[Reputation Oracle] refactor: properly use auth strategies (#3168)

Author: dnechay

packages/apps/reputation-oracle/server/src/app.module.ts

@@ -1,34 +1,44 @@
 import { Module } from '@nestjs/common';
-import { APP_FILTER, APP_INTERCEPTOR, APP_PIPE } from '@nestjs/core';
+import { APP_FILTER, APP_GUARD, APP_INTERCEPTOR, APP_PIPE } from '@nestjs/core';
 import { ConfigModule } from '@nestjs/config';
 import { ScheduleModule } from '@nestjs/schedule';
 import { ServeStaticModule } from '@nestjs/serve-static';
 import { join } from 'path';
+
+import { envValidator } from './config';
+import { EnvConfigModule } from './config/config.module';
+
 import { DatabaseModule } from './database/database.module';
+
+import { JwtAuthGuard } from './common/guards';
+import { ExceptionFilter } from './common/filters/exception.filter';
+import { TransformInterceptor } from './common/interceptors/transform.interceptor';
 import { HttpValidationPipe } from './common/pipes';
+
 import { HealthModule } from './modules/health/health.module';
 import { ReputationModule } from './modules/reputation/reputation.module';
 import { Web3Module } from './modules/web3/web3.module';
-import { envValidator } from './config';
 import { AuthModule } from './modules/auth/auth.module';
-import { TransformInterceptor } from './common/interceptors/transform.interceptor';
 import { KycModule } from './modules/kyc/kyc.module';
 import { CronJobModule } from './modules/cron-job/cron-job.module';
 import { PayoutModule } from './modules/payout/payout.module';
-import { EnvConfigModule } from './config/config.module';
-import { ExceptionFilter } from './common/filters/exception.filter';
 import { QualificationModule } from './modules/qualification/qualification.module';
 import { EscrowCompletionModule } from './modules/escrow-completion/escrow-completion.module';
 import { WebhookIncomingModule } from './modules/webhook/webhook-incoming.module';
 import { WebhookOutgoingModule } from './modules/webhook/webhook-outgoing.module';
-import { UserModule } from './modules/user/user.module';
+import { UserModule } from './modules/user';
 import { EmailModule } from './modules/email/module';
 import { NDAModule } from './modules/nda/nda.module';
 import { StorageModule } from './modules/storage/storage.module';
+
 import Environment from './utils/environment';
 
 @Module({
   providers: [
+    {
+      provide: APP_GUARD,
+      useClass: JwtAuthGuard,
+    },
     {
       provide: APP_PIPE,
       useClass: HttpValidationPipe,

packages/apps/reputation-oracle/server/src/common/decorators/index.ts

@@ -1,8 +1,11 @@
-import { SetMetadata } from '@nestjs/common';
-import { Role } from '../enums/user';
+import { Reflector } from '@nestjs/core';
+import { UserRole } from '../../modules/user';
 
-export const Public = (): ((target: any, key?: any, descriptor?: any) => any) =>
-  SetMetadata('isPublic', true);
+export const Public = Reflector.createDecorator<boolean>({
+  key: 'isPublic',
+  transform: () => true,
+});
 
-export const ROLES_KEY = 'roles';
-export const Roles = (...roles: Role[]) => SetMetadata(ROLES_KEY, roles);
+export const Roles = Reflector.createDecorator<UserRole[]>({
+  key: 'roles',
+});

packages/apps/reputation-oracle/server/src/common/enums/user.ts

@@ -1,16 +1,3 @@
-export enum UserStatus {
-  ACTIVE = 'active',
-  INACTIVE = 'inactive',
-  PENDING = 'pending',
-}
-
-export enum Role {
-  OPERATOR = 'operator',
-  WORKER = 'worker',
-  HUMAN_APP = 'human_app',
-  ADMIN = 'admin',
-}
-
 export enum KycStatus {
   NONE = 'none',
   APPROVED = 'approved',

packages/apps/reputation-oracle/server/src/common/filters/exception.filter.ts

@@ -8,6 +8,7 @@ import {
 import { Request, Response } from 'express';
 import { DatabaseError } from '../errors/database';
 import logger from '../../logger';
+import { transformKeysFromCamelToSnake } from '../../utils/case-converters';
 
 @Catch()
 export class ExceptionFilter implements IExceptionFilter {
@@ -33,8 +34,24 @@ export class ExceptionFilter implements IExceptionFilter {
       const exceptionResponse = exception.getResponse();
       if (typeof exceptionResponse === 'string') {
         responseBody.message = exceptionResponse;
+      } else if (
+        'error' in exceptionResponse &&
+        exceptionResponse.error === exception.message
+      ) {
+        /**
+         * This is the case for "sugar" exception classes
+         * (e.g. UnauthorizedException) that have custom message
+         */
+        responseBody.message = exceptionResponse.error;
       } else {
-        Object.assign(responseBody, exceptionResponse);
+        /**
+         * Exception filters called after interceptors,
+         * so it's just a safety belt
+         */
+        Object.assign(
+          responseBody,
+          transformKeysFromCamelToSnake(exceptionResponse),
+        );
       }
     } else {
       this.logger.error('Unhandled exception', exception);

packages/apps/reputation-oracle/server/src/common/guards/jwt.auth.ts

@@ -1,5 +1,4 @@
 import {
-  CanActivate,
   ExecutionContext,
   HttpException,
   HttpStatus,
@@ -8,30 +7,45 @@ import {
 import { Reflector } from '@nestjs/core';
 import { AuthGuard } from '@nestjs/passport';
 import { JWT_STRATEGY_NAME } from '../constants';
+import { Public } from '../decorators';
 
 @Injectable()
-export class JwtAuthGuard
-  extends AuthGuard(JWT_STRATEGY_NAME)
-  implements CanActivate
-{
+export class JwtAuthGuard extends AuthGuard(JWT_STRATEGY_NAME) {
   constructor(private readonly reflector: Reflector) {
     super();
   }
 
-  public async canActivate(context: ExecutionContext): Promise<boolean> {
-    // `super` has to be called to set `user` on `request`
-    // see https://github.com/nestjs/passport/blob/master/lib/auth.guard.ts
-    return (super.canActivate(context) as Promise<boolean>).catch((_error) => {
-      const isPublic = this.reflector.getAllAndOverride<boolean>('isPublic', [
-        context.getHandler(),
-        context.getClass(),
-      ]);
+  canActivate(context: ExecutionContext) {
+    const isPublic = this.reflector.getAllAndOverride(Public, [
+      context.getHandler(),
+      context.getClass(),
+    ]);
 
-      if (isPublic) {
-        return true;
-      }
+    if (isPublic) {
+      return true;
+    }
 
+    return super.canActivate(context);
+  }
+
+  handleRequest(error: any, user: any) {
+    if (error) {
+      /**
+       * Error happened while "validate" in "passport" strategy
+       */
+      throw error;
+    }
+
+    /**
+     * There is no error and user in different cases, e.g.:
+     * - jwt is not provided - strategy does not validate it
+     * - token is expired
+     * - etc.
+     */
+    if (!user) {
       throw new HttpException('Unauthorized', HttpStatus.UNAUTHORIZED);
-    });
+    }
+
+    return user;
   }
 }

packages/apps/reputation-oracle/server/src/common/guards/roles.auth.ts

@@ -6,30 +6,34 @@ import {
   HttpException,
 } from '@nestjs/common';
 import { Reflector } from '@nestjs/core';
-import { Role } from '../enums/user';
-import { ROLES_KEY } from '../decorators';
+import { Roles } from '../decorators';
 
 @Injectable()
 export class RolesAuthGuard implements CanActivate {
   constructor(private reflector: Reflector) {}
 
   canActivate(context: ExecutionContext): boolean {
-    const requiredRoles = this.reflector.getAllAndOverride<Role[]>(ROLES_KEY, [
+    const allowedRoles = this.reflector.getAllAndOverride(Roles, [
       context.getHandler(),
       context.getClass(),
     ]);
 
-    if (!requiredRoles) {
-      return true;
+    /**
+     * We don't use this guard globally, only on specific routes,
+     * so it's just a safety belt
+     */
+    if (!allowedRoles?.length) {
+      throw new Error(
+        'Allowed roles must be specified when using RolesAuthGuard',
+      );
     }
 
     const { user } = context.switchToHttp().getRequest();
-    const isAllowed = requiredRoles.some((role) => user.role === role);
 
-    if (isAllowed) {
+    if (allowedRoles.includes(user.role)) {
       return true;
     }
 
-    throw new HttpException('Unauthorized', HttpStatus.UNAUTHORIZED);
+    throw new HttpException('Forbidden', HttpStatus.FORBIDDEN);
   }
 }

packages/apps/reputation-oracle/server/src/common/interfaces/user.ts

@@ -1,9 +1,9 @@
 import {
-  ApiBearerAuth,
   ApiOperation,
   ApiResponse,
   ApiTags,
   ApiBody,
+  ApiBearerAuth,
 } from '@nestjs/swagger';
 import {
   Body,
@@ -18,7 +18,6 @@ import {
 } from '@nestjs/common';
 import { Public } from '../../common/decorators';
 import { AuthService } from './auth.service';
-import { JwtAuthGuard } from '../../common/guards';
 import { RequestWithUser } from '../../common/interfaces/request';
 import { HCaptchaGuard } from '../../integrations/hcaptcha/hcaptcha.guard';
 import { TokenRepository } from './token.repository';
@@ -147,7 +146,7 @@ export class AuthController {
     description: 'Verification email resent successfully',
   })
   @ApiBearerAuth()
-  @UseGuards(HCaptchaGuard, JwtAuthGuard)
+  @UseGuards(HCaptchaGuard)
   @Post('/web2/resend-verification-email')
   @HttpCode(200)
   async resendEmailVerification(
@@ -223,7 +222,6 @@ export class AuthController {
     description: 'User logged out successfully',
   })
   @ApiBearerAuth()
-  @UseGuards(JwtAuthGuard)
   @Post('/logout')
   @HttpCode(200)
   async logout(@Req() request: RequestWithUser): Promise<void> {

packages/apps/reputation-oracle/server/src/modules/auth/auth.controller.ts

@@ -4,7 +4,7 @@ import { JwtModule } from '@nestjs/jwt';
 import { AuthConfigService } from '../../config/auth-config.service';
 import { HCaptchaModule } from '../../integrations/hcaptcha/hcaptcha.module';
 import { EmailModule } from '../email/module';
-import { UserModule } from '../user/user.module';
+import { UserModule } from '../user';
 import { Web3Module } from '../web3/web3.module';
 
 import { JwtHttpStrategy } from './strategy';

packages/apps/reputation-oracle/server/src/modules/auth/auth.module.ts

@@ -27,7 +27,6 @@ import { HCaptchaConfigService } from '../../config/hcaptcha-config.service';
 import { ServerConfigService } from '../../config/server-config.service';
 import { Web3ConfigService } from '../../config/web3-config.service';
 import { JobRequestType } from '../../common/enums';
-import { Role, UserStatus } from '../../common/enums/user';
 import { SignatureType } from '../../common/enums/web3';
 import {
   generateNonce,
@@ -37,9 +36,13 @@ import {
 import { HCaptchaService } from '../../integrations/hcaptcha/hcaptcha.service';
 import { SiteKeyRepository } from '../user/site-key.repository';
 import { PrepareSignatureDto } from '../user/user.dto';
-import { UserEntity } from '../user/user.entity';
-import { UserRepository } from '../user/user.repository';
-import { UserService } from '../user/user.service';
+import {
+  UserStatus,
+  UserRole,
+  UserEntity,
+  UserRepository,
+  UserService,
+} from '../user';
 import { Web3Service } from '../web3/web3.service';
 import {
   AuthError,
@@ -730,7 +733,7 @@ describe('AuthService', () => {
 
           const result = await authService.web3Signup({
             address: web3PreSignUpDto.address,
-            type: Role.WORKER,
+            type: UserRole.WORKER,
             signature,
           });
 
@@ -754,7 +757,7 @@ describe('AuthService', () => {
           await expect(
             authService.web3Signup({
               ...web3PreSignUpDto,
-              type: Role.WORKER,
+              type: UserRole.WORKER,
               signature: invalidSignature,
             }),
           ).rejects.toThrow(
@@ -769,7 +772,7 @@ describe('AuthService', () => {
           await expect(
             authService.web3Signup({
               ...web3PreSignUpDto,
-              type: Role.WORKER,
+              type: UserRole.WORKER,
               signature: signature,
             }),
           ).rejects.toThrow(new InvalidOperatorRoleError(''));
@@ -784,7 +787,7 @@ describe('AuthService', () => {
           await expect(
             authService.web3Signup({
               ...web3PreSignUpDto,
-              type: Role.WORKER,
+              type: UserRole.WORKER,
               signature: signature,
             }),
           ).rejects.toThrow(new InvalidOperatorFeeError(''));
@@ -800,7 +803,7 @@ describe('AuthService', () => {
           await expect(
             authService.web3Signup({
               ...web3PreSignUpDto,
-              type: Role.WORKER,
+              type: UserRole.WORKER,
               signature: signature,
             }),
           ).rejects.toThrow(new InvalidOperatorUrlError(''));
@@ -817,7 +820,7 @@ describe('AuthService', () => {
           await expect(
             authService.web3Signup({
               ...web3PreSignUpDto,
-              type: Role.WORKER,
+              type: UserRole.WORKER,
               signature: signature,
             }),
           ).rejects.toThrow(new InvalidOperatorJobTypesError(''));