Feat/12 auth

apps/backend/.env.example

@@ -1 +1,6 @@
-DATABASE_URL="postgresql://postgres:postgres@localhost:5432/mydb?schema=public"
+DATABASE_URL="postgresql://postgres:postgres@localhost:5432/schbody?schema=public"
+AUTHSCH_CLIENT_ID="16873903969434023692"
+AUTHSCH_CLIENT_SECRET="5KhIlDHGhxzLx3FK7L81FJ5CQSuyJTLVrW0hZnbzv4jbdOHU255HuOtBgGZS38V3pHGd4SE78aq4Njze"
+JWT_SECRET="this is a secret"
+FRONTEND_URL="http://localhost:3000"
+BACKEND_PORT=3300

apps/backend/package.json

@@ -14,11 +14,16 @@
     "start:prod": "node dist/main"
   },
   "dependencies": {
+    "@kir-dev/passport-authsch": "^1.0.0",
     "@nestjs/common": "^10.3.8",
     "@nestjs/core": "^10.3.8",
+    "@nestjs/jwt": "^10.2.0",
+    "@nestjs/passport": "^10.0.3",
     "@nestjs/platform-express": "^10.3.8",
     "@prisma/client": "^5.13.0",
     "nestjs-prisma": "^0.23.0",
+    "passport": "^0.7.0",
+    "passport-jwt": "^4.0.1",
     "reflect-metadata": "^0.2.2",
     "rimraf": "^5.0.5",
     "rxjs": "^7.8.1"

apps/backend/prisma/schema.prisma

@@ -28,8 +28,7 @@ enum ApplicationStatus {
 }
 
 model User {
-  id                 Int                 @id @default(autoincrement())
-  authSchId          String              @unique
+  authSchId          String              @id
   fullName           String
   nickName           String
   role               Role                @default(USER)
@@ -56,17 +55,17 @@ model ApplicationPeriod {
   createdAt                DateTime      @default(now())
   updatedAt                DateTime      @updatedAt
   ticketsAreValid          Boolean       @default(false)
-  author                   User          @relation(fields: [authorId], references: [id])
-  authorId                 Int
+  author                   User          @relation(fields: [authorId], references: [authSchId])
+  authorId                 String
   applications             Application[]
 
   @@index([authorId])
 }
 
 model Application {
   id                  Int               @id @default(autoincrement())
-  user                User              @relation(fields: [userId], references: [id])
-  userId              Int
+  user                User              @relation(fields: [userId], references: [authSchId])
+  userId              String
   applicationPeriod   ApplicationPeriod @relation(fields: [applicationPeriodId], references: [id])
   applicationPeriodId Int
   status              ApplicationStatus @default(SUBMITTED)
@@ -82,8 +81,8 @@ model Post {
   content   String
   preview   String
   visible   Boolean  @default(true)
-  author    User     @relation(fields: [authorId], references: [id])
-  authorId  Int
+  author    User     @relation(fields: [authorId], references: [authSchId])
+  authorId  String
   createdAt DateTime @default(now())
   updatedAt DateTime @updatedAt
 

apps/backend/src/app.module.ts

@@ -3,9 +3,11 @@ import { PrismaModule } from 'nestjs-prisma';
 
 import { AppController } from './app.controller';
 import { AppService } from './app.service';
+import { AuthModule } from './auth/auth.module';
+import { UserModule } from './user/user.module';
 
 @Module({
-  imports: [PrismaModule.forRoot({ isGlobal: true })],
+  imports: [PrismaModule.forRoot({ isGlobal: true }), UserModule, AuthModule],
   controllers: [AppController],
   providers: [AppService],
 })

apps/backend/src/auth/auth.controller.ts

@@ -0,0 +1,40 @@
+import { CurrentUser } from '@kir-dev/passport-authsch';
+import { Controller, Get, Redirect, UseGuards } from '@nestjs/common';
+import { AuthGuard } from '@nestjs/passport';
+import { ApiBearerAuth, ApiTags } from '@nestjs/swagger';
+import { User } from '@prisma/client';
+
+import { AuthService } from './auth.service';
+@ApiTags('auth')
+@Controller('auth')
+export class AuthController {
+  constructor(private authService: AuthService) {}
+  /**
+   * Redirects to the authsch login page
+   */
+  @UseGuards(AuthGuard('authsch'))
+  @Get('login')
+  login() {
+    // never called
+  }
+
+  /**
+   * Endpoint for authsch to call after login
+   * Redirects to the frontend with the jwt token
+   */
+  @Get('callback')
+  @UseGuards(AuthGuard('authsch'))
+  @Redirect()
+  oauthRedirect(@CurrentUser() user: User) {
+    const jwt = this.authService.login(user);
+    return {
+      url: `${process.env.FRONTEND_URL}?jwt=${jwt}`,
+    };
+  }
+  @Get('me')
+  @UseGuards(AuthGuard('jwt'))
+  @ApiBearerAuth()
+  me(@CurrentUser() user: User): User {
+    return user;
+  }
+}

apps/backend/src/auth/auth.module.ts

@@ -0,0 +1,15 @@
+import { Module } from '@nestjs/common';
+import { JwtModule } from '@nestjs/jwt';
+import { PassportModule } from '@nestjs/passport';
+
+import { AuthController } from './auth.controller';
+import { AuthService } from './auth.service';
+import { AuthSchStrategy } from './authsch.strategy';
+import { JwtStrategy } from './jwt.strategy';
+
+@Module({
+  controllers: [AuthController],
+  providers: [AuthService, AuthSchStrategy, JwtStrategy],
+  imports: [PassportModule, JwtModule],
+})
+export class AuthModule {}

apps/backend/src/auth/auth.service.ts

@@ -0,0 +1,35 @@
+import { AuthSchProfile } from '@kir-dev/passport-authsch';
+import { Injectable } from '@nestjs/common';
+import { JwtService } from '@nestjs/jwt';
+import { User } from '@prisma/client';
+import { PrismaService } from 'nestjs-prisma';
+
+@Injectable()
+export class AuthService {
+  constructor(
+    private prisma: PrismaService,
+    private jwtService: JwtService
+  ) {}
+
+  async findOrCreateUser(userProfile: AuthSchProfile): Promise<User> {
+    const user = await this.prisma.user.findUnique({ where: { authSchId: userProfile.authSchId } });
+    if (user) return user;
+    return await this.prisma.user.create({
+      data: {
+        authSchId: userProfile.authSchId,
+        fullName: `${userProfile.lastName} ${userProfile.firstName}`, //this is kinda cring...
+        nickName: userProfile.firstName,
+        email: userProfile.email,
+        isSchResident: true,
+        //TODO: Find a solution for only dorm residents. The userProfile.bmeStatus is undefined. Is it an admin enabled info?
+      },
+    });
+  }
+
+  login(user: User): string {
+    return this.jwtService.sign(user, {
+      secret: process.env.JWT_SECRET,
+      expiresIn: '7 days',
+    });
+  }
+}

apps/backend/src/auth/authsch.strategy.ts

@@ -0,0 +1,21 @@
+import { AuthSchProfile, AuthSchScope, Strategy } from '@kir-dev/passport-authsch';
+import { Injectable } from '@nestjs/common';
+import { PassportStrategy } from '@nestjs/passport';
+import { User } from '@prisma/client';
+
+import { AuthService } from './auth.service';
+
+@Injectable()
+export class AuthSchStrategy extends PassportStrategy(Strategy) {
+  constructor(private authService: AuthService) {
+    super({
+      clientId: process.env.AUTHSCH_CLIENT_ID,
+      clientSecret: process.env.AUTHSCH_CLIENT_SECRET,
+      scopes: [AuthSchScope.BASIC, AuthSchScope.FIRST_NAME, AuthSchScope.LAST_NAME, AuthSchScope.EMAIL],
+    });
+  }
+
+  async validate(userProfile: AuthSchProfile): Promise<User> {
+    return await this.authService.findOrCreateUser(userProfile);
+  }
+}

apps/backend/src/auth/decorators/Roles.decorator.ts

@@ -0,0 +1,5 @@
+import { SetMetadata } from '@nestjs/common';
+import { Role } from '@prisma/client';
+
+export const ROLES_KEY = 'roles';
+export const Roles = (...roles: Role[]) => SetMetadata(ROLES_KEY, roles);

apps/backend/src/auth/jwt.strategy.ts

@@ -0,0 +1,19 @@
+import { Injectable } from '@nestjs/common';
+import { PassportStrategy } from '@nestjs/passport';
+import { User } from '@prisma/client';
+import { ExtractJwt, Strategy } from 'passport-jwt';
+
+@Injectable()
+export class JwtStrategy extends PassportStrategy(Strategy) {
+  constructor() {
+    super({
+      jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
+      ignoreExpiration: false,
+      secretOrKey: process.env.JWT_SECRET,
+    });
+  }
+
+  validate(payload: User): User {
+    return payload;
+  }
+}

apps/backend/src/auth/roles.guard.ts

@@ -0,0 +1,22 @@
+import { CanActivate, ExecutionContext, Injectable } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+import { Role } from '@prisma/client';
+
+import { ROLES_KEY } from './decorators/Roles.decorator';
+
+@Injectable()
+export class RolesGuard implements CanActivate {
+  constructor(private reflector: Reflector) {}
+
+  canActivate(context: ExecutionContext): boolean {
+    const requiredRoles = this.reflector.getAllAndOverride<Role[]>(ROLES_KEY, [
+      context.getHandler(),
+      context.getClass(),
+    ]);
+    if (!requiredRoles) {
+      return true;
+    }
+    const { user } = context.switchToHttp().getRequest();
+    return requiredRoles.some((role) => user.role === role);
+  }
+}

apps/backend/src/main.ts

@@ -1,9 +1,18 @@
 import { NestFactory } from '@nestjs/core';
+import { DocumentBuilder, SwaggerModule } from '@nestjs/swagger';
 
 import { AppModule } from './app.module';
 
 async function bootstrap() {
   const app = await NestFactory.create(AppModule);
-  await app.listen(3001);
+  app.enableCors({
+    origin: [process.env.FRONTEND_URL, 'http://localhost:3000'],
+    methods: ['GET', 'POST', 'PATCH', 'DELETE', 'PUT'],
+    credentials: true,
+  });
+  const config = new DocumentBuilder().setTitle('SCHBody WEB').setVersion('1.0').addBearerAuth().build();
+  const document = SwaggerModule.createDocument(app, config);
+  SwaggerModule.setup('api', app, document);
+  await app.listen(process.env.PORT || 3300);
 }
 bootstrap();

apps/backend/src/user/user.controller.ts

@@ -0,0 +1,8 @@
+import { Controller } from '@nestjs/common';
+
+import { UserService } from './user.service';
+
+@Controller('user')
+export class UserController {
+  constructor(private readonly userService: UserService) {}
+}

apps/backend/src/user/user.module.ts

@@ -0,0 +1,10 @@
+import { Module } from '@nestjs/common';
+
+import { UserController } from './user.controller';
+import { UserService } from './user.service';
+
+@Module({
+  controllers: [UserController],
+  providers: [UserService],
+})
+export class UserModule {}

apps/backend/src/user/user.service.ts

@@ -0,0 +1,4 @@
+import { Injectable } from '@nestjs/common';
+
+@Injectable()
+export class UserService {}