Denied access to login & register while logged in. Fixed regular user auth for requiring admin.

This commit is contained in:
Tom
2025-06-18 13:50:38 +00:00
parent 6b010f66ba
commit 6ac9a2f1ec
11 changed files with 65 additions and 70 deletions

View File

@ -74,7 +74,8 @@ import { BullModule } from '@nestjs/bullmq';
BooksModule, BooksModule,
ProvidersModule, ProvidersModule,
SeriesModule, SeriesModule,
LibraryModule LibraryModule,
ConfigModule,
], ],
controllers: [AppController], controllers: [AppController],
providers: [AppService, UsersService], providers: [AppService, UsersService],

View File

@ -1,5 +1,4 @@
import { Controller, Request, Post, UseGuards, Body, Res, Delete, Patch } from '@nestjs/common'; import { Controller, Request, Post, UseGuards, Body, Res, Delete, Patch, UnauthorizedException } from '@nestjs/common';
import { LoginAuthGuard } from './guards/login-auth.guard';
import { AuthService } from './auth.service'; import { AuthService } from './auth.service';
import { UsersService } from 'src/users/users.service'; import { UsersService } from 'src/users/users.service';
import { RegisterUserDto } from './dto/register-user.dto'; import { RegisterUserDto } from './dto/register-user.dto';
@ -21,7 +20,7 @@ export class AuthController {
private logger: PinoLogger, private logger: PinoLogger,
) { } ) { }
@UseGuards(LoginAuthGuard) @UseGuards(OfflineGuard)
@Post('login') @Post('login')
async login( async login(
@Request() req, @Request() req,
@ -30,7 +29,7 @@ export class AuthController {
) { ) {
let data: AuthenticationDto | null; let data: AuthenticationDto | null;
try { try {
data = await this.auth.login(req.user, body.remember_me); data = await this.auth.login(body);
if (!data.access_token || body.remember_me && (!data.refresh_token || !data.refresh_exp)) { if (!data.access_token || body.remember_me && (!data.refresh_token || !data.refresh_exp)) {
response.statusCode = 500; response.statusCode = 500;
return { return {
@ -47,6 +46,14 @@ export class AuthController {
error: err, error: err,
}); });
if (err instanceof UnauthorizedException) {
response.statusCode = 401;
return {
success: false,
error_message: 'Invalid credentials.',
};
}
response.statusCode = 500; response.statusCode = 500;
return { return {
success: false, success: false,
@ -224,7 +231,11 @@ export class AuthController {
} }
try { try {
data = await this.auth.login(user, false); data = await this.auth.login({
user_login: body.user_login,
password: body.password,
remember_me: false,
});
if (!data.access_token) { if (!data.access_token) {
this.logger.error({ this.logger.error({
class: AuthController.name, class: AuthController.name,
@ -250,6 +261,15 @@ export class AuthController {
error: err, error: err,
}); });
// This should never happen...
if (err instanceof UnauthorizedException) {
response.statusCode = 401;
return {
success: false,
error_message: 'Invalid credentials.',
};
}
response.statusCode = 500; response.statusCode = 500;
return { return {
success: false, success: false,
@ -264,13 +284,6 @@ export class AuthController {
sameSite: 'strict', sameSite: 'strict',
}); });
response.cookie('Refresh', data.refresh_token, {
httpOnly: true,
secure: true,
expires: new Date(data.refresh_exp),
sameSite: 'strict',
});
return { return {
success: true, success: true,
}; };

View File

@ -2,7 +2,6 @@ import { Module } from '@nestjs/common';
import { AuthService } from './auth.service'; import { AuthService } from './auth.service';
import { UsersModule } from 'src/users/users.module'; import { UsersModule } from 'src/users/users.module';
import { PassportModule } from '@nestjs/passport'; import { PassportModule } from '@nestjs/passport';
import { LoginStrategy } from './strategies/login.strategy';
import { AuthController } from './auth.controller'; import { AuthController } from './auth.controller';
import { ConfigModule, ConfigService } from '@nestjs/config'; import { ConfigModule, ConfigService } from '@nestjs/config';
import { JwtModule } from '@nestjs/jwt'; import { JwtModule } from '@nestjs/jwt';
@ -37,7 +36,6 @@ import { JwtRefreshStrategy } from './strategies/jwt-refresh.strategy';
AuthService, AuthService,
JwtStrategy, JwtStrategy,
JwtRefreshStrategy, JwtRefreshStrategy,
LoginStrategy,
], ],
controllers: [AuthController] controllers: [AuthController]
}) })

View File

@ -1,9 +1,11 @@
import { Injectable } from '@nestjs/common'; import { Injectable, UnauthorizedException } from '@nestjs/common';
import { UserEntity } from 'src/users/entities/users.entity'; import { UserEntity } from 'src/users/entities/users.entity';
import { UsersService } from 'src/users/users.service'; import { UsersService } from 'src/users/users.service';
import { AuthRefreshService } from './auth.refresh.service'; import { AuthRefreshService } from './auth.refresh.service';
import { AuthAccessService } from './auth.access.service'; import { AuthAccessService } from './auth.access.service';
import { UUID } from 'crypto'; import { UUID } from 'crypto';
import { AuthenticationDto } from './dto/authentication.dto';
import { LoginDto } from './dto/login.dto';
@Injectable() @Injectable()
export class AuthService { export class AuthService {
@ -15,10 +17,14 @@ export class AuthService {
async login( async login(
user: UserEntity, loginDetails: LoginDto
withRefresh: boolean ): Promise<AuthenticationDto | null> {
): Promise<AuthenticationDto> { const user = await this.users.findOne(loginDetails);
if (withRefresh) { if (!user) {
throw new UnauthorizedException();
}
if (loginDetails.remember_me) {
return this.renew(user); return this.renew(user);
} }
@ -47,7 +53,7 @@ export class AuthService {
username: string, username: string,
password: string, password: string,
): Promise<UserEntity | null> { ): Promise<UserEntity | null> {
return await this.users.findOne({ username, password }); return await this.users.findOne({ user_login: username, password, remember_me: false });
} }
async verify( async verify(

View File

@ -1,6 +1,18 @@
import { IsBoolean, IsOptional } from 'class-validator'; import { IsBoolean, IsNotEmpty, IsOptional, IsString, MaxLength, MinLength } from 'class-validator';
export class LoginDto { export class LoginDto {
@IsString()
@IsNotEmpty()
@MinLength(3)
@MaxLength(24)
readonly user_login: string;
@IsString()
@IsNotEmpty()
@MinLength(8)
@MaxLength(128)
readonly password: string;
@IsBoolean() @IsBoolean()
@IsOptional() @IsOptional()
readonly remember_me: boolean; readonly remember_me: boolean;

View File

@ -5,7 +5,7 @@ import { AuthGuard } from '@nestjs/passport';
@Injectable() @Injectable()
export class JwtAccessGuard extends AuthGuard('jwt-access') { export class JwtAccessGuard extends AuthGuard('jwt-access') {
handleRequest(err, user, info) { handleRequest(err, user, info) {
if (err || !user || !user.isAdmin) { if (err || !user) {
throw err || new UnauthorizedException(); throw err || new UnauthorizedException();
} }
return user; return user;

View File

@ -1,6 +0,0 @@
import { Injectable } from '@nestjs/common';
import { AuthGuard } from '@nestjs/passport';
@Injectable()
export class LoginAuthGuard extends AuthGuard('login') { }

View File

@ -1,13 +1,13 @@
import { CanActivate, ExecutionContext, Injectable } from '@nestjs/common'; import { ForbiddenException, Injectable } from '@nestjs/common';
import { Observable } from 'rxjs'; import { AuthGuard } from '@nestjs/passport';
@Injectable() @Injectable()
export class OfflineGuard implements CanActivate { export class OfflineGuard extends AuthGuard('jwt-access') {
canActivate( handleRequest(err, user, info) {
context: ExecutionContext, if (err || user) {
): boolean | Promise<boolean> | Observable<boolean> { throw err || new ForbiddenException();
const request = context.switchToHttp().getRequest(); }
return !request.user; return null;
} }
} }

View File

@ -1,20 +0,0 @@
import { Strategy } from 'passport-local';
import { PassportStrategy } from '@nestjs/passport';
import { Injectable, UnauthorizedException } from '@nestjs/common';
import { AuthService } from '../auth.service';
@Injectable()
export class LoginStrategy extends PassportStrategy(Strategy, 'login') {
constructor(private authService: AuthService) {
super();
}
async validate(username: string, password: string): Promise<any> {
const user = await this.authService.validate(username, password);
if (!user) {
throw new UnauthorizedException();
}
return user;
}
}

View File

@ -1,9 +0,0 @@
import { IsNotEmpty } from 'class-validator';
export class LoginUserDto {
@IsNotEmpty()
readonly username: string;
@IsNotEmpty()
readonly password: string;
}

View File

@ -3,8 +3,8 @@ import { Injectable } from '@nestjs/common';
import { InjectRepository } from '@nestjs/typeorm'; import { InjectRepository } from '@nestjs/typeorm';
import { Repository } from 'typeorm'; import { Repository } from 'typeorm';
import { UserEntity } from './entities/users.entity'; import { UserEntity } from './entities/users.entity';
import { LoginUserDto } from './dto/login-user.dto';
import { UUID } from 'crypto'; import { UUID } from 'crypto';
import { LoginDto } from 'src/auth/dto/login.dto';
class UserDto { class UserDto {
userId: UUID; userId: UUID;
@ -32,15 +32,15 @@ export class UsersService {
})); }));
} }
async findOne({ username, password }: LoginUserDto): Promise<UserEntity> { async findOne(loginDetails: LoginDto): Promise<UserEntity> {
const user = await this.userRepository.findOneBy({ userLogin: username }); const user = await this.userRepository.findOneBy({ userLogin: loginDetails.user_login });
if (!user) { if (!user) {
// TODO: force an argon2.verify() to occur here. // TODO: force an argon2.verify() to occur here.
return null; return null;
} }
const buffer = Buffer.concat([ const buffer = Buffer.concat([
Buffer.from(password, 'utf8'), Buffer.from(loginDetails.password, 'utf8'),
Buffer.from(user.salt.toString(16), 'hex'), Buffer.from(user.salt.toString(16), 'hex'),
]); ]);