperation({ summary: 'Verify user’s email', description: 'Checks if the provided verification code is valid for the given email.' })
+  @ApiOperation({
+    summary: 'Verify user’s email',
+    description: 'Checks if the provided verification code is valid for the given email.'
+  })
   async verifyEmail(@Query() query: EmailVerificationDto, @Res() res: Response): Promise<Response> {
     await this.authzService.verifyEmail(query);
     const finalResponse: IResponseType = {
@@ -60,15 +88,28 @@ export class AuthzController {
   }
 
   /**
- * Sends a verification email to the user.
- * 
- * @body UserEmailVerificationDto.
- * @returns The status of the verification email.
- */
+   * Sends a verification email to the user.
+   *
+   * @body UserEmailVerificationDto.
+   * @returns The status of the verification email.
+   */
   @Post('/verification-mail')
   @ApiResponse({ status: HttpStatus.CREATED, description: 'Created', type: ApiResponseDto })
+  @ApiQuery({
+    name: 'clientAlias',
+    required: false,
+    enum: (process.env.SUPPORTED_SSO_CLIENTS || '')
+      .split(',')
+      .map((alias) => alias.trim()?.toUpperCase())
+      .filter(Boolean)
+  })
   @ApiOperation({ summary: 'Send verification email', description: 'Send verification email to new user' })
-  async create(@Body() userEmailVerification: UserEmailVerificationDto, @Res() res: Response): Promise<Response> {
+  async create(
+    @Query('clientAlias', ClientAliasValidationPipe) clientAlias: string,
+    @Body() userEmailVerification: UserEmailVerificationDto,
+    @Res() res: Response
+  ): Promise<Response> {
+    userEmailVerification.clientAlias = clientAlias ?? (await getDefaultClient()).alias;
     await this.authzService.sendVerificationMail(userEmailVerification);
     const finalResponse: IResponseType = {
       statusCode: HttpStatus.CREATED,
@@ -78,30 +119,32 @@ export class AuthzController {
   }
 
   /**
-  * Registers a new user on the platform.
-  * 
-  * @body AddUserDetailsDto
-  * @returns User's registration status and user details
-  */
+   * Registers a new user on the platform.
+   *
+   * @body AddUserDetailsDto
+   * @returns User's registration status and user details
+   */
   @Post('/signup')
   @ApiResponse({ status: HttpStatus.CREATED, description: 'Created', type: ApiResponseDto })
-  @ApiOperation({ summary: 'Register new user to platform', description: 'Register new user to platform with the provided details.' })
+  @ApiOperation({
+    summary: 'Register new user to platform',
+    description: 'Register new user to platform with the provided details.'
+  })
   async addUserDetails(@Body() userInfo: AddUserDetailsDto, @Res() res: Response): Promise<Response> {
     const userData = await this.authzService.addUserDetails(userInfo);
-      const finalResponse = {
-        statusCode: HttpStatus.CREATED,
-        message: ResponseMessages.user.success.create,
-        data: userData
-      };
+    const finalResponse = {
+      statusCode: HttpStatus.CREATED,
+      message: ResponseMessages.user.success.create,
+      data: userData
+    };
     return res.status(HttpStatus.CREATED).json(finalResponse);
-
   }
   /**
-  * Authenticates a user and returns an access token. 
-  * 
-  * @body LoginUserDto
-  * @returns User's access token details
-  */
+   * Authenticates a user and returns an access token.
+   *
+   * @body LoginUserDto
+   * @returns User's access token details
+   */
   @Post('/signin')
   @ApiOperation({
     summary: 'Authenticate the user for the access',
@@ -110,7 +153,6 @@ export class AuthzController {
   @ApiResponse({ status: HttpStatus.OK, description: 'Success', type: AuthTokenResponse })
   @ApiBody({ type: LoginUserDto })
   async login(@Body() loginUserDto: LoginUserDto, @Res() res: Response): Promise<Response> {
-
     if (loginUserDto.email) {
       const userData = await this.authzService.login(loginUserDto.email, loginUserDto.password);
 
@@ -126,60 +168,58 @@ export class AuthzController {
     }
   }
 
-
   /**
- * Resets user's password.
- * 
- * @body ResetPasswordDto
- * @returns The password reset status.
- */
+   * Resets user's password.
+   *
+   * @body ResetPasswordDto
+   * @returns The password reset status.
+   */
   @Post('/reset-password')
   @ApiOperation({
     summary: 'Reset password',
     description: 'Allows users to reset a new password which should be different form existing password.'
-  }) 
+  })
   @ApiResponse({ status: HttpStatus.OK, description: 'Success', type: ApiResponseDto })
   async resetPassword(@Body() resetPasswordDto: ResetPasswordDto, @Res() res: Response): Promise<Response> {
-
-      const userData = await this.authzService.resetPassword(resetPasswordDto);
-      const finalResponse: IResponseType = {
-        statusCode: HttpStatus.OK,
-        message: ResponseMessages.user.success.resetPassword,
-        data: userData
-      };
-      return res.status(HttpStatus.OK).json(finalResponse);
+    const userData = await this.authzService.resetPassword(resetPasswordDto);
+    const finalResponse: IResponseType = {
+      statusCode: HttpStatus.OK,
+      message: ResponseMessages.user.success.resetPassword,
+      data: userData
+    };
+    return res.status(HttpStatus.OK).json(finalResponse);
   }
 
-/**
- * Initiates the password reset process by sending a reset link to the user's email.
- *
- * @body ForgotPasswordDto
- * @returns Status message indicating whether the reset link was sent successfully.
- */
+  /**
+   * Initiates the password reset process by sending a reset link to the user's email.
+   *
+   * @body ForgotPasswordDto
+   * @returns Status message indicating whether the reset link was sent successfully.
+   */
   @Post('/forgot-password')
   @ApiOperation({
     summary: 'Forgot password',
     description: 'Sends a password reset link to the user’s email.'
   })
   @ApiResponse({ status: HttpStatus.OK, description: 'Success', type: ApiResponseDto })
   async forgotPassword(@Body() forgotPasswordDto: ForgotPasswordDto, @Res() res: Response): Promise<Response> {
-      const userData = await this.authzService.forgotPassword(forgotPasswordDto);
-      const finalResponse: IResponseType = {
-        statusCode: HttpStatus.OK,
-        message: ResponseMessages.user.success.resetPasswordLink,
-        data: userData
-      };
+    const userData = await this.authzService.forgotPassword(forgotPasswordDto);
+    const finalResponse: IResponseType = {
+      statusCode: HttpStatus.OK,
+      message: ResponseMessages.user.success.resetPasswordLink,
+      data: userData
+    };
 
-      return res.status(HttpStatus.OK).json(finalResponse);
+    return res.status(HttpStatus.OK).json(finalResponse);
   }
 
-/**
- * Resets the user's password using a verification token.
- *
- * @param email The email address of the user.
- * @body ResetTokenPasswordDto
- * @returns Status message indicating whether the password reset was successful.
- */
+  /**
+   * Resets the user's password using a verification token.
+   *
+   * @param email The email address of the user.
+   * @body ResetTokenPasswordDto
+   * @returns Status message indicating whether the password reset was successful.
+   */
   @Post('/password-reset/:email')
   @ApiOperation({
     summary: 'Reset password with verification token',
@@ -189,41 +229,38 @@ export class AuthzController {
   async resetNewPassword(
     @Param('email') email: string,
     @Body() resetTokenPasswordDto: ResetTokenPasswordDto,
-    @Res() res: Response): Promise<Response> {      
-      resetTokenPasswordDto.email = email.trim();
-      const userData = await this.authzService.resetNewPassword(resetTokenPasswordDto);
-      const finalResponse: IResponseType = {
-        statusCode: HttpStatus.OK,
-        message: ResponseMessages.user.success.resetPassword,
-        data: userData
-      };
-      return res.status(HttpStatus.OK).json(finalResponse);
+    @Res() res: Response
+  ): Promise<Response> {
+    resetTokenPasswordDto.email = email.trim();
+    const userData = await this.authzService.resetNewPassword(resetTokenPasswordDto);
+    const finalResponse: IResponseType = {
+      statusCode: HttpStatus.OK,
+      message: ResponseMessages.user.success.resetPassword,
+      data: userData
+    };
+    return res.status(HttpStatus.OK).json(finalResponse);
   }
 
-/**
- * Generates a new access token using a refresh token.
- *
- * @body RefreshTokenDto
- * @returns New access token and its details.
- */
+  /**
+   * Generates a new access token using a refresh token.
+   *
+   * @body RefreshTokenDto
+   * @returns New access token and its details.
+   */
   @Post('/refresh-token')
   @ApiOperation({
     summary: 'Token from refresh token',
     description: 'Generates a new access token using a refresh token.'
   })
   @ApiResponse({ status: HttpStatus.OK, description: 'Success', type: ApiResponseDto })
-  async refreshToken(
-    @Body() refreshTokenDto: RefreshTokenDto,
-    @Res() res: Response): Promise<Response> {      
-      const tokenData = await this.authzService.refreshToken(refreshTokenDto.refreshToken);
-      const finalResponse: IResponseType = {
-        statusCode: HttpStatus.OK,
-        message: ResponseMessages.user.success.refreshToken,
-        data: tokenData
-      };
+  async refreshToken(@Body() refreshTokenDto: RefreshTokenDto, @Res() res: Response): Promise<Response> {
+    const tokenData = await this.authzService.refreshToken(refreshTokenDto.refreshToken);
+    const finalResponse: IResponseType = {
+      statusCode: HttpStatus.OK,
+      message: ResponseMessages.user.success.refreshToken,
+      data: tokenData
+    };
 
-      return res.status(HttpStatus.OK).json(finalResponse);
-   
+    return res.status(HttpStatus.OK).json(finalResponse);
   }
-
-}
+}