Listory/src/auth/auth.service.ts

import { ForbiddenException, Injectable } from "@nestjs/common";
import { ConfigService } from "@nestjs/config";
import { JwtService } from "@nestjs/jwt";
import { randomBytes } from "crypto";
import { User } from "../users/user.entity";
import { UsersService } from "../users/users.service";
import { ApiToken } from "./api-token.entity";
import { ApiTokenRepository } from "./api-token.repository";
import { AuthSession } from "./auth-session.entity";
import { AuthSessionRepository } from "./auth-session.repository";
import { LoginDto } from "./dto/login.dto";

@Injectable()
export class AuthService {
  private readonly userFilter: null | string;
  private readonly sessionExpirationTime: string;

  constructor(
    private readonly config: ConfigService,
    private readonly usersService: UsersService,
    private readonly jwtService: JwtService,
    private readonly authSessionRepository: AuthSessionRepository,
    private readonly apiTokenRepository: ApiTokenRepository
  ) {
    this.userFilter = this.config.get<string>("SPOTIFY_USER_FILTER");
    this.sessionExpirationTime = this.config.get<string>(
      "SESSION_EXPIRATION_TIME"
    );
  }

  async spotifyLogin({
    accessToken,
    refreshToken,
    profile,
  }: LoginDto): Promise<User> {
    if (!this.allowedByUserFilter(profile.id)) {
      throw new ForbiddenException("UserNotInUserFilter");
    }

    const user = await this.usersService.createOrUpdate({
      displayName: profile.displayName,
      photo: profile.photos.length > 0 ? profile.photos[0].value : null,
      spotify: {
        id: profile.id,
        accessToken,
        refreshToken,
      },
    });

    return user;
  }

  async createSession(user: User): Promise<{
    session: AuthSession;
    refreshToken: string;
  }> {
    const session = this.authSessionRepository.create();

    session.user = user;
    await this.authSessionRepository.save(session);

    const { refreshToken } = await this.createRefreshToken(session);

    return { session, refreshToken };
  }

  /**
   * createRefreshToken should only be used while creating a new session.
   * @param session
   */
  private async createRefreshToken(
    session: AuthSession
  ): Promise<{ refreshToken: string }> {
    const payload = {
      sub: session.user.id,
      name: session.user.displayName,
    };

    const token = await this.jwtService.signAsync(payload, {
      jwtid: session.id,
      // jwtService uses the shorter access token time as a default
      expiresIn: this.sessionExpirationTime,
    });

    return { refreshToken: token };
  }

  async createAccessToken(
    session: AuthSession
  ): Promise<{ accessToken: string }> {
    if (session.revokedAt) {
      throw new ForbiddenException("SessionIsRevoked");
    }

    const payload = {
      sub: session.user.id,
      name: session.user.displayName,
      picture: session.user.photo,
    };

    const token = await this.jwtService.signAsync(payload);

    return { accessToken: token };
  }

  async findSession(id: string): Promise<AuthSession> {
    return this.authSessionRepository.findOneBy({ id });
  }

  async createApiToken(user: User, description: string): Promise<ApiToken> {
    console.log("createApiToken");
    const apiToken = this.apiTokenRepository.create();

    apiToken.user = user;
    apiToken.description = description;

    // TODO demagic 20
    const tokenBuffer = await new Promise<Buffer>((resolve, reject) =>
      randomBytes(20, (err, buf) => (err ? reject(err) : resolve(buf)))
    );
    apiToken.token = `lis${tokenBuffer.toString("hex")}`;

    await this.apiTokenRepository.save(apiToken);

    return apiToken;
  }

  async listApiTokens(user: User): Promise<ApiToken[]> {
    return this.apiTokenRepository.scoped.byUser(user).getMany();
  }

  async revokeApiToken(user: User, id: string): Promise<void> {
    const apiToken = await this.apiTokenRepository.findOneBy({ user, id });

    if (apiToken && apiToken.revokedAt == null) {
      apiToken.revokedAt = new Date();
      await this.apiTokenRepository.save(apiToken);
    }

    return;
  }

  async findApiToken(token: string): Promise<ApiToken> {
    return this.apiTokenRepository.findOneBy({ token });
  }

  async findUser(id: string): Promise<User> {
    return this.usersService.findById(id);
  }

  allowedByUserFilter(spotifyID: string) {
    if (!this.userFilter) {
      return true;
    }

    const whitelistedIDs = this.userFilter.split(",");

    return whitelistedIDs.includes(spotifyID);
  }
}
feat: implement long-lived sessions 2020-09-05 23:35:53 +02:00			`import { ForbiddenException, Injectable } from "@nestjs/common";`
feat(api): add optional spotify user whitelist 2020-05-03 20:18:57 +02:00			`import { ConfigService } from "@nestjs/config";`
			`import { JwtService } from "@nestjs/jwt";`
feat(frontend): manage API tokens in Frontend 2023-02-20 23:50:57 +01:00			`import { randomBytes } from "crypto";`
feat(api): user authentication 2020-02-01 16:11:48 +01:00			`import { User } from "../users/user.entity";`
			`import { UsersService } from "../users/users.service";`
feat(api): API tokens for authentication Create and managed simple API tokens for access to the API from external tools. 2023-02-19 16:16:34 +01:00			`import { ApiToken } from "./api-token.entity";`
			`import { ApiTokenRepository } from "./api-token.repository";`
feat: implement long-lived sessions 2020-09-05 23:35:53 +02:00			`import { AuthSession } from "./auth-session.entity";`
			`import { AuthSessionRepository } from "./auth-session.repository";`
feat(api): user authentication 2020-02-01 16:11:48 +01:00			`import { LoginDto } from "./dto/login.dto";`

			`@Injectable()`
			`export class AuthService {`
feat(api): add optional spotify user whitelist 2020-05-03 20:18:57 +02:00			`private readonly userFilter: null \| string;`
feat: implement long-lived sessions 2020-09-05 23:35:53 +02:00			`private readonly sessionExpirationTime: string;`

feat(api): user authentication 2020-02-01 16:11:48 +01:00			`constructor(`
feat(api): add optional spotify user whitelist 2020-05-03 20:18:57 +02:00			`private readonly config: ConfigService,`
feat(api): user authentication 2020-02-01 16:11:48 +01:00			`private readonly usersService: UsersService,`
feat: implement long-lived sessions 2020-09-05 23:35:53 +02:00			`private readonly jwtService: JwtService,`
feat(api): API tokens for authentication Create and managed simple API tokens for access to the API from external tools. 2023-02-19 16:16:34 +01:00			`private readonly authSessionRepository: AuthSessionRepository,`
			`private readonly apiTokenRepository: ApiTokenRepository`
feat(api): add optional spotify user whitelist 2020-05-03 20:18:57 +02:00			`) {`
			`this.userFilter = this.config.get<string>("SPOTIFY_USER_FILTER");`
feat: implement long-lived sessions 2020-09-05 23:35:53 +02:00			`this.sessionExpirationTime = this.config.get<string>(`
			`"SESSION_EXPIRATION_TIME"`
			`);`
feat(api): add optional spotify user whitelist 2020-05-03 20:18:57 +02:00			`}`
feat(api): user authentication 2020-02-01 16:11:48 +01:00
			`async spotifyLogin({`
			`accessToken,`
			`refreshToken,`
chore(api): update dependencies 2020-05-02 17:17:20 +02:00			`profile,`
feat(api): user authentication 2020-02-01 16:11:48 +01:00			`}: LoginDto): Promise<User> {`
feat(api): add optional spotify user whitelist 2020-05-03 20:18:57 +02:00			`if (!this.allowedByUserFilter(profile.id)) {`
refactor(api): remove deprecated function and rename exception 2021-06-22 20:34:55 +02:00			`throw new ForbiddenException("UserNotInUserFilter");`
feat(api): add optional spotify user whitelist 2020-05-03 20:18:57 +02:00			`}`

feat(api): user authentication 2020-02-01 16:11:48 +01:00			`const user = await this.usersService.createOrUpdate({`
			`displayName: profile.displayName,`
chore(deps): update dependency passport-spotify to v2 2021-08-14 17:30:38 +00:00			`photo: profile.photos.length > 0 ? profile.photos[0].value : null,`
feat(api): user authentication 2020-02-01 16:11:48 +01:00			`spotify: {`
			`id: profile.id,`
			`accessToken,`
chore(api): update dependencies 2020-05-02 17:17:20 +02:00			`refreshToken,`
			`},`
feat(api): user authentication 2020-02-01 16:11:48 +01:00			`});`

			`return user;`
			`}`

chore: run prettier format 2021-05-25 16:01:55 +02:00			`async createSession(user: User): Promise<{`
feat: implement long-lived sessions 2020-09-05 23:35:53 +02:00			`session: AuthSession;`
			`refreshToken: string;`
			`}> {`
			`const session = this.authSessionRepository.create();`

			`session.user = user;`
			`await this.authSessionRepository.save(session);`

refactor(api): remove deprecated function and rename exception 2021-06-22 20:34:55 +02:00			`const { refreshToken } = await this.createRefreshToken(session);`
feat: implement long-lived sessions 2020-09-05 23:35:53 +02:00
			`return { session, refreshToken };`
			`}`

			`/**`
			`* createRefreshToken should only be used while creating a new session.`
			`* @param session`
			`*/`
			`private async createRefreshToken(`
			`session: AuthSession`
feat(api): API tokens for authentication Create and managed simple API tokens for access to the API from external tools. 2023-02-19 16:16:34 +01:00			`): Promise<{ refreshToken: string }> {`
feat: implement long-lived sessions 2020-09-05 23:35:53 +02:00			`const payload = {`
			`sub: session.user.id,`
			`name: session.user.displayName,`
			`};`

			`const token = await this.jwtService.signAsync(payload, {`
			`jwtid: session.id,`
			`// jwtService uses the shorter access token time as a default`
			`expiresIn: this.sessionExpirationTime,`
			`});`

			`return { refreshToken: token };`
			`}`

feat(api): API tokens for authentication Create and managed simple API tokens for access to the API from external tools. 2023-02-19 16:16:34 +01:00			`async createAccessToken(`
			`session: AuthSession`
			`): Promise<{ accessToken: string }> {`
feat: implement long-lived sessions 2020-09-05 23:35:53 +02:00			`if (session.revokedAt) {`
			`throw new ForbiddenException("SessionIsRevoked");`
			`}`

			`const payload = {`
			`sub: session.user.id,`
			`name: session.user.displayName,`
			`picture: session.user.photo,`
			`};`

			`const token = await this.jwtService.signAsync(payload);`

			`return { accessToken: token };`
			`}`

			`async findSession(id: string): Promise<AuthSession> {`
chore(deps): update typeorm 2022-06-25 13:48:25 +00:00			`return this.authSessionRepository.findOneBy({ id });`
feat: implement long-lived sessions 2020-09-05 23:35:53 +02:00			`}`

feat(api): API tokens for authentication Create and managed simple API tokens for access to the API from external tools. 2023-02-19 16:16:34 +01:00			`async createApiToken(user: User, description: string): Promise<ApiToken> {`
			`console.log("createApiToken");`
			`const apiToken = this.apiTokenRepository.create();`

			`apiToken.user = user;`
			`apiToken.description = description;`

			`// TODO demagic 20`
			`const tokenBuffer = await new Promise<Buffer>((resolve, reject) =>`
			`randomBytes(20, (err, buf) => (err ? reject(err) : resolve(buf)))`
			`);`
			apiToken.token = `lis${tokenBuffer.toString("hex")}`;

			`await this.apiTokenRepository.save(apiToken);`

			`return apiToken;`
			`}`

			`async listApiTokens(user: User): Promise<ApiToken[]> {`
			`return this.apiTokenRepository.scoped.byUser(user).getMany();`
			`}`

feat(frontend): manage API tokens in Frontend 2023-02-20 23:50:57 +01:00			`async revokeApiToken(user: User, id: string): Promise<void> {`
			`const apiToken = await this.apiTokenRepository.findOneBy({ user, id });`
feat(api): API tokens for authentication Create and managed simple API tokens for access to the API from external tools. 2023-02-19 16:16:34 +01:00
feat(frontend): manage API tokens in Frontend 2023-02-20 23:50:57 +01:00			`if (apiToken && apiToken.revokedAt == null) {`
			`apiToken.revokedAt = new Date();`
			`await this.apiTokenRepository.save(apiToken);`
			`}`
feat(api): API tokens for authentication Create and managed simple API tokens for access to the API from external tools. 2023-02-19 16:16:34 +01:00
			`return;`
			`}`

			`async findApiToken(token: string): Promise<ApiToken> {`
			`return this.apiTokenRepository.findOneBy({ token });`
			`}`

feat(api): user authentication 2020-02-01 16:11:48 +01:00			`async findUser(id: string): Promise<User> {`
			`return this.usersService.findById(id);`
			`}`
feat(api): add optional spotify user whitelist 2020-05-03 20:18:57 +02:00
			`allowedByUserFilter(spotifyID: string) {`
			`if (!this.userFilter) {`
			`return true;`
			`}`

			`const whitelistedIDs = this.userFilter.split(",");`

			`return whitelistedIDs.includes(spotifyID);`
			`}`
feat(api): user authentication 2020-02-01 16:11:48 +01:00			`}`