-
Notifications
You must be signed in to change notification settings - Fork 0
PM-1437 - Use canActivate for tools #2
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
vas3a
wants to merge
2
commits into
feat/auth
Choose a base branch
from
PM-1437_use-canActivate
base: feat/auth
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
Open
Changes from all commits
Commits
Show all changes
2 commits
Select commit
Hold shift + click to select a range
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,4 +1,5 @@ | ||
export enum Role { | ||
Admin = 'administrator', | ||
User = 'Topcoder User', | ||
} | ||
|
||
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,17 +1,16 @@ | ||
import { CanActivate, ExecutionContext, Injectable } from '@nestjs/common'; | ||
import { Reflector } from '@nestjs/core'; | ||
import { Logger } from 'src/shared/global'; | ||
import { Request } from 'express'; | ||
import { decodeAuthToken } from './guards.utils'; | ||
|
||
@Injectable() | ||
export class AuthGuard implements CanActivate { | ||
private readonly logger = new Logger(AuthGuard.name); | ||
|
||
constructor(private reflector: Reflector) {} | ||
|
||
canActivate(context: ExecutionContext): boolean { | ||
this.logger.log('AuthGuard canActivate called...'); | ||
// Check if the route is marked as public... | ||
|
||
return true; | ||
/** | ||
* Auth guard function to validate the authorization token from the request headers. | ||
* | ||
* @param req - The incoming HTTP request object. | ||
* @returns A promise that resolves to `true` if the authorization token is valid, otherwise `false`. | ||
*/ | ||
export const authGuard = async (req: Request) => { | ||
vas3a marked this conversation as resolved.
Show resolved
Hide resolved
|
||
if (!(await decodeAuthToken(req.headers.authorization ?? ''))) { | ||
return false; | ||
} | ||
} | ||
|
||
return true; | ||
}; |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,35 @@ | ||
import * as jwt from 'jsonwebtoken'; | ||
import { Logger } from 'src/shared/global'; | ||
import { getSigningKey } from '../jwt'; | ||
|
||
const logger = new Logger('guards.utils()'); | ||
|
||
/** | ||
* Decodes and verifies a JWT token from the provided authorization header. | ||
* | ||
* @param authHeader - The authorization header containing the token, expected in the format "Bearer <token>". | ||
* @returns A promise that resolves to the decoded JWT payload if the token is valid, | ||
* a string if the payload is a string, or `false` if the token is invalid or the header is improperly formatted. | ||
* | ||
* @throws This function does not throw directly but will return `false` if an error occurs during verification. | ||
*/ | ||
export const decodeAuthToken = async ( | ||
authHeader: string, | ||
): Promise<boolean | jwt.JwtPayload | string> => { | ||
const [type, idToken] = authHeader?.split(' ') ?? []; | ||
vas3a marked this conversation as resolved.
Show resolved
Hide resolved
|
||
|
||
if (type !== 'Bearer' || !idToken) { | ||
return false; | ||
vas3a marked this conversation as resolved.
Show resolved
Hide resolved
|
||
} | ||
|
||
let decoded: jwt.JwtPayload | string; | ||
try { | ||
const signingKey = await getSigningKey(idToken); | ||
vas3a marked this conversation as resolved.
Show resolved
Hide resolved
|
||
decoded = jwt.verify(idToken, signingKey); | ||
} catch (error) { | ||
logger.error('Error verifying JWT', error); | ||
return false; | ||
vas3a marked this conversation as resolved.
Show resolved
Hide resolved
|
||
} | ||
|
||
return decoded; | ||
}; |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1 +1,3 @@ | ||
export * from './auth.guard'; | ||
export * from './m2m-scope.guard'; | ||
export * from './role.guard'; |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,30 @@ | ||
import { Request } from 'express'; | ||
import { decodeAuthToken } from './guards.utils'; | ||
vas3a marked this conversation as resolved.
Show resolved
Hide resolved
|
||
import { JwtPayload } from 'jsonwebtoken'; | ||
import { M2mScope } from '../auth.constants'; | ||
|
||
/** | ||
* A utility function to check if the required M2M (Machine-to-Machine) scopes are present | ||
* in the authorization token provided in the request headers. | ||
* | ||
* @param {...M2mScope[]} requiredM2mScopes - The list of required M2M scopes to validate against. | ||
* @returns {Promise<(req: Request) => boolean>} A function that takes an Express `Request` object | ||
* and returns a boolean indicating whether the required scopes are present. | ||
* | ||
* The function decodes the authorization token from the request headers and checks if | ||
* the required scopes are included in the token's scope claim. | ||
*/ | ||
export const checkM2MScope = | ||
(...requiredM2mScopes: M2mScope[]) => | ||
async (req: Request) => { | ||
const decodedAuth = await decodeAuthToken(req.headers.authorization ?? ''); | ||
|
||
const authorizedScopes = ((decodedAuth as JwtPayload).scope ?? '').split( | ||
vas3a marked this conversation as resolved.
Show resolved
Hide resolved
|
||
' ', | ||
); | ||
if (!requiredM2mScopes.some((scope) => authorizedScopes.includes(scope))) { | ||
return false; | ||
} | ||
|
||
return true; | ||
}; |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,34 @@ | ||
import { Request } from 'express'; | ||
import { decodeAuthToken } from './guards.utils'; | ||
import { Role } from '../auth.constants'; | ||
|
||
/** | ||
* A utility function to check if the required user role are present | ||
* in the authorization token provided in the request headers. | ||
* | ||
* @param {...Role[]} requiredUserRoles - The list of required user roles to validate against. | ||
* @returns {Promise<(req: Request) => boolean>} A function that takes an Express `Request` object | ||
* and returns a boolean indicating whether the required scopes are present. | ||
* | ||
* The function decodes the authorization token from the request headers and checks if | ||
* the required user roles are included in the token's scope claim. | ||
*/ | ||
export const checkHasUserRole = | ||
(...requiredUserRoles: Role[]) => | ||
async (req: Request) => { | ||
vas3a marked this conversation as resolved.
Show resolved
Hide resolved
|
||
const decodedAuth = await decodeAuthToken(req.headers.authorization ?? ''); | ||
|
||
const decodedUserRoles = Object.keys(decodedAuth).reduce((roles, key) => { | ||
vas3a marked this conversation as resolved.
Show resolved
Hide resolved
|
||
if (key.match(/claims\/roles$/gi)) { | ||
return decodedAuth[key] as string[]; | ||
vas3a marked this conversation as resolved.
Show resolved
Hide resolved
|
||
} | ||
|
||
return roles; | ||
}, []); | ||
|
||
if (!requiredUserRoles.some((role) => decodedUserRoles.includes(role))) { | ||
return false; | ||
} | ||
|
||
return true; | ||
}; |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.