BC-6522 - Move auth guards and decorator to seperate module

apps/server/src/imports-from-feathers.ts

@@ -1,5 +1,6 @@
 /* eslint-disable import/extensions */
 export { BruteForcePrevention } from '../../../src/errors/index.js';
+export { authConfig } from '../../../src/services/authentication/configuration';
 export {
 	addTokenToWhitelist,
 	createRedisIdentifierFromJwtData,

apps/server/src/infra/auth-guard/adapter/index.ts

@@ -0,0 +1 @@
+export { JwtValidationAdapter } from './jwt-validation.adapter';

apps/server/src/infra/auth-guard/adapter/jwt-validation.adapter.spec.ts

@@ -0,0 +1,2 @@
+// isWhitelisted method is currently tested in authentication modul JwtWhitelistAdapter. Test should be moved here after feathers migration and adding of redis adapter in nest
+it('just to have one test', () => {});

apps/server/src/infra/auth-guard/adapter/jwt-validation.adapter.ts

@@ -0,0 +1,15 @@
+import { Injectable } from '@nestjs/common';
+import { ensureTokenIsWhitelisted } from '@src/imports-from-feathers';
+
+@Injectable()
+export class JwtValidationAdapter {
+	/**
+	 * When validating a jwt it must be added to a whitelist, here we check this.
+	 * When the jwt is validated, the expiration time will be extended with this call.
+	 * @param accountId users account id
+	 * @param jti jwt id (here required to make jwt identifiers identical in redis)
+	 */
+	async isWhitelisted(accountId: string, jti: string): Promise<void> {
+		await ensureTokenIsWhitelisted({ accountId, jti, privateDevice: false });
+	}
+}

apps/server/src/infra/auth-guard/auth-guard.module.ts

@@ -0,0 +1,11 @@
+import { Module } from '@nestjs/common';
+import { PassportModule } from '@nestjs/passport';
+import { JwtValidationAdapter } from './adapter';
+import { JwtStrategy, WsJwtStrategy, XApiKeyStrategy } from './strategy';
+
+@Module({
+	imports: [PassportModule],
+	providers: [JwtStrategy, WsJwtStrategy, JwtValidationAdapter, XApiKeyStrategy],
+	exports: [JwtValidationAdapter],
+})
+export class AuthGuardModule {}

apps/server/src/infra/auth-guard/config/auth-config.ts

@@ -0,0 +1,4 @@
+import { authConfig as feathersAuthConfig } from '@src/imports-from-feathers';
+import { AuthConfigMapper } from '../mapper';
+
+export const authConfig = AuthConfigMapper.mapFeathersAuthConfigToAuthConfig(feathersAuthConfig);

apps/server/src/modules/authentication/config/index.ts → apps/server/src/infra/auth-guard/config/index.ts

@@ -1 +1,2 @@
+export * from './auth-config';
 export * from './x-api-key.config';

apps/server/src/infra/auth-guard/decorator/index.ts

@@ -0,0 +1 @@
+export * from './jwt-auth.decorator';

apps/server/src/modules/authentication/decorator/auth.decorator.spec.ts → apps/server/src/infra/auth-guard/decorator/jwt-auth.decorator.spec.ts

@@ -1,13 +1,13 @@
 /* eslint-disable @typescript-eslint/no-unused-vars */
-import { ICurrentUser } from '@modules/authentication';
 import { ServerTestModule } from '@modules/server/server.module';
-import { Controller, ExecutionContext, ForbiddenException, Get, INestApplication } from '@nestjs/common';
+import { Controller, ExecutionContext, Get, INestApplication } from '@nestjs/common';
 import { Test, TestingModule } from '@nestjs/testing';
 import request from 'supertest';
-import { JwtAuthGuard } from '../guard/jwt-auth.guard';
-import { Authenticate, CurrentUser, JWT } from './auth.decorator';
+import { JwtAuthGuard } from '../guard';
+import { ICurrentUser } from '../interface';
+import { CurrentUser, JWT, JwtAuthentication } from './jwt-auth.decorator';
 
-@Authenticate('jwt')
+@JwtAuthentication()
 @Controller('test_decorator_currentUser')
 export class TestDecoratorCurrentUserController {
 	@Get('test')
@@ -16,7 +16,7 @@ export class TestDecoratorCurrentUserController {
 	}
 }
 
-@Authenticate('jwt')
+@JwtAuthentication()
 @Controller('test_decorator_JWT')
 export class TestDecoratorJWTController {
 	@Get('test')
@@ -25,7 +25,7 @@ export class TestDecoratorJWTController {
 	}
 }
 
-describe('auth.decorator', () => {
+describe('Jwt auth decorator', () => {
 	let app: INestApplication;
 	let currentUser: ICurrentUser;
 	let module: TestingModule;
@@ -59,7 +59,7 @@ describe('auth.decorator', () => {
 		await module.close();
 	});
 
-	describe('JWT', () => {
+	describe('JwtAuthentication', () => {
 		it('should throw with UnauthorizedException if no jwt can be extracted from request context', async () => {
 			const response = await request(app.getHttpServer()).get('/test_decorator_JWT/test');
 
@@ -86,12 +86,4 @@ describe('auth.decorator', () => {
 			expect(response.statusCode).toEqual(401);
 		});
 	});
-
-	describe('Authenticate', () => {
-		it('should throw with UnauthorizedException if no jwt user data can be extracted from request context', () => {
-			// @ts-expect-error Testcase
-			const exec = () => Authenticate('bla');
-			expect(exec).toThrowError(new ForbiddenException('jwt strategy required'));
-		});
-	});
 });

apps/server/src/modules/authentication/decorator/auth.decorator.ts → apps/server/src/infra/auth-guard/decorator/jwt-auth.decorator.ts

@@ -2,35 +2,27 @@ import {
 	applyDecorators,
 	createParamDecorator,
 	ExecutionContext,
-	ForbiddenException,
 	UnauthorizedException,
 	UseGuards,
 } from '@nestjs/common';
 import { ApiBearerAuth } from '@nestjs/swagger';
-import { Request } from 'express';
 import { extractJwtFromHeader } from '@shared/common';
-import { JwtAuthGuard } from '../guard/jwt-auth.guard';
-import { ICurrentUser, isICurrentUser } from '../interface/user';
-
-const STRATEGIES = ['jwt'] as const;
-type Strategies = typeof STRATEGIES;
+import { Request } from 'express';
+import { JwtAuthGuard } from '../guard';
+import { ICurrentUser, isICurrentUser } from '../interface';
 
 /**
  * Authentication Decorator taking care of require authentication header to be present, setting up the user context and extending openAPI spec.
- * @param strategies accepted strategies
- * @returns
  */
-export const Authenticate = (...strategies: Strategies) => {
-	if (strategies.includes('jwt')) {
-		const decorators = [
-			// apply jwt authentication
-			UseGuards(JwtAuthGuard),
-			// add jwt authentication to openapi spec
-			ApiBearerAuth(),
-		];
-		return applyDecorators(...decorators);
-	}
-	throw new ForbiddenException('jwt strategy required');
+export const JwtAuthentication = () => {
+	const decorators = [
+		// apply jwt authentication
+		UseGuards(JwtAuthGuard),
+		// add jwt authentication to openapi spec
+		ApiBearerAuth(),
+	];
+
+	return applyDecorators(...decorators);
 };
 
 /**

apps/server/src/infra/auth-guard/guard/index.ts

@@ -0,0 +1,3 @@
+export * from './jwt-auth.guard';
+export * from './ws-jwt-auth.guard';
+export * from './x-api-key-auth.guard';

apps/server/src/infra/auth-guard/guard/jwt-auth.guard.ts

@@ -0,0 +1,6 @@
+import { Injectable } from '@nestjs/common';
+import { AuthGuard } from '@nestjs/passport';
+import { StrategyType } from '../interface';
+
+@Injectable()
+export class JwtAuthGuard extends AuthGuard(StrategyType.JWT) {}

apps/server/src/modules/authentication/guard/ws-jwt-auth.guard.ts → apps/server/src/infra/auth-guard/guard/ws-jwt-auth.guard.ts

@@ -1,7 +1,8 @@
 import { ExecutionContext } from '@nestjs/common';
 import { AuthGuard } from '@nestjs/passport';
+import { StrategyType } from '../interface';
 
-export class WsJwtAuthGuard extends AuthGuard('wsjwt') {
+export class WsJwtAuthGuard extends AuthGuard(StrategyType.WS_JWT) {
 	getRequest(context: ExecutionContext) {
 		// eslint-disable-next-line @typescript-eslint/no-unsafe-return, @typescript-eslint/no-unsafe-member-access
 		return context.switchToWs().getClient().handshake;

apps/server/src/infra/auth-guard/guard/x-api-key-auth.guard.ts

@@ -0,0 +1,6 @@
+import { Injectable } from '@nestjs/common';
+import { AuthGuard } from '@nestjs/passport';
+import { StrategyType } from '../interface';
+
+@Injectable()
+export class ApiKeyGuard extends AuthGuard(StrategyType.API_KEY) {}

apps/server/src/infra/auth-guard/index.ts

@@ -0,0 +1,9 @@
+export { JwtValidationAdapter } from './adapter';
+export { AuthGuardModule } from './auth-guard.module';
+export { XApiKeyConfig, authConfig } from './config';
+export { CurrentUser, JWT, JwtAuthentication } from './decorator';
+// JwtAuthGuard only exported because api tests still overried this guard.
+// Use JwtAuthentication decorator for request validation
+export { ApiKeyGuard, JwtAuthGuard, WsJwtAuthGuard } from './guard';
+export { CreateJwtPayload, ICurrentUser, JwtPayload, StrategyType } from './interface';
+export { CurrentUserMapper } from './mapper';

apps/server/src/infra/auth-guard/interface/index.ts

@@ -0,0 +1,3 @@
+export * from './jwt-payload';
+export * from './strategy-type';
+export * from './user';

apps/server/src/infra/auth-guard/interface/strategy-type.ts

@@ -0,0 +1,5 @@
+export enum StrategyType {
+	JWT = 'jwt',
+	WS_JWT = 'wsjwt',
+	API_KEY = 'api-key',
+}