Denied access to login & register while logged in. Fixed regular user auth for requiring admin.

backend/nestjs-seshat-api/src/app.module.ts

@@ -74,7 +74,8 @@ import { BullModule } from '@nestjs/bullmq';
     BooksModule,
     ProvidersModule,
     SeriesModule,
-    LibraryModule
+    LibraryModule,
+    ConfigModule,
   ],
   controllers: [AppController],
   providers: [AppService, UsersService],

backend/nestjs-seshat-api/src/auth/auth.controller.ts

@@ -1,5 +1,4 @@
-import { Controller, Request, Post, UseGuards, Body, Res, Delete, Patch } from '@nestjs/common';
+import { Controller, Request, Post, UseGuards, Body, Res, Delete, Patch, UnauthorizedException } from '@nestjs/common';
-import { LoginAuthGuard } from './guards/login-auth.guard';
 import { AuthService } from './auth.service';
 import { UsersService } from 'src/users/users.service';
 import { RegisterUserDto } from './dto/register-user.dto';
@@ -21,7 +20,7 @@ export class AuthController {
     private logger: PinoLogger,
   ) { }
 
-  @UseGuards(LoginAuthGuard)
+  @UseGuards(OfflineGuard)
   @Post('login')
   async login(
     @Request() req,
@@ -30,7 +29,7 @@ export class AuthController {
   ) {
     let data: AuthenticationDto | null;
     try {
-      data = await this.auth.login(req.user, body.remember_me);
+      data = await this.auth.login(body);
       if (!data.access_token || body.remember_me && (!data.refresh_token || !data.refresh_exp)) {
         response.statusCode = 500;
         return {
@@ -47,6 +46,14 @@ export class AuthController {
         error: err,
       });
 
+      if (err instanceof UnauthorizedException) {
+        response.statusCode = 401;
+        return {
+          success: false,
+          error_message: 'Invalid credentials.',
+        };
+      }
+
       response.statusCode = 500;
       return {
         success: false,
@@ -224,7 +231,11 @@ export class AuthController {
     }
 
     try {
-      data = await this.auth.login(user, false);
+      data = await this.auth.login({
+        user_login: body.user_login,
+        password: body.password,
+        remember_me: false,
+      });
       if (!data.access_token) {
         this.logger.error({
           class: AuthController.name,
@@ -250,6 +261,15 @@ export class AuthController {
         error: err,
       });
 
+      // This should never happen...
+      if (err instanceof UnauthorizedException) {
+        response.statusCode = 401;
+        return {
+          success: false,
+          error_message: 'Invalid credentials.',
+        };
+      }
+
       response.statusCode = 500;
       return {
         success: false,
@@ -264,13 +284,6 @@ export class AuthController {
       sameSite: 'strict',
     });
 
-    response.cookie('Refresh', data.refresh_token, {
-      httpOnly: true,
-      secure: true,
-      expires: new Date(data.refresh_exp),
-      sameSite: 'strict',
-    });
-
     return {
       success: true,
     };

backend/nestjs-seshat-api/src/auth/auth.module.ts

@@ -2,7 +2,6 @@ import { Module } from '@nestjs/common';
 import { AuthService } from './auth.service';
 import { UsersModule } from 'src/users/users.module';
 import { PassportModule } from '@nestjs/passport';
-import { LoginStrategy } from './strategies/login.strategy';
 import { AuthController } from './auth.controller';
 import { ConfigModule, ConfigService } from '@nestjs/config';
 import { JwtModule } from '@nestjs/jwt';
@@ -37,7 +36,6 @@ import { JwtRefreshStrategy } from './strategies/jwt-refresh.strategy';
     AuthService,
     JwtStrategy,
     JwtRefreshStrategy,
-    LoginStrategy,
   ],
   controllers: [AuthController]
 })

backend/nestjs-seshat-api/src/auth/auth.service.ts

@@ -1,9 +1,11 @@
-import { Injectable } from '@nestjs/common';
+import { Injectable, UnauthorizedException } from '@nestjs/common';
 import { UserEntity } from 'src/users/entities/users.entity';
 import { UsersService } from 'src/users/users.service';
 import { AuthRefreshService } from './auth.refresh.service';
 import { AuthAccessService } from './auth.access.service';
 import { UUID } from 'crypto';
+import { AuthenticationDto } from './dto/authentication.dto';
+import { LoginDto } from './dto/login.dto';
 
 @Injectable()
 export class AuthService {
@@ -15,10 +17,14 @@ export class AuthService {
 
 
   async login(
-    user: UserEntity,
+    loginDetails: LoginDto
-    withRefresh: boolean
+  ): Promise<AuthenticationDto | null> {
-  ): Promise<AuthenticationDto> {
+    const user = await this.users.findOne(loginDetails);
-    if (withRefresh) {
+    if (!user) {
+      throw new UnauthorizedException();
+    }
+
+    if (loginDetails.remember_me) {
       return this.renew(user);
     }
 
@@ -47,7 +53,7 @@ export class AuthService {
     username: string,
     password: string,
   ): Promise<UserEntity | null> {
-    return await this.users.findOne({ username, password });
+    return await this.users.findOne({ user_login: username, password, remember_me: false });
   }
 
   async verify(

backend/nestjs-seshat-api/src/auth/dto/login.dto.ts

@@ -1,6 +1,18 @@
-import { IsBoolean, IsOptional } from 'class-validator';
+import { IsBoolean, IsNotEmpty, IsOptional, IsString, MaxLength, MinLength } from 'class-validator';
 
 export class LoginDto {
+  @IsString()
+  @IsNotEmpty()
+  @MinLength(3)
+  @MaxLength(24)
+  readonly user_login: string;
+
+  @IsString()
+  @IsNotEmpty()
+  @MinLength(8)
+  @MaxLength(128)
+  readonly password: string;
+
   @IsBoolean()
   @IsOptional()
   readonly remember_me: boolean;

backend/nestjs-seshat-api/src/auth/guards/jwt-access.guard.ts

@@ -5,7 +5,7 @@ import { AuthGuard } from '@nestjs/passport';
 @Injectable()
 export class JwtAccessGuard extends AuthGuard('jwt-access') {
   handleRequest(err, user, info) {
-    if (err || !user || !user.isAdmin) {
+    if (err || !user) {
       throw err || new UnauthorizedException();
     }
     return user;

backend/nestjs-seshat-api/src/auth/guards/login-auth.guard.ts

@@ -1,6 +0,0 @@
-
-import { Injectable } from '@nestjs/common';
-import { AuthGuard } from '@nestjs/passport';
-
-@Injectable()
-export class LoginAuthGuard extends AuthGuard('login') { }

backend/nestjs-seshat-api/src/auth/guards/offline.guard.ts

@@ -1,13 +1,13 @@
 
-import { CanActivate, ExecutionContext, Injectable } from '@nestjs/common';
+import { ForbiddenException, Injectable } from '@nestjs/common';
-import { Observable } from 'rxjs';
+import { AuthGuard } from '@nestjs/passport';
 
 @Injectable()
-export class OfflineGuard implements CanActivate {
+export class OfflineGuard extends AuthGuard('jwt-access') {
-  canActivate(
+  handleRequest(err, user, info) {
-    context: ExecutionContext,
+    if (err || user) {
-  ): boolean | Promise<boolean> | Observable<boolean> {
+      throw err || new ForbiddenException();
-    const request = context.switchToHttp().getRequest();
+    }
-    return !request.user;
+    return null;
   }
 }

backend/nestjs-seshat-api/src/auth/strategies/login.strategy.ts

@@ -1,20 +0,0 @@
-
-import { Strategy } from 'passport-local';
-import { PassportStrategy } from '@nestjs/passport';
-import { Injectable, UnauthorizedException } from '@nestjs/common';
-import { AuthService } from '../auth.service';
-
-@Injectable()
-export class LoginStrategy extends PassportStrategy(Strategy, 'login') {
-  constructor(private authService: AuthService) {
-    super();
-  }
-
-  async validate(username: string, password: string): Promise<any> {
-    const user = await this.authService.validate(username, password);
-    if (!user) {
-      throw new UnauthorizedException();
-    }
-    return user;
-  }
-}

backend/nestjs-seshat-api/src/users/dto/login-user.dto.ts

@@ -1,9 +0,0 @@
-import { IsNotEmpty } from 'class-validator';
-
-export class LoginUserDto {
-  @IsNotEmpty()
-  readonly username: string;
-
-  @IsNotEmpty()
-  readonly password: string;
-}

backend/nestjs-seshat-api/src/users/users.service.ts

@@ -3,8 +3,8 @@ import { Injectable } from '@nestjs/common';
 import { InjectRepository } from '@nestjs/typeorm';
 import { Repository } from 'typeorm';
 import { UserEntity } from './entities/users.entity';
-import { LoginUserDto } from './dto/login-user.dto';
 import { UUID } from 'crypto';
+import { LoginDto } from 'src/auth/dto/login.dto';
 
 class UserDto {
   userId: UUID;
@@ -32,15 +32,15 @@ export class UsersService {
     }));
   }
 
-  async findOne({ username, password }: LoginUserDto): Promise<UserEntity> {
+  async findOne(loginDetails: LoginDto): Promise<UserEntity> {
-    const user = await this.userRepository.findOneBy({ userLogin: username });
+    const user = await this.userRepository.findOneBy({ userLogin: loginDetails.user_login });
     if (!user) {
       // TODO: force an argon2.verify() to occur here.
       return null;
     }
 
     const buffer = Buffer.concat([
-      Buffer.from(password, 'utf8'),
+      Buffer.from(loginDetails.password, 'utf8'),
       Buffer.from(user.salt.toString(16), 'hex'),
     ]);