feat: authguard for password change api

Signed-off-by: Pranav C <pranavxc@gmail.com>

packages/nocodb-nest/src/app.module.ts

@@ -1,12 +1,13 @@
 import { Module, RequestMethod } from '@nestjs/common';
-import { APP_FILTER } from '@nestjs/core';
+import { APP_FILTER, APP_GUARD } from '@nestjs/core';
 import { ExtractJwt } from 'passport-jwt';
 import { Connection } from './connection/connection';
 import { GlobalExceptionFilter } from './filters/global-exception/global-exception.filter';
+import { GlobalGuard } from './guards/global/global.guard';
 import { GlobalMiddleware } from './middlewares/global/global.middleware';
 import { AuthModule } from './modules/auth/auth.module';
 import { ExtractProjectIdMiddleware } from './middlewares/extract-project-id/extract-project-id.middleware';
-import { AuthService } from './modules/auth/auth.service'
+import { AuthService } from './modules/auth/auth.service';
 import { UsersModule } from './modules/users/users.module';
 import { MetaService } from './meta/meta.service';
 import { UsersService } from './modules/users/users.service';
@@ -51,23 +52,24 @@ import { CachesModule } from './modules/caches/caches.module';
 import { TestModule } from './modules/test/test.module';
 import { PluginsModule } from './modules/plugins/plugins.module';
 import { GlobalModule } from './modules/global/global.module';
-import { LocalStrategy } from './strategies/local.strategy'
+import { LocalStrategy } from './strategies/local.strategy';
-import NcConfigFactory from './utils/NcConfigFactory'
+import NcConfigFactory from './utils/NcConfigFactory';
 import NcUpgrader from './version-upgrader/NcUpgrader';
+import { ClientService } from './services/client/client.service';
+import { AuthTokenStrategy } from './strategies/authtoken.strategy/authtoken.strategy';
+import { BaseViewStrategy } from './strategies/base-view.strategy/base-view.strategy';
+import { GoogleStrategy } from './strategies/google.strategy/google.strategy';
 import type {
   MiddlewareConsumer,
   OnApplicationBootstrap,
   Provider,
 } from '@nestjs/common';
-import { ClientService } from './services/client/client.service';
+/*
-import { AuthTokenStrategy } from './strategies/authtoken.strategy/authtoken.strategy';
-import { BaseViewStrategy } from './strategies/base-view.strategy/base-view.strategy';
-import { GoogleStrategy } from './strategies/google.strategy/google.strategy';
 
 export const JwtStrategyProvider: Provider = {
   provide: JwtStrategy,
   useFactory: async (usersService: UsersService) => {
-    const config = await NcConfigFactory.make()
+    const config = await NcConfigFactory.make();
 
     const options = {
       // ignoreExpiration: false,
@@ -82,6 +84,7 @@ export const JwtStrategyProvider: Provider = {
   },
   inject: [UsersService],
 };
+*/
 
 @Module({
   imports: [
@@ -129,18 +132,23 @@ export const JwtStrategyProvider: Provider = {
   ],
   controllers: [],
   providers: [
+    // {
+    //   provide: APP_GUARD,
+    //   useClass: GlobalGuard,
+    // },
     AuthService,
     {
       provide: APP_FILTER,
       useClass: GlobalExceptionFilter,
     },
-    JwtStrategyProvider,
+    // JwtStrategyProvider,
     LocalStrategy,
     ExtractProjectIdMiddleware,
     ClientService,
     AuthTokenStrategy,
     BaseViewStrategy,
     GoogleStrategy,
+    // GlobalGuard,
   ],
 })
 export class AppModule implements OnApplicationBootstrap {

packages/nocodb-nest/src/guards/global/global.guard.spec.ts

@@ -0,0 +1,7 @@
+import { GlobalGuard } from './global.guard';
+
+describe('GlobalGuard', () => {
+  it('should be defined', () => {
+    expect(new GlobalGuard()).toBeDefined();
+  });
+});

packages/nocodb-nest/src/guards/global/global.guard.ts

@@ -0,0 +1,36 @@
+import { Inject, Injectable } from '@nestjs/common';
+import { AuthGuard } from '@nestjs/passport';
+import { JwtStrategy } from '../../strategies/jwt.strategy';
+import type { ExecutionContext } from '@nestjs/common';
+
+@Injectable()
+export class GlobalGuard extends AuthGuard(['jwt']) {
+  constructor(private jwtStrategy: JwtStrategy) {
+    super();
+  }
+
+  async canActivate(context: ExecutionContext) {
+    let result;
+    try {
+      result = (await super.canActivate(context)) as boolean;
+    } catch (e) {
+      console.log(e);
+    }
+    if (!result) {
+      // If JWT authentication fails, use the fallback strategy to set a default user
+      const req = context.switchToHttp().getRequest();
+      const user = await this.fallbackAuthenticate(req);
+      req.user = user;
+      return true;
+    }
+    return true;
+  }
+
+  private async fallbackAuthenticate(req: any): Promise<any> {
+    return this.jwtStrategy.validate(req, {
+      roles: {
+        guest: true,
+      },
+    });
+  }
+}

packages/nocodb-nest/src/modules/global/global.module.ts

@@ -1,8 +1,33 @@
-import { Global, Module } from '@nestjs/common'
+import { Global, Module, Provider } from '@nestjs/common'
 import { JwtModule, JwtService } from '@nestjs/jwt'
+import { ExtractJwt } from 'passport-jwt'
 import { Connection } from '../../connection/connection'
+import { GlobalGuard } from '../../guards/global/global.guard'
 import { MetaService } from '../../meta/meta.service'
+import { JwtStrategy } from '../../strategies/jwt.strategy'
+import NcConfigFactory from '../../utils/NcConfigFactory'
 import { jwtConstants } from '../auth/constants'
+import { UsersModule } from '../users/users.module'
+import { UsersService } from '../users/users.service'
+
+export const JwtStrategyProvider: Provider = {
+  provide: JwtStrategy,
+  useFactory: async (usersService: UsersService) => {
+    const config = await NcConfigFactory.make();
+
+    const options = {
+      // ignoreExpiration: false,
+      jwtFromRequest: ExtractJwt.fromHeader('xc-auth'),
+      // expiresIn: '10h',
+      passReqToCallback: true,
+      secretOrKey: config.auth.jwt.secret,
+      ...config.auth.jwt.options,
+    };
+
+    return new JwtStrategy(options, usersService);
+  },
+  inject: [UsersService],
+};
 
 @Global()
 @Module({
@@ -12,11 +37,17 @@ import { jwtConstants } from '../auth/constants'
   providers: [
     Connection,
     MetaService,
+    UsersService,
+    JwtStrategyProvider,
+    GlobalGuard
   ],
   exports: [
     Connection,
     MetaService,
     // JwtService,
+    JwtStrategyProvider,
+    UsersService,
+    GlobalGuard
   ],
 })
 export class GlobalModule {

packages/nocodb-nest/src/modules/users/users.controller.ts

@@ -12,6 +12,7 @@ import {
 } from '@nestjs/common'
 import * as ejs from 'ejs';
 import { AuthGuard } from '@nestjs/passport';
+import { GlobalGuard } from '../../guards/global/global.guard'
 import { NcError } from '../../helpers/catchError';
 import {
   Acl,
@@ -142,7 +143,7 @@ export class UsersController {
   }
 
   @Get(['/auth/user/me', '/api/v1/db/auth/user/me', '/api/v1/auth/user/me'])
-  @UseGuards(ExtractProjectIdMiddleware, AuthGuard('jwt'))
+  @UseGuards(ExtractProjectIdMiddleware, GlobalGuard)
   async me(@Request() req) {
     const user = {
       ...req.user,
@@ -156,7 +157,9 @@ export class UsersController {
     '/api/v1/db/auth/password/change',
     '/api/v1/auth/password/change',
   ])
+  @UseGuards(GlobalGuard)
   @Acl('passwordChange')
+  @HttpCode(200)
   async passwordChange(@Request() req: any, @Body() body: any): Promise<any> {
     if (!(req as any).isAuthenticated()) {
       NcError.forbidden('Not allowed');

packages/nocodb-nest/src/modules/users/users.module.ts

@@ -7,11 +7,7 @@ import { UsersController } from './users.controller';
 
 @Module({
   imports: [
-    GlobalModule,
+    GlobalModule
-    JwtModule.register({
-      secret: jwtConstants.secret,
-      signOptions: { expiresIn: '10h' },
-    }),
   ],
   controllers: [UsersController],
   providers: [UsersService],

packages/nocodb-nest/src/modules/users/users.service.ts

@@ -1,6 +1,5 @@
 import { promisify } from 'util';
 import { Injectable } from '@nestjs/common';
-import { JwtService } from '@nestjs/jwt';
 import { OrgUserRoles, validatePassword } from 'nocodb-sdk';
 import { v4 as uuidv4 } from 'uuid';
 import { isEmail } from 'validator';
@@ -28,7 +27,6 @@ import type {
 export class UsersService {
   constructor(
     private metaService: MetaService,
-    private jwtService: JwtService,
   ) {}
 
   async findOne(email: string) {

packages/nocodb-nest/src/modules/views/views.controller.ts

@@ -10,17 +10,17 @@ import {
   Request,
   UseGuards,
 } from '@nestjs/common';
-import { AuthGuard } from '@nestjs/passport';
 import { ViewUpdateReqType } from 'nocodb-sdk';
 import { PagedResponseImpl } from '../../helpers/PagedResponse';
 import {
   ExtractProjectIdMiddleware,
   UseAclMiddleware,
 } from '../../middlewares/extract-project-id/extract-project-id.middleware';
+import { GlobalGuard } from '../../guards/global/global.guard';
 import { ViewsService } from './views.service';
 
 @Controller()
-@UseGuards(ExtractProjectIdMiddleware, AuthGuard('jwt'))
+@UseGuards(ExtractProjectIdMiddleware, GlobalGuard)
 export class ViewsController {
   constructor(private readonly viewsService: ViewsService) {}
 

packages/nocodb-nest/src/strategies/authtoken.strategy/authtoken.strategy.ts

@@ -7,10 +7,12 @@ import type { Request } from 'express';
 @Injectable()
 export class AuthTokenStrategy extends PassportStrategy(Strategy, 'authtoken') {
   constructor() {
-    super({
+    super(
-      headerFields: ['xc-token'],
+      {
-      passReqToCallback: true,
+        headerFields: ['xc-token'],
-    });
+        passReqToCallback: true,
+      },
+    );
   }
 
   // eslint-disable-next-line @typescript-eslint/ban-types

packages/nocodb-nest/src/strategies/jwt.strategy.ts

@@ -1,16 +1,16 @@
-import { Injectable, UnauthorizedException } from '@nestjs/common';
+import { Injectable, UnauthorizedException } from '@nestjs/common'
-import { PassportStrategy } from '@nestjs/passport';
+import { PassportStrategy } from '@nestjs/passport'
-import { ExtractJwt, Strategy } from 'passport-jwt';
+import { ExtractJwt, Strategy } from 'passport-jwt'
-import { OrgUserRoles } from 'nocodb-sdk';
+import { OrgUserRoles } from 'nocodb-sdk'
-import NocoCache from '../cache/NocoCache';
+import NocoCache from '../cache/NocoCache'
-import { ProjectUser, User } from '../models';
+import { ProjectUser, User } from '../models'
-import { genJwt } from '../modules/users/helpers';
+import { genJwt } from '../modules/users/helpers'
-import Noco from '../Noco';
+import Noco from '../Noco'
-import extractRolesObj from '../utils/extractRolesObj';
+import extractRolesObj from '../utils/extractRolesObj'
-import { CacheGetType, CacheScope } from '../utils/globals';
+import { CacheGetType, CacheScope } from '../utils/globals'
-import { jwtConstants } from '../modules/auth/constants';
+import { jwtConstants } from '../modules/auth/constants'
-import { UsersService } from '../modules/users/users.service';
+import { UsersService } from '../modules/users/users.service'
-import NcConfigFactory from '../utils/NcConfigFactory';
+import NcConfigFactory from '../utils/NcConfigFactory'
 
 @Injectable()
 export class JwtStrategy extends PassportStrategy(Strategy) {
@@ -18,10 +18,13 @@ export class JwtStrategy extends PassportStrategy(Strategy) {
     super({
       expiresIn: '10h',
       ...options,
-    });
+    })
   }
 
   async validate(req: any, jwtPayload: any) {
+
+    if (!jwtPayload?.email) return jwtPayload
+
     // todo: improve this
     if (
       req.ncProjectId &&
@@ -31,19 +34,19 @@ export class JwtStrategy extends PassportStrategy(Strategy) {
         return {
           ...user,
           roles: extractRolesObj(`owner,creator,${OrgUserRoles.SUPER_ADMIN}`),
-        };
+        }
-      });
+      })
     }
 
-    const keyVals = [jwtPayload?.email];
+    const keyVals = [jwtPayload?.email]
     if (req.ncProjectId) {
-      keyVals.push(req.ncProjectId);
+      keyVals.push(req.ncProjectId)
     }
-    const key = keyVals.join('___');
+    const key = keyVals.join('___')
     const cachedVal = await NocoCache.get(
       `${CacheScope.USER}:${key}`,
       CacheGetType.TYPE_OBJECT,
-    );
+    )
 
     if (cachedVal) {
       /*todo: tobe fixed
@@ -54,12 +57,12 @@ export class JwtStrategy extends PassportStrategy(Strategy) {
       ) {
         throw new Error('Token Expired. Please login again.');
       }*/
-      return cachedVal;
+      return cachedVal
     }
 
     return User.getByEmail(jwtPayload?.email).then(
       async (user: { roles: any; id: string }) => {
-        user.roles = extractRolesObj(user?.roles);
+        user.roles = extractRolesObj(user?.roles)
         /*
      todo: tobe fixed
      if (
@@ -77,26 +80,26 @@ export class JwtStrategy extends PassportStrategy(Strategy) {
 
           return ProjectUser.get(req.ncProjectId, user.id).then(
             async (projectUser) => {
-              user.roles = extractRolesObj(projectUser?.roles || user.roles);
+              user.roles = extractRolesObj(projectUser?.roles || user.roles)
               user.roles = extractRolesObj(
                 user.roles === 'owner' ? 'owner,creator' : user.roles,
-              );
+              )
               // + (user.roles ? `,${user.roles}` : '');
 
-              await NocoCache.set(`${CacheScope.USER}:${key}`, user);
+              await NocoCache.set(`${CacheScope.USER}:${key}`, user)
-              return user;
+              return user
             },
-          );
+          )
         } else {
           // const roles = projectUser?.roles ? JSON.parse(projectUser.roles) : {guest: true};
           if (user) {
-            await NocoCache.set(`${CacheScope.USER}:${key}`, user);
+            await NocoCache.set(`${CacheScope.USER}:${key}`, user)
-            return user;
+            return user
           } else {
-            throw new Error('User not found');
+            throw new Error('User not found')
           }
         }
       },
-    );
+    )
   }
 }