backend/src/auth/auth.service.ts

import {
  BadRequestException,
  ForbiddenException,
  Injectable,
  UnauthorizedException,
} from "@nestjs/common";
import { JwtService } from "@nestjs/jwt";
import { User } from "@prisma/client";
import { PrismaClientKnownRequestError } from "@prisma/client/runtime";
import * as argon from "argon2";
import * as moment from "moment";
import { ConfigService } from "src/config/config.service";
import { PrismaService } from "src/prisma/prisma.service";
import { AuthRegisterDTO } from "./dto/authRegister.dto";
import { AuthSignInDTO } from "./dto/authSignIn.dto";

@Injectable()
export class AuthService {
  constructor(
    private prisma: PrismaService,
    private jwtService: JwtService,
    private config: ConfigService
  ) {}

  async signUp(dto: AuthRegisterDTO) {
    const isFirstUser = this.config.get("SETUP_STATUS") == "STARTED";

    const hash = await argon.hash(dto.password);
    try {
      const user = await this.prisma.user.create({
        data: {
          email: dto.email,
          username: dto.username,
          password: hash,
          isAdmin: isFirstUser,
        },
      });

      if (isFirstUser) {
        await this.config.changeSetupStatus("REGISTERED");
      }

      const { refreshToken, refreshTokenId } = await this.createRefreshToken(
        user.id
      );
      const accessToken = await this.createAccessToken(user, refreshTokenId);

      return { accessToken, refreshToken };
    } catch (e) {
      if (e instanceof PrismaClientKnownRequestError) {
        if (e.code == "P2002") {
          const duplicatedField: string = e.meta.target[0];
          throw new BadRequestException(
            `A user with this ${duplicatedField} already exists`
          );
        }
      }
    }
  }

  async signIn(dto: AuthSignInDTO) {
    if (!dto.email && !dto.username)
      throw new BadRequestException("Email or username is required");

    const user = await this.prisma.user.findFirst({
      where: {
        OR: [{ email: dto.email }, { username: dto.username }],
      },
    });

    if (!user || !(await argon.verify(user.password, dto.password)))
      throw new UnauthorizedException("Wrong email or password");

    // TODO: Make all old loginTokens invalid when a new one is created
    // Check if the user has TOTP enabled
    if (user.totpVerified) {
      const loginToken = await this.createLoginToken(user.id);

      return { loginToken };
    }

    const { refreshToken, refreshTokenId } = await this.createRefreshToken(
      user.id
    );
    const accessToken = await this.createAccessToken(user, refreshTokenId);

    return { accessToken, refreshToken };
  }

  async updatePassword(user: User, oldPassword: string, newPassword: string) {
    if (!(await argon.verify(user.password, oldPassword)))
      throw new ForbiddenException("Invalid password");

    const hash = await argon.hash(newPassword);

    await this.prisma.refreshToken.deleteMany({
      where: { userId: user.id },
    });

    await this.prisma.user.update({
      where: { id: user.id },
      data: { password: hash },
    });

    return this.createRefreshToken(user.id);
  }

  async createAccessToken(user: User, refreshTokenId: string) {
    return this.jwtService.sign(
      {
        sub: user.id,
        email: user.email,
        isAdmin: user.isAdmin,
        refreshTokenId,
      },
      {
        expiresIn: "15min",
        secret: this.config.get("JWT_SECRET"),
      }
    );
  }

  async signOut(accessToken: string) {
    const { refreshTokenId } =
      (this.jwtService.decode(accessToken) as {
        refreshTokenId: string;
      }) || {};

    if (refreshTokenId) {
      await this.prisma.refreshToken
        .delete({ where: { id: refreshTokenId } })
        .catch((e) => {
          // Ignore error if refresh token doesn't exist
          if (e.code != "P2025") throw e;
        });
    }
  }

  async refreshAccessToken(refreshToken: string) {
    const refreshTokenMetaData = await this.prisma.refreshToken.findUnique({
      where: { token: refreshToken },
      include: { user: true },
    });

    if (!refreshTokenMetaData || refreshTokenMetaData.expiresAt < new Date())
      throw new UnauthorizedException();

    return this.createAccessToken(
      refreshTokenMetaData.user,
      refreshTokenMetaData.id
    );
  }

  async createRefreshToken(userId: string) {
    const { id, token } = await this.prisma.refreshToken.create({
      data: { userId, expiresAt: moment().add(3, "months").toDate() },
    });

    return { refreshTokenId: id, refreshToken: token };
  }

  async createLoginToken(userId: string) {
    const loginToken = (
      await this.prisma.loginToken.create({
        data: { userId, expiresAt: moment().add(5, "minutes").toDate() },
      })
    ).token;

    return loginToken;
  }
}
feat: remove appwrite and add nextjs backend 2022-10-09 22:30:32 +02:00			`import {`
			`BadRequestException,`
feat: add user management 2022-12-05 15:53:24 +01:00			`ForbiddenException,`
feat: remove appwrite and add nextjs backend 2022-10-09 22:30:32 +02:00			`Injectable,`
			`UnauthorizedException,`
			`} from "@nestjs/common";`
			`import { JwtService } from "@nestjs/jwt";`
			`import { User } from "@prisma/client";`
			`import { PrismaClientKnownRequestError } from "@prisma/client/runtime";`
			`import * as argon from "argon2";`
feat: remove postgres & use a single docker container 2022-10-11 22:30:06 +02:00			`import * as moment from "moment";`
feat: add new config strategy to backend 2022-11-28 15:04:32 +01:00			`import { ConfigService } from "src/config/config.service";`
feat: remove appwrite and add nextjs backend 2022-10-09 22:30:32 +02:00			`import { PrismaService } from "src/prisma/prisma.service";`
			`import { AuthRegisterDTO } from "./dto/authRegister.dto";`
fix: dto returns 2022-10-10 17:58:42 +02:00			`import { AuthSignInDTO } from "./dto/authSignIn.dto";`
feat: remove appwrite and add nextjs backend 2022-10-09 22:30:32 +02:00
			`@Injectable()`
			`export class AuthService {`
			`constructor(`
			`private prisma: PrismaService,`
			`private jwtService: JwtService,`
			`private config: ConfigService`
			`) {}`

			`async signUp(dto: AuthRegisterDTO) {`
fix: admin users were created while the setup wizard wasn't finished 2023-01-26 15:43:13 +01:00			`const isFirstUser = this.config.get("SETUP_STATUS") == "STARTED";`

feat: remove appwrite and add nextjs backend 2022-10-09 22:30:32 +02:00			`const hash = await argon.hash(dto.password);`
			`try {`
			`const user = await this.prisma.user.create({`
			`data: {`
			`email: dto.email,`
feat: add setup wizard 2022-12-01 23:07:49 +01:00			`username: dto.username,`
feat: remove appwrite and add nextjs backend 2022-10-09 22:30:32 +02:00			`password: hash,`
fix: admin users were created while the setup wizard wasn't finished 2023-01-26 15:43:13 +01:00			`isAdmin: isFirstUser,`
feat: remove appwrite and add nextjs backend 2022-10-09 22:30:32 +02:00			`},`
			`});`

fix: admin users were created while the setup wizard wasn't finished 2023-01-26 15:43:13 +01:00			`if (isFirstUser) {`
			`await this.config.changeSetupStatus("REGISTERED");`
			`}`

feat: use cookies for authentication 2023-01-04 11:54:28 +01:00			`const { refreshToken, refreshTokenId } = await this.createRefreshToken(`
			`user.id`
			`);`
			`const accessToken = await this.createAccessToken(user, refreshTokenId);`
feat: remove appwrite and add nextjs backend 2022-10-09 22:30:32 +02:00
			`return { accessToken, refreshToken };`
			`} catch (e) {`
			`if (e instanceof PrismaClientKnownRequestError) {`
			`if (e.code == "P2002") {`
feat: add setup wizard 2022-12-01 23:07:49 +01:00			`const duplicatedField: string = e.meta.target[0];`
			`throw new BadRequestException(`
			`A user with this ${duplicatedField} already exists`
			`);`
feat: remove appwrite and add nextjs backend 2022-10-09 22:30:32 +02:00			`}`
			`}`
			`}`
			`}`

fix: dto returns 2022-10-10 17:58:42 +02:00			`async signIn(dto: AuthSignInDTO) {`
feat: add setup wizard 2022-12-01 23:07:49 +01:00			`if (!dto.email && !dto.username)`
			`throw new BadRequestException("Email or username is required");`

			`const user = await this.prisma.user.findFirst({`
feat: remove appwrite and add nextjs backend 2022-10-09 22:30:32 +02:00			`where: {`
feat: add setup wizard 2022-12-01 23:07:49 +01:00			`OR: [{ email: dto.email }, { username: dto.username }],`
feat: remove appwrite and add nextjs backend 2022-10-09 22:30:32 +02:00			`},`
			`});`

			`if (!user \|\| !(await argon.verify(user.password, dto.password)))`
			`throw new UnauthorizedException("Wrong email or password");`

feat: TOTP (two-factor) Authentication (#55) * Working on some initial prototype stuff for TOTP * Fixed a bug that prevented the change password menu from working * Enable/disable totp working * Added the new login procedure including TOTP! :) * misc: Changed bad description for the TOTP_SECRET env var * I forgot to include the migration for the new prisma stuff * fix: refresh user context instead refreshing the page * refactor: simplify totp error handling * Removed U2F tab + format schema * fix: tokens not saved in cookies * refactor: deleted commented out code * refactor: move password text to input description * refactor: remove tabler icon package Co-authored-by: Elias Schneider <login@eliasschneider.com> Co-authored-by: Elias Schneider <58886915+stonith404@users.noreply.github.com> 2022-12-21 11:58:37 -05:00			`// TODO: Make all old loginTokens invalid when a new one is created`
			`// Check if the user has TOTP enabled`
			`if (user.totpVerified) {`
			`const loginToken = await this.createLoginToken(user.id);`

			`return { loginToken };`
			`}`

feat: use cookies for authentication 2023-01-04 11:54:28 +01:00			`const { refreshToken, refreshTokenId } = await this.createRefreshToken(`
			`user.id`
			`);`
			`const accessToken = await this.createAccessToken(user, refreshTokenId);`
feat: TOTP (two-factor) Authentication (#55) * Working on some initial prototype stuff for TOTP * Fixed a bug that prevented the change password menu from working * Enable/disable totp working * Added the new login procedure including TOTP! :) * misc: Changed bad description for the TOTP_SECRET env var * I forgot to include the migration for the new prisma stuff * fix: refresh user context instead refreshing the page * refactor: simplify totp error handling * Removed U2F tab + format schema * fix: tokens not saved in cookies * refactor: deleted commented out code * refactor: move password text to input description * refactor: remove tabler icon package Co-authored-by: Elias Schneider <login@eliasschneider.com> Co-authored-by: Elias Schneider <58886915+stonith404@users.noreply.github.com> 2022-12-21 11:58:37 -05:00
			`return { accessToken, refreshToken };`
			`}`

feat: add user management 2022-12-05 15:53:24 +01:00			`async updatePassword(user: User, oldPassword: string, newPassword: string) {`
feat: TOTP (two-factor) Authentication (#55) * Working on some initial prototype stuff for TOTP * Fixed a bug that prevented the change password menu from working * Enable/disable totp working * Added the new login procedure including TOTP! :) * misc: Changed bad description for the TOTP_SECRET env var * I forgot to include the migration for the new prisma stuff * fix: refresh user context instead refreshing the page * refactor: simplify totp error handling * Removed U2F tab + format schema * fix: tokens not saved in cookies * refactor: deleted commented out code * refactor: move password text to input description * refactor: remove tabler icon package Co-authored-by: Elias Schneider <login@eliasschneider.com> Co-authored-by: Elias Schneider <58886915+stonith404@users.noreply.github.com> 2022-12-21 11:58:37 -05:00			`if (!(await argon.verify(user.password, oldPassword)))`
feat: add user management 2022-12-05 15:53:24 +01:00			`throw new ForbiddenException("Invalid password");`

			`const hash = await argon.hash(newPassword);`
refactor: convert config variables to upper case 2022-12-05 16:53:52 +01:00
feat: delete all sessions if password was changed 2023-01-10 13:32:37 +01:00			`await this.prisma.refreshToken.deleteMany({`
			`where: { userId: user.id },`
			`});`

			`await this.prisma.user.update({`
feat: add user management 2022-12-05 15:53:24 +01:00			`where: { id: user.id },`
			`data: { password: hash },`
			`});`
feat: delete all sessions if password was changed 2023-01-10 13:32:37 +01:00
			`return this.createRefreshToken(user.id);`
feat: add user management 2022-12-05 15:53:24 +01:00			`}`

feat: use cookies for authentication 2023-01-04 11:54:28 +01:00			`async createAccessToken(user: User, refreshTokenId: string) {`
feat: remove appwrite and add nextjs backend 2022-10-09 22:30:32 +02:00			`return this.jwtService.sign(`
			`{`
			`sub: user.id,`
			`email: user.email,`
refactor: handle authentication state in middleware 2023-02-04 18:12:49 +01:00			`isAdmin: user.isAdmin,`
feat: use cookies for authentication 2023-01-04 11:54:28 +01:00			`refreshTokenId,`
feat: remove appwrite and add nextjs backend 2022-10-09 22:30:32 +02:00			`},`
			`{`
fix: invalid redirection after jwt expiry 2023-02-06 11:15:46 +01:00			`expiresIn: "15min",`
refactor: convert config variables to upper case 2022-12-05 16:53:52 +01:00			`secret: this.config.get("JWT_SECRET"),`
feat: remove appwrite and add nextjs backend 2022-10-09 22:30:32 +02:00			`}`
			`);`
			`}`

feat: use cookies for authentication 2023-01-04 11:54:28 +01:00			`async signOut(accessToken: string) {`
refactor: handle authentication state in middleware 2023-02-04 18:12:49 +01:00			`const { refreshTokenId } =`
			`(this.jwtService.decode(accessToken) as {`
			`refreshTokenId: string;`
			`}) \|\| {};`

			`if (refreshTokenId) {`
			`await this.prisma.refreshToken`
			`.delete({ where: { id: refreshTokenId } })`
			`.catch((e) => {`
			`// Ignore error if refresh token doesn't exist`
			`if (e.code != "P2025") throw e;`
			`});`
			`}`
feat: use cookies for authentication 2023-01-04 11:54:28 +01:00			`}`

feat: remove appwrite and add nextjs backend 2022-10-09 22:30:32 +02:00			`async refreshAccessToken(refreshToken: string) {`
			`const refreshTokenMetaData = await this.prisma.refreshToken.findUnique({`
			`where: { token: refreshToken },`
			`include: { user: true },`
			`});`

			`if (!refreshTokenMetaData \|\| refreshTokenMetaData.expiresAt < new Date())`
			`throw new UnauthorizedException();`

feat: use cookies for authentication 2023-01-04 11:54:28 +01:00			`return this.createAccessToken(`
			`refreshTokenMetaData.user,`
			`refreshTokenMetaData.id`
			`);`
feat: remove appwrite and add nextjs backend 2022-10-09 22:30:32 +02:00			`}`

			`async createRefreshToken(userId: string) {`
feat: use cookies for authentication 2023-01-04 11:54:28 +01:00			`const { id, token } = await this.prisma.refreshToken.create({`
			`data: { userId, expiresAt: moment().add(3, "months").toDate() },`
			`});`
feat: remove appwrite and add nextjs backend 2022-10-09 22:30:32 +02:00
feat: use cookies for authentication 2023-01-04 11:54:28 +01:00			`return { refreshTokenId: id, refreshToken: token };`
feat: remove appwrite and add nextjs backend 2022-10-09 22:30:32 +02:00			`}`
feat: TOTP (two-factor) Authentication (#55) * Working on some initial prototype stuff for TOTP * Fixed a bug that prevented the change password menu from working * Enable/disable totp working * Added the new login procedure including TOTP! :) * misc: Changed bad description for the TOTP_SECRET env var * I forgot to include the migration for the new prisma stuff * fix: refresh user context instead refreshing the page * refactor: simplify totp error handling * Removed U2F tab + format schema * fix: tokens not saved in cookies * refactor: deleted commented out code * refactor: move password text to input description * refactor: remove tabler icon package Co-authored-by: Elias Schneider <login@eliasschneider.com> Co-authored-by: Elias Schneider <58886915+stonith404@users.noreply.github.com> 2022-12-21 11:58:37 -05:00
			`async createLoginToken(userId: string) {`
			`const loginToken = (`
			`await this.prisma.loginToken.create({`
			`data: { userId, expiresAt: moment().add(5, "minutes").toDate() },`
			`})`
			`).token;`

			`return loginToken;`
			`}`
feat: remove appwrite and add nextjs backend 2022-10-09 22:30:32 +02:00			`}`