authorization refactor for consistency

ZenSoftware · Nov 25, 2021 · 0d31a5d · 0d31a5d
1 parent f199d44
commit 0d31a5d
Show file tree

Hide file tree

Showing 9 changed files with 89 additions and 56 deletions.
diff --git a/apps/api/src/app/auth/auth-logic.ts b/apps/api/src/app/auth/auth-logic.ts
@@ -0,0 +1,25 @@
+import { Role } from '@prisma/client';
+
+type RoleType = string[] | Role[] | undefined;
+
+export function authLogic(
+  userRoles: RoleType,
+  classRoles: RoleType,
+  handlerRoles: RoleType
+): boolean {
+  const _userRoles = userRoles ?? [];
+  const _classRoles = classRoles ?? [];
+  const _handlerRoles = handlerRoles ?? [];
+
+  // Give super users unlimited access
+  if (_userRoles.includes(Role.Super)) return true;
+
+  if (_classRoles.length > 0) {
+    if (!_userRoles.some(r => _classRoles.includes(r as Role))) return false;
+    if (_handlerRoles.length > 0 && !_userRoles.some(r => _handlerRoles.includes(r))) return false;
+  } else if (_handlerRoles.length > 0 && !_userRoles.some(r => _handlerRoles.includes(r))) {
+    return false;
+  }
+
+  return true;
+}
diff --git a/apps/api/src/app/auth/auth.module.ts b/apps/api/src/app/auth/auth.module.ts
@@ -4,7 +4,7 @@ import { PassportModule } from '@nestjs/passport';
 import { JwtModule } from '../jwt';
 import { PrismaModule } from '../prisma';
 import { AuthService } from './auth.service';
-import { GqlGuard } from './gql';
+import { GqlGuard } from './gql.guard';
 import { JwtStrategy } from './jwt.strategy';
 
 @Module({

diff --git a/...pi/src/app/auth/gql/gql-user.decorator.ts → apps/api/src/app/auth/gql-user.decorator.ts b/...pi/src/app/auth/gql/gql-user.decorator.ts → apps/api/src/app/auth/gql-user.decorator.ts
@@ -1,7 +1,7 @@
 import { ExecutionContext, UnauthorizedException, createParamDecorator } from '@nestjs/common';
 import { GqlExecutionContext } from '@nestjs/graphql';
 
-import { RequestUser } from '../request-user';
+import { RequestUser } from './request-user';
 
 export const GqlUser = createParamDecorator((data, context: ExecutionContext) => {
   const user = GqlExecutionContext.create(context).getContext().req.user;

diff --git a/apps/api/src/app/auth/gql.guard.ts b/apps/api/src/app/auth/gql.guard.ts
@@ -0,0 +1,30 @@
+import { ExecutionContext, Injectable } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+import { GqlExecutionContext } from '@nestjs/graphql';
+import { AuthGuard } from '@nestjs/passport';
+import { Role } from '@prisma/client';
+
+import { authLogic } from './auth-logic';
+import { ROLES_KEY } from './roles.decorator';
+
+@Injectable()
+/**
+ * Replicates RBAC rules for [ASP.NET Core](https://docs.microsoft.com/en-us/aspnet/core/security/authorization/roles?view=aspnetcore-6.0).
+ * **Super** users are granted unlimited access.
+ */
+export class GqlGuard extends AuthGuard('jwt') {
+  constructor(private readonly reflector: Reflector) {
+    super();
+  }
+
+  async canActivate(context: ExecutionContext) {
+    await super.canActivate(context);
+
+    const ctx = GqlExecutionContext.create(context);
+    const user = ctx.getContext().req.user;
+    const classRoles = this.reflector.get<Role[]>(ROLES_KEY, ctx.getClass());
+    const handlerRoles = this.reflector.get<Role[]>(ROLES_KEY, ctx.getHandler());
+
+    return authLogic(user.roles, classRoles, handlerRoles);
+  }
+}
diff --git a/apps/api/src/app/auth/gql/gql.guard.ts b/apps/api/src/app/auth/gql/gql.guard.ts
diff --git a/apps/api/src/app/auth/gql/index.ts b/apps/api/src/app/auth/gql/index.ts
diff --git a/apps/api/src/app/auth/http.guard.ts b/apps/api/src/app/auth/http.guard.ts
@@ -0,0 +1,24 @@
+import { ExecutionContext, Injectable } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+import { AuthGuard } from '@nestjs/passport';
+import { Role } from '@prisma/client';
+
+import { authLogic } from './auth-logic';
+import { ROLES_KEY } from './roles.decorator';
+
+@Injectable()
+export class HttpGuard extends AuthGuard('jwt') {
+  constructor(private readonly reflector: Reflector) {
+    super();
+  }
+
+  async canActivate(ctx: ExecutionContext) {
+    await super.canActivate(ctx);
+
+    const { user } = ctx.switchToHttp().getRequest();
+    const classRoles = this.reflector.get<Role[]>(ROLES_KEY, ctx.getClass());
+    const handlerRoles = this.reflector.get<Role[]>(ROLES_KEY, ctx.getHandler());
+
+    return authLogic(user.roles, classRoles, handlerRoles);
+  }
+}
diff --git a/apps/api/src/app/auth/index.ts b/apps/api/src/app/auth/index.ts
@@ -1,8 +1,10 @@
 export { AuthGuard } from '@nestjs/passport';
-export * from './auth.module';
-export * from './gql';
+export { Role } from '@prisma/client';
 export { RequestUser } from './request-user';
-export * from './roles.decorator';
+export * from './auth.module';
 export * from './auth.service';
+export * from './gql-user.decorator';
+export * from './gql.guard';
 export * from './http-user.decorator';
-export { Role } from '@prisma/client';
+export * from './http.guard';
+export * from './roles.decorator';
diff --git a/apps/api/src/app/auth/roles.decorator.ts b/apps/api/src/app/auth/roles.decorator.ts
@@ -1,4 +1,5 @@
 import { SetMetadata } from '@nestjs/common';
 import { Role } from '@prisma/client';
 
-export const Roles = (...roles: Array<Role>) => SetMetadata('roles', roles);
+export const ROLES_KEY = 'roles';
+export const Roles = (...roles: Array<Role>) => SetMetadata(ROLES_KEY, roles);