refactor: implement libnest v8

Author: joshunrau

apps/api/libnest.config.ts

@@ -1,24 +1,21 @@
-/* eslint-disable @typescript-eslint/no-namespace */
 /* eslint-disable @typescript-eslint/no-empty-object-type */
 /* eslint-disable @typescript-eslint/consistent-type-definitions */
+/* eslint-disable @typescript-eslint/no-namespace */
 
 import * as fs from 'node:fs/promises';
 import * as path from 'node:path';
 import * as url from 'node:url';
 
 import { defineUserConfig } from '@douglasneuroinformatics/libnest/user-config';
-import type { InferUserConfig } from '@douglasneuroinformatics/libnest/user-config';
 import { getReleaseInfo } from '@opendatacapture/release-info';
-import type { TokenPayload } from '@opendatacapture/schemas/auth';
-import type { Permissions } from '@opendatacapture/schemas/core';
+
+import type { RuntimePrismaClient } from '@/core/prisma.client.js';
+import type { $Env } from '@/core/schemas/env.schema.js';
 
 declare module '@douglasneuroinformatics/libnest/user-config' {
-  export interface UserConfig extends InferUserConfig<typeof config> {}
   export namespace UserTypes {
-    export interface JwtPayload extends TokenPayload {}
-    export interface UserQueryMetadata {
-      additionalPermissions?: Permissions;
-    }
+    export interface Env extends $Env {}
+    export interface PrismaClient extends RuntimePrismaClient {}
   }
 }
 

apps/api/src/assignments/assignments.controller.ts

@@ -1,9 +1,11 @@
-import { CurrentUser, RouteAccess } from '@douglasneuroinformatics/libnest';
-import type { AppAbility } from '@douglasneuroinformatics/libnest';
+import { CurrentUser } from '@douglasneuroinformatics/libnest';
 import { Body, Controller, Get, Param, Patch, Post, Query } from '@nestjs/common/decorators';
 import { ApiOperation } from '@nestjs/swagger';
 import type { Assignment } from '@opendatacapture/schemas/assignment';
 
+import type { AppAbility } from '@/auth/auth.types';
+import { RouteAccess } from '@/core/decorators/route-access.decorator';
+
 import { AssignmentsService } from './assignments.service';
 import { CreateAssignmentDto } from './dto/create-assignment.dto';
 import { UpdateAssignmentDto } from './dto/update-assignment.dto';

apps/api/src/assignments/assignments.service.ts

@@ -1,11 +1,12 @@
 import crypto from 'node:crypto';
 
 import { HybridCrypto } from '@douglasneuroinformatics/libcrypto';
-import { accessibleQuery, ConfigService, InjectModel } from '@douglasneuroinformatics/libnest';
+import { ConfigService, InjectModel } from '@douglasneuroinformatics/libnest';
 import type { Model } from '@douglasneuroinformatics/libnest';
 import { Injectable, NotFoundException } from '@nestjs/common';
 import type { Assignment, UpdateAssignmentData } from '@opendatacapture/schemas/assignment';
 
+import { accessibleQuery } from '@/auth/ability.utils';
 import type { EntityOperationOptions } from '@/core/types';
 import { GatewayService } from '@/gateway/gateway.service';
 

apps/api/src/auth/__tests__/ability.utils.test.ts

@@ -0,0 +1,24 @@
+import { describe, expect, it, vi } from 'vitest';
+
+import { accessibleQuery } from '../ability.utils';
+
+const accessibleBy = vi.hoisted(() => vi.fn());
+
+vi.mock('@casl/prisma/runtime', () => ({
+  createAccessibleByFactory: () => accessibleBy
+}));
+
+describe('accessibleQuery', () => {
+  it('should return an empty object if ability is undefined', () => {
+    expect(accessibleQuery(undefined, 'manage', 'User')).toStrictEqual({});
+    expect(accessibleBy).not.toHaveBeenCalled();
+  });
+  it('should call accessibleBy with the correct parameters and return the result of accessibleBy for the model', () => {
+    accessibleBy.mockReturnValueOnce({
+      User: 'QUERY'
+    });
+    const ability = vi.fn();
+    expect(accessibleQuery(ability as any, 'manage', 'User')).toStrictEqual('QUERY');
+    expect(accessibleBy).toHaveBeenCalledExactlyOnceWith(ability, 'manage');
+  });
+});

apps/api/src/auth/ability.factory.ts

@@ -0,0 +1,63 @@
+import { AbilityBuilder } from '@casl/ability';
+import { createPrismaAbility } from '@casl/prisma';
+import { LoggingService } from '@douglasneuroinformatics/libnest';
+import { Injectable } from '@nestjs/common';
+import type { TokenPayload } from '@opendatacapture/schemas/auth';
+
+import { createAppAbility, detectAppSubject } from './ability.utils';
+
+import type { AppAbility, Permission } from './auth.types';
+
+@Injectable()
+export class AbilityFactory {
+  constructor(private readonly loggingService: LoggingService) {}
+
+  createForPayload(payload: Omit<TokenPayload, 'permissions'>): AppAbility {
+    this.loggingService.verbose({
+      message: 'Creating Ability From Payload',
+      payload
+    });
+    const ability = new AbilityBuilder<AppAbility>(createPrismaAbility);
+    const groupIds = payload.groups.map((group) => group.id);
+    switch (payload.basePermissionLevel) {
+      case 'ADMIN':
+        ability.can('manage', 'all');
+        break;
+      case 'GROUP_MANAGER':
+        ability.can('manage', 'Assignment', { groupId: { in: groupIds } });
+        ability.can('manage', 'Group', { id: { in: groupIds } });
+        ability.can('read', 'Instrument');
+        ability.can('create', 'InstrumentRecord');
+        ability.can('read', 'InstrumentRecord', { groupId: { in: groupIds } });
+        ability.can('create', 'Session');
+        ability.can('read', 'Session', { groupId: { in: groupIds } });
+        ability.can('create', 'Subject');
+        ability.can('read', 'Subject', { groupIds: { hasSome: groupIds } });
+        ability.can('read', 'User', { groupIds: { hasSome: groupIds } });
+        break;
+      case 'STANDARD':
+        ability.can('read', 'Group', { id: { in: groupIds } });
+        ability.can('read', 'Instrument');
+        ability.can('create', 'InstrumentRecord');
+        ability.can('read', 'Session', { groupId: { in: groupIds } });
+        ability.can('create', 'Session');
+        ability.can('create', 'Subject');
+        ability.can('read', 'Subject', { groupIds: { hasSome: groupIds } });
+        break;
+    }
+    payload.additionalPermissions?.forEach(({ action, subject }) => {
+      ability.can(action, subject);
+    });
+    return ability.build({
+      detectSubjectType: detectAppSubject
+    });
+  }
+
+  createForPermissions(permissions: Permission[]): AppAbility {
+    this.loggingService.verbose({
+      message: 'Creating Ability From Permissions',
+      permissions
+    });
+    return createAppAbility(permissions);
+  }
+}

apps/api/src/auth/ability.utils.ts

@@ -0,0 +1,35 @@
+import { detectSubjectType } from '@casl/ability';
+import { createPrismaAbility } from '@casl/prisma';
+import type { PrismaQuery } from '@casl/prisma';
+import { createAccessibleByFactory } from '@casl/prisma/runtime';
+import type { AppSubject, Prisma } from '@prisma/client';
+
+import type { PrismaModelWhereInputMap } from '@/core/prisma.client';
+
+import type { AppAbilities, AppAbility, AppAction, Permission } from './auth.types';
+
+const accessibleBy = createAccessibleByFactory<PrismaModelWhereInputMap, PrismaQuery>();
+
+export function detectAppSubject(obj: { [key: string]: any }) {
+  if (typeof obj.__modelName === 'string') {
+    return obj.__modelName as AppSubject;
+  }
+  return detectSubjectType(obj) as AppSubject;
+}
+
+export function createAppAbility(permissions: Permission[]): AppAbility {
+  return createPrismaAbility<AppAbilities>(permissions, {
+    detectSubjectType: detectAppSubject
+  });
+}
+
+export function accessibleQuery<T extends Prisma.ModelName>(
+  ability: AppAbility | undefined,
+  action: AppAction,
+  modelName: T
+): NonNullable<PrismaModelWhereInputMap[T]> {
+  if (!ability) {
+    return {};
+  }
+  return accessibleBy(ability, action)[modelName]!;
+}

apps/api/src/auth/auth.controller.ts

@@ -0,0 +1,20 @@
+import { Body, Controller, HttpCode, HttpStatus, Post } from '@nestjs/common';
+import { ApiOperation } from '@nestjs/swagger';
+import { $LoginCredentials } from '@opendatacapture/schemas/auth';
+
+import { RouteAccess } from '@/core/decorators/route-access.decorator.js';
+
+import { AuthService } from './auth.service.js';
+
+@Controller({ path: 'auth' })
+export class AuthController {
+  constructor(private readonly authService: AuthService) {}
+
+  @ApiOperation({ summary: 'Login' })
+  @HttpCode(HttpStatus.OK)
+  @Post('login')
+  @RouteAccess('public')
+  async login(@Body() credentials: $LoginCredentials): Promise<{ accessToken: string }> {
+    return this.authService.login(credentials);
+  }
+}

apps/api/src/auth/auth.module.ts

@@ -0,0 +1,35 @@
+import { ConfigService } from '@douglasneuroinformatics/libnest';
+import { Module } from '@nestjs/common';
+import { APP_GUARD } from '@nestjs/core';
+import { JwtModule } from '@nestjs/jwt';
+
+import { UsersModule } from '@/users/users.module';
+
+import { AbilityFactory } from './ability.factory';
+import { AuthController } from './auth.controller';
+import { AuthService } from './auth.service';
+import { JwtAuthGuard } from './guards/jwt-auth.guard';
+import { JwtStrategy } from './strategies/jwt.strategy';
+
+@Module({
+  controllers: [AuthController],
+  imports: [
+    JwtModule.registerAsync({
+      inject: [ConfigService],
+      useFactory: (configService: ConfigService) => ({
+        secret: configService.get('SECRET_KEY')
+      })
+    }),
+    UsersModule
+  ],
+  providers: [
+    AbilityFactory,
+    AuthService,
+    JwtStrategy,
+    {
+      provide: APP_GUARD,
+      useClass: JwtAuthGuard
+    }
+  ]
+})
+export class AuthModule {}

apps/api/src/auth/auth.service.ts

@@ -0,0 +1,60 @@
+import { CryptoService } from '@douglasneuroinformatics/libnest';
+import { Injectable, NotFoundException, UnauthorizedException } from '@nestjs/common';
+import { JwtService } from '@nestjs/jwt';
+import type { $LoginCredentials, TokenPayload } from '@opendatacapture/schemas/auth';
+import type { Group, User } from '@prisma/client';
+
+import { UsersService } from '@/users/users.service';
+
+import { AbilityFactory } from './ability.factory';
+
+@Injectable()
+export class AuthService {
+  constructor(
+    private readonly abilityFactory: AbilityFactory,
+    private readonly cryptoService: CryptoService,
+    private readonly jwtService: JwtService,
+    private readonly usersService: UsersService
+  ) {}
+
+  async login(credentials: $LoginCredentials): Promise<{ accessToken: string }> {
+    let user: User & {
+      groups: Group[];
+    };
+    try {
+      user = await this.usersService.findByUsername(credentials.username, { includeHashedPassword: true });
+    } catch (err) {
+      if (err instanceof NotFoundException) {
+        throw new UnauthorizedException('Invalid Credentials');
+      }
+      throw err;
+    }
+    const isCorrectPassword = await this.cryptoService.comparePassword(credentials.password, user.hashedPassword);
+    if (isCorrectPassword !== true) {
+      throw new UnauthorizedException('Invalid Credentials');
+    }
+
+    const tokenPayload: Omit<TokenPayload, 'permissions'> = {
+      additionalPermissions: user.additionalPermissions,
+      basePermissionLevel: user.basePermissionLevel,
+      firstName: user.firstName,
+      groups: user.groups,
+      lastName: user.lastName,
+      username: user.username
+    };
+
+    const ability = this.abilityFactory.createForPayload(tokenPayload);
+
+    return {
+      accessToken: await this.jwtService.signAsync(
+        {
+          ...tokenPayload,
+          permissions: ability.rules
+        },
+        {
+          expiresIn: '1h'
+        }
+      )
+    };
+  }
+}

apps/api/src/auth/auth.types.ts

@@ -0,0 +1,23 @@
+import { PureAbility } from '@casl/ability';
+import type { RawRuleOf } from '@casl/ability';
+import type { PrismaQuery, Subjects } from '@casl/prisma';
+import { Prisma } from '@prisma/client';
+import type { DefaultSelection } from '@prisma/client/runtime/library';
+
+type AppAction = 'create' | 'delete' | 'manage' | 'read' | 'update';
+
+type AppSubjects =
+  | 'all'
+  | Subjects<{
+      [K in keyof Prisma.TypeMap['model']]: DefaultSelection<Prisma.TypeMap['model'][K]['payload']>;
+    }>;
+
+type AppSubjectName = Extract<AppSubjects, string>;
+
+type AppAbilities = [AppAction, AppSubjects];
+
+type AppAbility = PureAbility<AppAbilities, PrismaQuery>;
+
+type Permission = RawRuleOf<PureAbility<[AppAction, AppSubjectName], PrismaQuery>>;
+
+export type { AppAbilities, AppAbility, AppAction, AppSubjectName, Permission };