LocChat/server/controllers/sessions.controller.ts

65 lines
2.6 KiB
TypeScript
Raw Normal View History

2021-11-23 16:04:12 -05:00
import { Body, Controller, Delete, HttpException, HttpStatus, Post, Res } from '@nestjs/common';
2021-11-16 21:14:46 -05:00
import { Response } from 'express';
2021-11-20 20:18:58 -05:00
import { UsersService } from 'server/providers/services/users.service';
import { SignInDto } from 'server/dto/sign_in.dto';
2021-11-23 16:04:12 -05:00
import { JwtService } from 'server/providers/services/jwt.service';
import { RefreshTokensService } from 'server/providers/services/refresh_tokens.service';
import { RefreshToken } from 'server/entities/refresh_token.entity';
2021-12-01 22:18:26 -05:00
import { Skip } from 'server/decorators/skip.decorator';
import { AuthGuard } from 'server/providers/guards/auth.guard';
import { RolesService } from 'server/providers/services/roles.service';
import { JwtBody } from 'server/decorators/jwt_body.decorator';
import { JwtBodyDto } from 'server/dto/jwt_body.dto';
2021-11-20 20:18:58 -05:00
2021-11-16 21:14:46 -05:00
// this is kind of a misnomer because we are doing token based auth
// instead of session based auth
@Controller()
export class SessionsController {
2021-11-23 16:04:12 -05:00
constructor(
private usersService: UsersService,
private jwtService: JwtService,
2021-12-01 22:18:26 -05:00
private rolesService: RolesService,
2021-11-23 16:04:12 -05:00
private refreshTokenService: RefreshTokensService,
) {}
2021-11-16 21:14:46 -05:00
2021-11-22 16:21:53 -05:00
@Post('/sessions')
2021-12-01 22:18:26 -05:00
@Skip(AuthGuard)
2021-11-23 16:04:12 -05:00
async create(@Body() body: SignInDto, @Res({ passthrough: true }) res: Response) {
const { verified, user } = await this.usersService.verify(body.email, body.password);
2021-11-16 21:14:46 -05:00
if (!verified) {
2021-11-23 16:04:12 -05:00
throw new HttpException('Invalid email or password.', HttpStatus.BAD_REQUEST);
}
let refreshToken = user.refreshTokens[0];
if (!refreshToken) {
const newRefreshToken = new RefreshToken();
newRefreshToken.user = user;
refreshToken = await this.refreshTokenService.create(newRefreshToken);
// generate new refresh token
2021-11-16 21:14:46 -05:00
}
2021-11-23 16:04:12 -05:00
2021-12-01 22:18:26 -05:00
const userRoles = await this.rolesService.findByIds(user.userRoles.map((ur) => ur.roleId));
2021-11-23 16:04:12 -05:00
// JWT gets sent with response
2021-12-01 22:18:26 -05:00
const token = this.jwtService.issueToken({ userId: user.id, roles: userRoles.map((r) => r.key) });
2021-11-23 16:04:12 -05:00
const refreshJwtToken = this.jwtService.issueRefreshToken({ id: refreshToken.id, userId: user.id });
// only refresh token should go in the cookie
res.cookie('_refresh_token', refreshJwtToken, {
httpOnly: true, // prevents javascript code from accessing cookie (helps protect against XSS attacks)
});
2021-11-20 20:18:58 -05:00
return { token };
2021-11-16 21:14:46 -05:00
}
2021-11-22 16:21:53 -05:00
@Delete('/sessions')
async destroy(@Res({ passthrough: true }) res: Response, @JwtBody() jwtBody: JwtBodyDto) {
const user = await this.usersService.find(jwtBody.userId, ['refreshTokens']);
await this.refreshTokenService.destroy(...user.refreshTokens);
2021-11-23 16:04:12 -05:00
res.clearCookie('_refresh_token');
2021-11-22 16:21:53 -05:00
return { success: true };
}
2021-11-16 21:14:46 -05:00
}