refactor(oauth2): make token endpoint private

Author: tugascript

src/auth/auth.controller.ts

@@ -163,8 +163,9 @@ export class AuthController {
   public async logout(
     @Req() req: FastifyRequest,
     @Res() res: FastifyReply,
+    @Body() refreshAccessDto?: RefreshAccessDto,
   ): Promise<void> {
-    const token = this.refreshTokenFromReq(req);
+    const token = this.refreshTokenFromReq(req, refreshAccessDto);
     const message = await this.authService.logout(token);
     res
       .clearCookie(this.cookieName, { path: this.cookiePath })

src/oauth2/dtos/token.dto.ts

@@ -16,7 +16,7 @@
 */
 
 import { ApiProperty } from '@nestjs/swagger';
-import { IsString, Length } from 'class-validator';
+import { IsString, IsUrl, Length } from 'class-validator';
 
 export abstract class TokenDto {
   @ApiProperty({
@@ -29,4 +29,13 @@ export abstract class TokenDto {
   @IsString()
   @Length(1, 22)
   public code: string;
+
+  @ApiProperty({
+    description: 'Redirect URI that was used to get the token',
+    example: 'https://example.com/auth/callback',
+    type: String,
+  })
+  @IsString()
+  @IsUrl()
+  public redirectUri: string;
 }

src/oauth2/interfaces/callback-result.interface.ts

@@ -0,0 +1,22 @@
+/*
+ Copyright (C) 2024 Afonso Barracha
+
+ Nest OAuth is free software: you can redistribute it and/or modify
+ it under the terms of the GNU Lesser General Public License as published by
+ the Free Software Foundation, either version 3 of the License, or
+ (at your option) any later version.
+
+ Nest OAuth is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ GNU Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License
+ along with Nest OAuth.  If not, see <https://www.gnu.org/licenses/>.
+*/
+
+export interface ICallbackResult {
+  readonly code: string;
+  readonly accessToken: string;
+  readonly expiresIn: number;
+}

src/oauth2/oauth2.controller.ts

@@ -23,6 +23,7 @@ import {
   Post,
   Query,
   Res,
+  UnauthorizedException,
   UseGuards,
 } from '@nestjs/common';
 import { ConfigService } from '@nestjs/config';
@@ -47,6 +48,7 @@ import {
   IMicrosoftUser,
 } from './interfaces/user-response.interface';
 import { Oauth2Service } from './oauth2.service';
+import { CurrentUser } from '../auth/decorators/current-user.decorator';
 
 @ApiTags('Oauth2')
 @Controller('api/auth/ext')
@@ -210,7 +212,6 @@ export class Oauth2Controller {
     return this.callbackAndRedirect(res, provider, email, name);
   }
 
-  @Public()
   @Post('token')
   @ApiResponse({
     description: "Returns the user's OAuth 2 response",
@@ -220,10 +221,15 @@ export class Oauth2Controller {
     description: 'Code or state is invalid',
   })
   public async token(
+    @CurrentUser() userId: number,
     @Body() tokenDto: TokenDto,
     @Res() res: FastifyReply,
   ): Promise<void> {
-    const result = await this.oauth2Service.token(tokenDto.code);
+    if (tokenDto.redirectUri !== this.url + '/auth/callback') {
+      throw new UnauthorizedException();
+    }
+
+    const result = await this.oauth2Service.token(tokenDto.code, userId);
     return res
       .cookie(this.cookieName, result.refreshToken, {
         secure: !this.testing,
@@ -252,9 +258,20 @@ export class Oauth2Controller {
     email: string,
     name: string,
   ): Promise<FastifyReply> {
-    const code = await this.oauth2Service.callback(provider, email, name);
+    const { code, accessToken, expiresIn } = await this.oauth2Service.callback(
+      provider,
+      email,
+      name,
+    );
+    const urlSearchParams = new URLSearchParams({
+      code,
+      accessToken,
+      tokenType: 'Bearer',
+      expiresIn: expiresIn.toString(),
+    });
+
     return res
       .status(HttpStatus.ACCEPTED)
-      .redirect(`${this.url}/callback?code=${code}`);
+      .redirect(`${this.url}/auth/callback?${urlSearchParams.toString()}`);
   }
 }

src/oauth2/oauth2.service.ts

@@ -38,6 +38,8 @@ import { UsersService } from '../users/users.service';
 import { OAuthClass } from './classes/oauth.class';
 import { ICallbackQuery } from './interfaces/callback-query.interface';
 import { IClient } from './interfaces/client.interface';
+import { TokenTypeEnum } from '../jwt/enums/token-type.enum';
+import { ICallbackResult } from './interfaces/callback-result.interface';
 
 @Injectable()
 export class Oauth2Service {
@@ -165,7 +167,7 @@ export class Oauth2Service {
     provider: OAuthProvidersEnum,
     email: string,
     name: string,
-  ): Promise<string> {
+  ): Promise<ICallbackResult> {
     const user = await this.usersService.findOrCreate(provider, email, name);
 
     const code = Oauth2Service.generateCode();
@@ -177,22 +179,34 @@ export class Oauth2Service {
       ),
     );
 
-    return code;
+    const accessToken = await this.jwtService.generateToken(
+      user,
+      TokenTypeEnum.ACCESS,
+    );
+    return {
+      code,
+      accessToken,
+      expiresIn: this.jwtService.accessTime,
+    };
   }
 
-  public async token(code: string): Promise<IAuthResult> {
+  public async token(code: string, userId: number): Promise<IAuthResult> {
     const codeKey = Oauth2Service.getOAuthCodeKey(code);
     const email = await this.commonService.throwInternalError(
       this.cacheManager.get<string>(codeKey),
     );
 
     if (!email) {
-      throw new UnauthorizedException('Code is invalid or expired');
+      throw new UnauthorizedException();
     }
 
     await this.commonService.throwInternalError(this.cacheManager.del(codeKey));
-
     const user = await this.usersService.findOneByEmail(email);
+
+    if (user.id !== userId) {
+      throw new UnauthorizedException();
+    }
+
     const [accessToken, refreshToken] =
       await this.jwtService.generateAuthTokens(user);
     return {

src/oauth2/tests/oauth2.service.spec.ts

@@ -34,6 +34,7 @@ import { OAuthProvidersEnum } from '../../users/enums/oauth-providers.enum';
 import { UsersModule } from '../../users/users.module';
 import { UsersService } from '../../users/users.service';
 import { Oauth2Service } from '../oauth2.service';
+import { isJWT } from 'class-validator';
 
 describe('Oauth2Service', () => {
   let module: TestingModule,
@@ -121,14 +122,19 @@ describe('Oauth2Service', () => {
     it('should create a new user', async () => {
       const email = faker.internet.email();
       const name = faker.person.fullName();
-      const code = await oauth2Service.callback(
+      const result = await oauth2Service.callback(
         OAuthProvidersEnum.GOOGLE,
         email,
         name,
       );
 
-      expect(code).toBeDefined();
-      expect(code.length).toBe(22);
+      expect(result).toMatchObject({
+        accessToken: expect.any(String),
+        code: expect.any(String),
+        expiresIn: expect.any(Number),
+      });
+      expect(isJWT(result.accessToken)).toBe(true);
+      expect(result.code).toHaveLength(22);
 
       const user = await usersService.findOneByEmail(email);
       expect(user).toBeDefined();
@@ -144,14 +150,19 @@ describe('Oauth2Service', () => {
       const email = faker.internet.email();
       const name = faker.person.fullName();
       await usersService.create(OAuthProvidersEnum.GOOGLE, email, name);
-      const code = await oauth2Service.callback(
+      const result = await oauth2Service.callback(
         OAuthProvidersEnum.MICROSOFT,
         email,
         name,
       );
 
-      expect(code).toBeDefined();
-      expect(code.length).toBe(22);
+      expect(result).toMatchObject({
+        accessToken: expect.any(String),
+        code: expect.any(String),
+        expiresIn: expect.any(Number),
+      });
+      expect(isJWT(result.accessToken)).toBe(true);
+      expect(result.code).toHaveLength(22);
 
       const user = await usersService.findOneByEmail(email);
       expect(user).toBeDefined();
@@ -166,15 +177,16 @@ describe('Oauth2Service', () => {
 
   describe('token', () => {
     it('should return access and refresh tokens from callback code', async () => {
-      const email = faker.internet.email();
+      const email = faker.internet.email().toLowerCase();
       const name = faker.person.fullName();
-      const code = await oauth2Service.callback(
-        OAuthProvidersEnum.MICROSOFT,
+      const { code } = await oauth2Service.callback(
+        OAuthProvidersEnum.GOOGLE,
         email,
         name,
       );
+      const user = await usersService.findOneByEmail(email);
 
-      const result = await oauth2Service.token(code);
+      const result = await oauth2Service.token(code, user.id);
 
       expect(result).toMatchObject({
         user: expect.any(UserEntity),
@@ -184,11 +196,14 @@ describe('Oauth2Service', () => {
     });
 
     it('should throw an unauthorized exception for invalid callback code', async () => {
-      const code = '7IHq0AGB7FOL25kt8WejRz';
+      const email = faker.internet.email().toLowerCase();
+      const name = faker.person.fullName();
+      await oauth2Service.callback(OAuthProvidersEnum.MICROSOFT, email, name);
+      const user = await usersService.findOneByEmail(email);
 
-      await expect(oauth2Service.token(code)).rejects.toThrow(
-        new UnauthorizedException('Code is invalid or expired'),
-      );
+      await expect(
+        oauth2Service.token('7IHq0AGB7FOL25kt8WejRz', user.id),
+      ).rejects.toThrow(new UnauthorizedException());
     });
   });
 

test/app.e2e-spec.ts

@@ -366,7 +366,7 @@ describe('AppController (e2e)', () => {
           .expect(HttpStatus.OK);
       });
 
-      it('should logout the user with refresh bodie', async () => {
+      it('should logout the user with refresh body', async () => {
         const user = await usersService.findOneByEmail(email);
         const [accessToken, refreshToken] =
           await jwtService.generateAuthTokens(user);
@@ -554,6 +554,75 @@ describe('AppController (e2e)', () => {
         });
       });
     });
+
+    describe('refresh-access', () => {
+      const refreshPath = `${baseUrl}/refresh-access`;
+
+      it('should return 200 OK with auth response with the refresh token in the cookies', async () => {
+        const signInRes = await request(app.getHttpServer())
+          .post(`${baseUrl}/sign-in`)
+          .send({
+            emailOrUsername: email,
+            password,
+          })
+          .expect(HttpStatus.OK);
+
+        return request(app.getHttpServer())
+          .post(refreshPath)
+          .set('Authorization', `Bearer ${signInRes.body.accessToken}`)
+          .set('Cookie', signInRes.header['set-cookie'])
+          .expect(HttpStatus.OK)
+          .expect((res) => {
+            expect(res.body).toMatchObject({
+              accessToken: expect.any(String),
+              refreshToken: expect.any(String),
+              expiresIn: expect.any(Number),
+              tokenType: 'Bearer',
+              user: {
+                id: expect.any(Number),
+                name: commonService.formatName(name),
+                username: commonService.generatePointSlug(name),
+                email,
+              },
+            });
+          });
+      });
+
+      it('should return 200 OK with auth response with the refresh token in the body', async () => {
+        const user = await usersService.findOneByEmail(email);
+        const [accessToken, refreshToken] =
+          await jwtService.generateAuthTokens(user);
+        return request(app.getHttpServer())
+          .post(refreshPath)
+          .set('Authorization', `Bearer ${accessToken}`)
+          .send({ refreshToken })
+          .expect(HttpStatus.OK)
+          .expect((res) => {
+            expect(res.body).toMatchObject({
+              accessToken: expect.any(String),
+              refreshToken: expect.any(String),
+              expiresIn: expect.any(Number),
+              tokenType: 'Bearer',
+              user: {
+                id: expect.any(Number),
+                name: commonService.formatName(name),
+                username: commonService.generatePointSlug(name),
+                email,
+              },
+            });
+          });
+      });
+
+      it('should return 401 UNAUTHORIZED when refresh token is not passed', async () => {
+        const user = await usersService.findOneByEmail(email);
+        const [accessToken] = await jwtService.generateAuthTokens(user);
+
+        return request(app.getHttpServer())
+          .post(refreshPath)
+          .set('Authorization', `Bearer ${accessToken}`)
+          .expect(HttpStatus.UNAUTHORIZED);
+      });
+    });
   });
 
   describe('api/users', () => {