Merge branch 'dev' of https://git.odit.services/lfk/backend into dev

ref #12

src/app.ts

@@ -1,9 +1,9 @@
-import "reflect-metadata";
-import * as dotenvSafe from "dotenv-safe";
-import { createExpressServer } from "routing-controllers";
 import consola from "consola";
-import loaders from "./loaders/index";
+import * as dotenvSafe from "dotenv-safe";
+import "reflect-metadata";
+import { createExpressServer } from "routing-controllers";
 import authchecker from "./authchecker";
+import loaders from "./loaders/index";
 import { ErrorHandler } from './middlewares/ErrorHandler';
 
 dotenvSafe.config();

src/authchecker.ts

@@ -1,12 +1,15 @@
 import * as jwt from "jsonwebtoken";
-import { Action, HttpError } from "routing-controllers";
+import { Action } from "routing-controllers";
+import { getConnectionManager } from 'typeorm';
+import { IllegalJWTError, NoPermissionError, UserNonexistantOrRefreshtokenInvalidError } from './errors/AuthError';
+import { User } from './models/entities/User';
 // -----------
 const sampletoken = jwt.sign({
     "permissions": {
         "TRACKS": ["read", "update", "delete", "add"]
         // "TRACKS": []
     }
-}, process.env.JWT_SECRET || "secretjwtsecret")
+}, "securekey")
 console.log(`sampletoken: ${sampletoken}`);
 // -----------
 const authchecker = async (action: Action, permissions: string | string[]) => {
@@ -20,9 +23,14 @@ const authchecker = async (action: Action, permissions: string | string[]) => {
     const provided_token = action.request.query["auth"];
     let jwtPayload = undefined
     try {
-        jwtPayload = <any>jwt.verify(provided_token, process.env.JWT_SECRET || "secretjwtsecret");
+        jwtPayload = <any>jwt.verify(provided_token, "securekey");
     } catch (error) {
-        throw new HttpError(401, "jwt_illegal")
+        console.log(error);
+        throw new IllegalJWTError()
+    }
+    const count = await getConnectionManager().get().getRepository(User).count({ id: jwtPayload["userdetails"]["id"], refreshTokenCount: jwtPayload["userdetails"]["refreshTokenCount"] })
+    if (count !== 1) {
+        throw new UserNonexistantOrRefreshtokenInvalidError()
     }
     if (jwtPayload.permissions) {
         action.response.local = {}
@@ -34,11 +42,11 @@ const authchecker = async (action: Action, permissions: string | string[]) => {
             if (actual_accesslevel_for_permission.includes(permission_access_level)) {
                 return true;
             } else {
-                throw new HttpError(403, "no")
+                throw new NoPermissionError()
             }
         });
     } else {
-        throw new HttpError(403, "no")
+        throw new NoPermissionError()
     }
     // 
     try {

src/controllers/AuthController.ts

@@ -0,0 +1,71 @@
+import { Body, JsonController, Post } from 'routing-controllers';
+import { OpenAPI, ResponseSchema } from 'routing-controllers-openapi';
+import { IllegalJWTError, InvalidCredentialsError, JwtNotProvidedError, PasswordNeededError, RefreshTokenCountInvalidError, UsernameOrEmailNeededError } from '../errors/AuthError';
+import { UserNotFoundError } from '../errors/UserErrors';
+import { CreateAuth } from '../models/creation/CreateAuth';
+import { HandleLogout } from '../models/creation/HandleLogout';
+import { RefreshAuth } from '../models/creation/RefreshAuth';
+import { Auth } from '../models/responses/Auth';
+import { Logout } from '../models/responses/Logout';
+
+@JsonController('/auth')
+export class AuthController {
+	constructor() {
+	}
+
+	@Post("/login")
+	@ResponseSchema(Auth)
+	@ResponseSchema(InvalidCredentialsError)
+	@ResponseSchema(UserNotFoundError)
+	@ResponseSchema(UsernameOrEmailNeededError)
+	@ResponseSchema(PasswordNeededError)
+	@ResponseSchema(InvalidCredentialsError)
+	@OpenAPI({ description: 'Create a new access token object' })
+	async login(@Body({ validate: true }) createAuth: CreateAuth) {
+		let auth;
+		try {
+			auth = await createAuth.toAuth();
+			console.log(auth);
+		} catch (error) {
+			return error;
+		}
+		return auth
+	}
+
+	@Post("/logout")
+	@ResponseSchema(Logout)
+	@ResponseSchema(InvalidCredentialsError)
+	@ResponseSchema(UserNotFoundError)
+	@ResponseSchema(UsernameOrEmailNeededError)
+	@ResponseSchema(PasswordNeededError)
+	@ResponseSchema(InvalidCredentialsError)
+	@OpenAPI({ description: 'Create a new access token object' })
+	async logout(@Body({ validate: true }) handleLogout: HandleLogout) {
+		let logout;
+		try {
+			logout = await handleLogout.logout()
+			console.log(logout);
+		} catch (error) {
+			return error;
+		}
+		return logout
+	}
+
+	@Post("/refresh")
+	@ResponseSchema(Auth)
+	@ResponseSchema(JwtNotProvidedError)
+	@ResponseSchema(IllegalJWTError)
+	@ResponseSchema(UserNotFoundError)
+	@ResponseSchema(RefreshTokenCountInvalidError)
+	@OpenAPI({ description: 'refresh a access token' })
+	async refresh(@Body({ validate: true }) refreshAuth: RefreshAuth) {
+		let auth;
+		try {
+			auth = await refreshAuth.toAuth();
+			console.log(auth);
+		} catch (error) {
+			return error;
+		}
+		return auth
+	}
+}

src/errors/AuthError.ts

@@ -0,0 +1,123 @@
+import { IsString } from 'class-validator';
+import { ForbiddenError, NotAcceptableError, NotFoundError, UnauthorizedError } from 'routing-controllers';
+
+/**
+ * Error to throw when a jwt is expired
+ */
+export class ExpiredJWTError extends UnauthorizedError {
+	@IsString()
+	name = "ExpiredJWTError"
+
+	@IsString()
+	message = "your provided jwt is expired"
+}
+
+/**
+ * Error to throw when a jwt could not be parsed
+ */
+export class IllegalJWTError extends UnauthorizedError {
+	@IsString()
+	name = "IllegalJWTError"
+
+	@IsString()
+	message = "your provided jwt could not be parsed"
+}
+
+/**
+ * Error to throw when user is nonexistant or refreshtoken is invalid
+ */
+export class UserNonexistantOrRefreshtokenInvalidError extends UnauthorizedError {
+	@IsString()
+	name = "UserNonexistantOrRefreshtokenInvalidError"
+
+	@IsString()
+	message = "user is nonexistant or refreshtoken is invalid"
+}
+
+/**
+ * Error to throw when provided credentials are invalid
+ */
+export class InvalidCredentialsError extends UnauthorizedError {
+	@IsString()
+	name = "InvalidCredentialsError"
+
+	@IsString()
+	message = "your provided credentials are invalid"
+}
+
+/**
+ * Error to throw when a jwt does not have permission for this route/ action
+ */
+export class NoPermissionError extends ForbiddenError {
+	@IsString()
+	name = "NoPermissionError"
+
+	@IsString()
+	message = "your provided jwt does not have permission for this route/ action"
+}
+
+/**
+ * Error to thow when no username and no email is set
+ */
+export class UsernameOrEmailNeededError extends NotAcceptableError {
+	@IsString()
+	name = "UsernameOrEmailNeededError"
+
+	@IsString()
+	message = "Auth needs to have email or username set! \n You provided neither."
+}
+
+/**
+ * Error to thow when no password is provided
+ */
+export class PasswordNeededError extends NotAcceptableError {
+	@IsString()
+	name = "PasswordNeededError"
+
+	@IsString()
+	message = "no password is provided - you need to provide it"
+}
+
+/**
+ * Error to thow when no user could be found for provided credential
+ */
+export class UserNotFoundError extends NotFoundError {
+	@IsString()
+	name = "UserNotFoundError"
+
+	@IsString()
+	message = "no user could be found for provided credential"
+}
+
+/**
+ * Error to thow when no jwt token was provided
+ */
+export class JwtNotProvidedError extends NotAcceptableError {
+	@IsString()
+	name = "JwtNotProvidedError"
+
+	@IsString()
+	message = "no jwt token was provided"
+}
+
+/**
+ * Error to thow when user was not found or refresh token count was invalid
+ */
+export class UserNotFoundOrRefreshTokenCountInvalidError extends NotAcceptableError {
+	@IsString()
+	name = "UserNotFoundOrRefreshTokenCountInvalidError"
+
+	@IsString()
+	message = "user was not found or refresh token count was invalid"
+}
+
+/**
+ * Error to thow when refresh token count was invalid
+ */
+export class RefreshTokenCountInvalidError extends NotAcceptableError {
+	@IsString()
+	name = "RefreshTokenCountInvalidError"
+
+	@IsString()
+	message = "refresh token count was invalid"
+}

src/loaders/openapi.ts

@@ -1,8 +1,8 @@
+import { validationMetadatasToSchemas } from "class-validator-jsonschema";
 import { Application } from "express";
-import * as swaggerUiExpress from "swagger-ui-express";
 import { getMetadataArgsStorage } from "routing-controllers";
 import { routingControllersToSpec } from "routing-controllers-openapi";
-import { validationMetadatasToSchemas } from "class-validator-jsonschema";
+import * as swaggerUiExpress from "swagger-ui-express";
 
 export default async (app: Application) => {
   const storage = getMetadataArgsStorage();
@@ -17,6 +17,13 @@ export default async (app: Application) => {
     {
       components: {
         schemas,
+        "securitySchemes": {
+          "AuthToken": {
+            "type": "http",
+            "scheme": "bearer",
+            "bearerFormat": "JWT"
+          }
+        }
       },
       info: {
         description: "The the backend API for the LfK! runner system.",

src/middlewares/jwtauth.ts

@@ -1,17 +0,0 @@
-import { Request, Response, NextFunction } from "express";
-// import bodyParser from 'body-parser';
-// import cors from 'cors';
-import * as jwt from "jsonwebtoken";
-
-export default (req: Request, res: Response, next: NextFunction) => {
-  const token = <string>req.headers["auth"];
-  try {
-    const jwtPayload = <any>jwt.verify(token, "secretjwtsecret");
-    // const jwtPayload = <any>jwt.verify(token, process.env.JWT_SECRET);
-    res.locals.jwtPayload = jwtPayload;
-  } catch (error) {
-    console.log(error);
-    return res.status(401).send();
-  }
-  next();
-};

src/models/creation/CreateAuth.ts

@@ -0,0 +1,57 @@
+import * as argon2 from "argon2";
+import { IsEmail, IsOptional, IsString } from 'class-validator';
+import * as jsonwebtoken from 'jsonwebtoken';
+import { getConnectionManager } from 'typeorm';
+import { InvalidCredentialsError, PasswordNeededError, UserNotFoundError } from '../../errors/AuthError';
+import { UsernameOrEmailNeededError } from '../../errors/UserErrors';
+import { User } from '../entities/User';
+import { Auth } from '../responses/Auth';
+
+export class CreateAuth {
+    @IsOptional()
+    @IsString()
+    username?: string;
+    @IsString()
+    password: string;
+    @IsOptional()
+    @IsEmail()
+    @IsString()
+    email?: string;
+
+    public async toAuth(): Promise<Auth> {
+        let newAuth: Auth = new Auth();
+
+        if (this.email === undefined && this.username === undefined) {
+            throw new UsernameOrEmailNeededError();
+        }
+        if (!this.password) {
+            throw new PasswordNeededError()
+        }
+        const found_users = await getConnectionManager().get().getRepository(User).find({ where: [{ username: this.username }, { email: this.email }] });
+        if (found_users.length === 0) {
+            throw new UserNotFoundError()
+        } else {
+            const found_user = found_users[0]
+            if (await argon2.verify(found_user.password, this.password + found_user.uuid)) {
+                const timestamp_accesstoken_expiry = Math.floor(Date.now() / 1000) + 5 * 60
+                delete found_user.password;
+                newAuth.access_token = jsonwebtoken.sign({
+                    userdetails: found_user,
+                    exp: timestamp_accesstoken_expiry
+                }, "securekey")
+                newAuth.access_token_expires_at = timestamp_accesstoken_expiry
+                // 
+                const timestamp_refresh_expiry = Math.floor(Date.now() / 1000) + 10 * 36000
+                newAuth.refresh_token = jsonwebtoken.sign({
+                    refreshtokencount: found_user.refreshTokenCount,
+                    userid: found_user.id,
+                    exp: timestamp_refresh_expiry
+                }, "securekey")
+                newAuth.refresh_token_expires_at = timestamp_refresh_expiry
+            } else {
+                throw new InvalidCredentialsError()
+            }
+        }
+        return newAuth;
+    }
+}

src/models/creation/HandleLogout.ts

@@ -0,0 +1,35 @@
+import { IsString } from 'class-validator';
+import * as jsonwebtoken from 'jsonwebtoken';
+import { getConnectionManager } from 'typeorm';
+import { IllegalJWTError, JwtNotProvidedError, RefreshTokenCountInvalidError, UserNotFoundError } from '../../errors/AuthError';
+import { User } from '../entities/User';
+import { Logout } from '../responses/Logout';
+
+export class HandleLogout {
+    @IsString()
+    token: string;
+
+    public async logout(): Promise<Logout> {
+        let logout: Logout = new Logout();
+        if (!this.token || this.token === undefined) {
+            throw new JwtNotProvidedError()
+        }
+        let decoded;
+        try {
+            decoded = jsonwebtoken.verify(this.token, 'securekey')
+        } catch (error) {
+            throw new IllegalJWTError()
+        }
+        logout.timestamp = Math.floor(Date.now() / 1000)
+        let found_user: User = await getConnectionManager().get().getRepository(User).findOne({ id: decoded["userid"] });
+        if (!found_user) {
+            throw new UserNotFoundError()
+        }
+        if (found_user.refreshTokenCount !== decoded["refreshtokencount"]) {
+            throw new RefreshTokenCountInvalidError()
+        }
+        found_user.refreshTokenCount++;
+        await getConnectionManager().get().getRepository(User).update({ id: found_user.id }, found_user)
+        return logout;
+    }
+}

src/models/creation/RefreshAuth.ts

@@ -0,0 +1,49 @@
+import { IsString } from 'class-validator';
+import * as jsonwebtoken from 'jsonwebtoken';
+import { getConnectionManager } from 'typeorm';
+import { IllegalJWTError, JwtNotProvidedError, RefreshTokenCountInvalidError, UserNotFoundError } from '../../errors/AuthError';
+import { User } from '../entities/User';
+import { Auth } from '../responses/Auth';
+
+export class RefreshAuth {
+    @IsString()
+    token: string;
+
+    public async toAuth(): Promise<Auth> {
+        let newAuth: Auth = new Auth();
+        if (!this.token || this.token === undefined) {
+            throw new JwtNotProvidedError()
+        }
+        let decoded
+        try {
+            decoded = jsonwebtoken.verify(this.token, 'securekey')
+        } catch (error) {
+            throw new IllegalJWTError()
+        }
+        const found_user = await getConnectionManager().get().getRepository(User).findOne({ id: decoded["userid"] });
+        if (!found_user) {
+            throw new UserNotFoundError()
+        }
+        if (found_user.refreshTokenCount !== decoded["refreshtokencount"]) {
+            throw new RefreshTokenCountInvalidError()
+        }
+        delete found_user.password;
+        const timestamp_accesstoken_expiry = Math.floor(Date.now() / 1000) + 5 * 60
+        delete found_user.password;
+        newAuth.access_token = jsonwebtoken.sign({
+            userdetails: found_user,
+            exp: timestamp_accesstoken_expiry
+        }, "securekey")
+        newAuth.access_token_expires_at = timestamp_accesstoken_expiry
+        // 
+        const timestamp_refresh_expiry = Math.floor(Date.now() / 1000) + 10 * 36000
+        newAuth.refresh_token = jsonwebtoken.sign({
+            refreshtokencount: found_user.refreshTokenCount,
+            userid: found_user.id,
+            exp: timestamp_refresh_expiry
+        }, "securekey")
+        newAuth.refresh_token_expires_at = timestamp_refresh_expiry
+
+        return newAuth;
+    }
+}

src/models/entities/User.ts

@@ -19,14 +19,14 @@ export class User {
   /**
   * uuid
   */
-  @Column()
+  @Column({ unique: true })
   @IsUUID(4)
   uuid: string;
 
   /**
   * user email
   */
-  @Column({ nullable: true })
+  @Column({ nullable: true, unique: true })
   @IsEmail()
   email?: string;
 
@@ -41,7 +41,7 @@ export class User {
   /**
   * username
   */
-  @Column({ nullable: true })
+  @Column({ nullable: true, unique: true })
   @IsString()
   username?: string;
 
@@ -109,7 +109,7 @@ export class User {
   /**
   * profilepic
   */
-  @Column({ nullable: true })
+  @Column({ nullable: true, unique: true })
   @IsString()
   @IsOptional()
   profilePic?: string;

src/models/responses/Auth.ts

@@ -0,0 +1,27 @@
+import { IsInt, IsString } from 'class-validator';
+
+/**
+ * Defines a auth object
+*/
+export class Auth {
+  /**
+  * access_token - JWT shortterm access token
+  */
+  @IsString()
+  access_token: string;
+  /**
+  * refresh_token - longterm refresh token (used for requesting new access tokens)
+  */
+  @IsString()
+  refresh_token: string;
+  /**
+  * access_token_expires_at - unix timestamp of access token expiry
+  */
+  @IsInt()
+  access_token_expires_at: number;
+  /**
+  * refresh_token_expires_at - unix timestamp of access token expiry
+  */
+  @IsInt()
+  refresh_token_expires_at: number;
+}

src/models/responses/Logout.ts

@@ -0,0 +1,12 @@
+import { IsString } from 'class-validator';
+
+/**
+ * Defines a Logout object
+*/
+export class Logout {
+  /**
+  * timestamp of logout
+  */
+  @IsString()
+  timestamp: number;
+}