[SSF-117]: Backend endpoints user gated

.env.example

@@ -2,4 +2,11 @@ DATABASE_HOST=localhost
 DATABASE_PORT=5432
 DATABASE_NAME=securing-safe-food
 DATABASE_USERNAME=postgres
-DATABASE_PASSWORD=PLACEHOLDER_PASSWORD
+DATABASE_PASSWORD=PLACEHOLDER_PASSWORD
+
+AWS_ACCESS_KEY_ID = PLACEHOLDER_AWS_ACCESS_KEY
+AWS_SECRET_ACCESS_KEY = PLACEHOLDER_AWS_SECRET_KEY
+AWS_REGION = PLACEHOLDER_AWS_REGION
+COGNITO_CLIENT_SECRET = PLACEHOLDER_COGNITO_CLIENT_SECRET
+
+AWS_BUCKET_NAME = 'confirm-delivery-photos'

apps/backend/README.md

@@ -25,4 +25,43 @@ You can check that your database connection details are correct by running `nx s
 "LOG 🚀 Application is running on: http://localhost:3000/api"
 ```
 
-Finally, run `yarn run typeorm:migrate` to load all the tables into your database. If everything is set up correctly, you should see "Migration ... has been  executed successfully." in the terminal.
+Finally, run `yarn run typeorm:migrate` to load all the tables into your database. If everything is set up correctly, you should see "Migration ... has been  executed successfully." in the terminal.
+
+# AWS Setup
+
+We have a few environment variables that we utilize to access several AWS services throughout the application. Below is a list of each of them and how to access each after logging in to AWS
+
+1. `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`:
+   - Click on your username in the top right corner, and navigate to Security Credentials
+   - Scroll down to access keys, and create a new key
+   - Select "Local code" as the purpose for the key, and add an optional description
+   - Replace both the public and secret keys in the .env file to those values. Note that the secret key will not be accessible after you leave this page
+   - Click done
+
+2. `AWS_REGION`:
+This can be found next to your profile name when you login to the main page. Some accounts may be different, but we generally use us-east-1 or us-east-2.
+This is the region that you find on the right side after clicking on the location dropdown, usually saying "United States (*some region*)".
+For example, if we want to use Ohio as the region, we would put `AWS_REGION="us-east2"`
+
+3. `AWS_BUCKET_NAME`:
+This one is already given to you. As of right now, we only use one bucket, confirm-delivery-photos to store photos in a public S3 Bucket. This may be subject to change as we use S3 more in the project.
+
+4. `COGNITO_CLIENT_SECRET`:
+This is used to help authenticate you with AWS Cognito and allow you to properly sign in using proper credential. To find this:
+   - Navigate to AWS Cognito
+   - Make sure you are on "United States (N. Virginia) as your region
+   - Go into User pools and click on the one that says "ssf" (NOTE: You can also validate the User pool id in the `auth/aws_exports.ts` file)
+   - Go to App Clients, and click on 'ssf client w secret'
+   - There, you can validate the information in `auth/aws_exports.ts` (the `userPoolClientId`), as well as copy the client secret into your env file
+
+5. Creating a new user within AWS Cognito
+   There are 2 ways you can create a new user in AWS Cognito. The simplest, is through loading the up, going to the landing page, and creating a new account there. If you choose to do it alternatively through the console, follow these steps:
+   - Navigate to AWS Cognito
+   - Make sure you are on "United States (N. Virginia) as your region
+   - Go into User pools and click on the one that says "ssf"
+   - Go to Users
+   - If you do not already see your email there, create a new User, setting an email in password (this will be what you login with on the frontend)
+   - Click 'Create User'
+   - Load up the app, and go to the landing page
+   - Verify you are able to login with these new credentials you created
+

apps/backend/src/allocations/allocations.module.ts

@@ -1,15 +1,17 @@
-import { Module } from '@nestjs/common';
+import { forwardRef, Module } from '@nestjs/common';
 import { TypeOrmModule } from '@nestjs/typeorm';
 import { Allocation } from './allocations.entity';
 import { AllocationsController } from './allocations.controller';
 import { AllocationsService } from './allocations.service';
-import { AuthService } from '../auth/auth.service';
-import { JwtStrategy } from '../auth/jwt.strategy';
+import { AuthModule } from '../auth/auth.module';
 
 @Module({
-  imports: [TypeOrmModule.forFeature([Allocation])],
+  imports: [
+    TypeOrmModule.forFeature([Allocation]),
+    forwardRef(() => AuthModule),
+  ],
   controllers: [AllocationsController],
-  providers: [AllocationsService, AuthService, JwtStrategy],
+  providers: [AllocationsService],
   exports: [AllocationsService],
 })
 export class AllocationModule {}

apps/backend/src/auth/auth.module.ts

@@ -1,14 +1,17 @@
-import { Module } from '@nestjs/common';
+import { Module, forwardRef } from '@nestjs/common';
 import { PassportModule } from '@nestjs/passport';
-
 import { AuthController } from './auth.controller';
 import { AuthService } from './auth.service';
 import { JwtStrategy } from './jwt.strategy';
 import { UsersModule } from '../users/users.module';
 
 @Module({
-  imports: [UsersModule, PassportModule.register({ defaultStrategy: 'jwt' })],
+  imports: [
+    forwardRef(() => UsersModule),
+    PassportModule.register({ defaultStrategy: 'jwt' }),
+  ],
   controllers: [AuthController],
   providers: [AuthService, JwtStrategy],
+  exports: [AuthService, JwtStrategy],
 })
 export class AuthModule {}

apps/backend/src/auth/auth.service.ts

@@ -2,7 +2,6 @@ import { Injectable } from '@nestjs/common';
 import {
   AdminDeleteUserCommand,
   AdminInitiateAuthCommand,
-  AttributeType,
   CognitoIdentityProviderClient,
   ConfirmForgotPasswordCommand,
   ConfirmSignUpCommand,
@@ -29,8 +28,8 @@ export class AuthService {
     this.providerClient = new CognitoIdentityProviderClient({
       region: CognitoAuthConfig.region,
       credentials: {
-        accessKeyId: process.env.NX_AWS_ACCESS_KEY,
-        secretAccessKey: process.env.NX_AWS_SECRET_ACCESS_KEY,
+        accessKeyId: process.env.AWS_ACCESS_KEY_ID,
+        secretAccessKey: process.env.AWS_SECRET_ACCESS_KEY,
       },
     });
 
@@ -43,28 +42,17 @@ export class AuthService {
   // (see https://docs.aws.amazon.com/cognito/latest/developerguide/signing-up-users-in-your-app.html#cognito-user-pools-computing-secret-hash)
   calculateHash(username: string): string {
     const hmac = createHmac('sha256', this.clientSecret);
-    hmac.update(username + CognitoAuthConfig.clientId);
+    hmac.update(username + CognitoAuthConfig.userPoolClientId);
     return hmac.digest('base64');
   }
 
-  async getUser(userSub: string): Promise<AttributeType[]> {
-    const listUsersCommand = new ListUsersCommand({
-      UserPoolId: CognitoAuthConfig.userPoolId,
-      Filter: `sub = "${userSub}"`,
-    });
-
-    // TODO need error handling
-    const { Users } = await this.providerClient.send(listUsersCommand);
-    return Users[0].Attributes;
-  }
-
   async signup(
     { firstName, lastName, email, password }: SignUpDto,
     role: Role = Role.VOLUNTEER,
   ): Promise<boolean> {
     // Needs error handling
     const signUpCommand = new SignUpCommand({
-      ClientId: CognitoAuthConfig.clientId,
+      ClientId: CognitoAuthConfig.userPoolClientId,
       SecretHash: this.calculateHash(email),
       Username: email,
       Password: password,
@@ -88,7 +76,7 @@ export class AuthService {
 
   async verifyUser(email: string, verificationCode: string): Promise<void> {
     const confirmCommand = new ConfirmSignUpCommand({
-      ClientId: CognitoAuthConfig.clientId,
+      ClientId: CognitoAuthConfig.userPoolClientId,
       SecretHash: this.calculateHash(email),
       Username: email,
       ConfirmationCode: verificationCode,
@@ -100,7 +88,7 @@ export class AuthService {
   async signin({ email, password }: SignInDto): Promise<SignInResponseDto> {
     const signInCommand = new AdminInitiateAuthCommand({
       AuthFlow: 'ADMIN_USER_PASSWORD_AUTH',
-      ClientId: CognitoAuthConfig.clientId,
+      ClientId: CognitoAuthConfig.userPoolClientId,
       UserPoolId: CognitoAuthConfig.userPoolId,
       AuthParameters: {
         USERNAME: email,
@@ -125,7 +113,7 @@ export class AuthService {
   }: RefreshTokenDto): Promise<SignInResponseDto> {
     const refreshCommand = new AdminInitiateAuthCommand({
       AuthFlow: 'REFRESH_TOKEN_AUTH',
-      ClientId: CognitoAuthConfig.clientId,
+      ClientId: CognitoAuthConfig.userPoolClientId,
       UserPoolId: CognitoAuthConfig.userPoolId,
       AuthParameters: {
         REFRESH_TOKEN: refreshToken,
@@ -144,7 +132,7 @@ export class AuthService {
 
   async forgotPassword(email: string) {
     const forgotCommand = new ForgotPasswordCommand({
-      ClientId: CognitoAuthConfig.clientId,
+      ClientId: CognitoAuthConfig.userPoolClientId,
       Username: email,
       SecretHash: this.calculateHash(email),
     });
@@ -158,7 +146,7 @@ export class AuthService {
     newPassword,
   }: ConfirmPasswordDto) {
     const confirmComamnd = new ConfirmForgotPasswordCommand({
-      ClientId: CognitoAuthConfig.clientId,
+      ClientId: CognitoAuthConfig.userPoolClientId,
       SecretHash: this.calculateHash(email),
       Username: email,
       ConfirmationCode: confirmationCode,

apps/backend/src/auth/aws-exports.ts

@@ -1,6 +1,6 @@
 const CognitoAuthConfig = {
-  userPoolId: 'us-east-1_oshVQXLX6',
-  clientId: '42bfm2o2pmk57mpm5399s0e9no',
+  userPoolClientId: '1kehn2mr64h94mire6os55bib7',
+  userPoolId: 'us-east-1_StSYXMibq',
   region: 'us-east-1',
 };
 

apps/backend/src/auth/jwt.strategy.ts

@@ -1,19 +1,20 @@
-import { Injectable } from '@nestjs/common';
+import { Injectable, UnauthorizedException } from '@nestjs/common';
 import { PassportStrategy } from '@nestjs/passport';
 import { passportJwtSecret } from 'jwks-rsa';
 import { ExtractJwt, Strategy } from 'passport-jwt';
-
+import { UsersService } from '../users/users.service';
 import CognitoAuthConfig from './aws-exports';
+import { AuthService } from './auth.service';
 
 @Injectable()
 export class JwtStrategy extends PassportStrategy(Strategy) {
-  constructor() {
+  constructor(private usersService: UsersService) {
     const cognitoAuthority = `https://cognito-idp.${CognitoAuthConfig.region}.amazonaws.com/${CognitoAuthConfig.userPoolId}`;
 
     super({
       jwtFromRequest: ExtractJwt.fromAuthHeaderAsBearerToken(),
       ignoreExpiration: false,
-      _audience: CognitoAuthConfig.clientId,
+      _audience: CognitoAuthConfig.userPoolClientId,
       issuer: cognitoAuthority,
       algorithms: ['RS256'],
       secretOrKeyProvider: passportJwtSecret({
@@ -26,6 +27,7 @@ export class JwtStrategy extends PassportStrategy(Strategy) {
   }
 
   async validate(payload) {
-    return { idUser: payload.sub, email: payload.email };
+    const dbUser = await this.usersService.findUserByCognitoId(payload.sub);
+    return dbUser;
   }
 }

apps/backend/src/auth/ownership.decorator.ts

@@ -0,0 +1,25 @@
+import { SetMetadata, Type } from '@nestjs/common';
+
+// Resolver function type to get the owner user ID for a given entity ID
+export type OwnerIdResolver = (params: {
+  entityId: number;
+  services: ServiceRegistry;
+}) => Promise<number | null>;
+
+// Registry of services that can be easily resolved
+// Eliminates the issues with circular dependencies
+// allowing the lambdas to resolve only the services they need
+export interface ServiceRegistry {
+  get<T>(serviceClass: Type<T>): T;
+}
+
+// Configuration for ownership check
+export interface OwnershipConfig {
+  idParam: string;
+  resolver: OwnerIdResolver;
+}
+
+export const OWNERSHIP_CHECK_KEY = 'ownership_check';
+
+export const CheckOwnership = (config: OwnershipConfig) =>
+  SetMetadata(OWNERSHIP_CHECK_KEY, config);

apps/backend/src/auth/ownership.guard.ts

@@ -0,0 +1,99 @@
+import {
+  Injectable,
+  CanActivate,
+  ExecutionContext,
+  ForbiddenException,
+  NotFoundException,
+  Type,
+} from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+import { ModuleRef } from '@nestjs/core';
+import {
+  OWNERSHIP_CHECK_KEY,
+  OwnershipConfig,
+  ServiceRegistry,
+} from './ownership.decorator';
+
+@Injectable()
+export class OwnershipGuard implements CanActivate {
+  constructor(private reflector: Reflector, private moduleRef: ModuleRef) {}
+
+  async canActivate(context: ExecutionContext): Promise<boolean> {
+    const config = this.reflector.get<OwnershipConfig>(
+      OWNERSHIP_CHECK_KEY,
+      context.getHandler(),
+    );
+
+    if (!config) {
+      return true;
+    }
+
+    // Process all request information and the logged in user
+    const req = context.switchToHttp().getRequest();
+    const user = req.user;
+
+    // Admins bypass ownership checks
+    if (user.role === 'ADMIN') {
+      return true;
+    }
+
+    if (!user) {
+      throw new ForbiddenException('Not authenticated');
+    }
+
+    // Get the id from the parameters
+    const entityId = Number(req.params[config.idParam]);
+
+    if (isNaN(entityId)) {
+      throw new ForbiddenException(`Invalid ${config.idParam}`);
+    }
+
+    // Create a service registry that easily resolves services
+    const services = this.createServiceRegistry();
+
+    try {
+      // Execute the lambda function to get the owner user ID
+      const ownerId = await config.resolver({
+        entityId,
+        services,
+      });
+
+      if (ownerId === null || ownerId === undefined) {
+        throw new ForbiddenException('Unable to determine resource ownership');
+      }
+
+      if (ownerId !== user.id) {
+        throw new ForbiddenException('Access denied');
+      }
+
+      return true;
+    } catch (error) {
+      console.error('Error in ownership resolver:', error);
+      throw new ForbiddenException('Error verifying resource ownership');
+    }
+  }
+
+  // Use a service registry for easy service resolution and caching
+  private createServiceRegistry(): ServiceRegistry {
+    const cache = new Map<Type<unknown>, unknown>();
+    const moduleRef = this.moduleRef;
+
+    return {
+      get<T>(serviceClass: Type<T>): T {
+        // Return cached service if already resolved before
+        if (cache.has(serviceClass)) {
+          return cache.get(serviceClass) as T;
+        }
+
+        // Resolve and cache the service
+        try {
+          const service = moduleRef.get(serviceClass, { strict: false });
+          cache.set(serviceClass, service);
+          return service;
+        } catch (error) {
+          throw new Error(`Could not resolve service: ${serviceClass.name}`);
+        }
+      },
+    };
+  }
+}

apps/backend/src/auth/roles.decorator.ts

@@ -0,0 +1,5 @@
+import { SetMetadata } from '@nestjs/common';
+import { Role } from '../users/types';
+
+export const ROLES_KEY = 'roles';
+export const Roles = (...roles: Role[]) => SetMetadata(ROLES_KEY, roles);