Finish Signin, SignUp, Refresh Token and validate all tokens with Guards

Author: Ángel De La Cruz

src/auth/abstract/auth-jwt.ts

@@ -1,10 +1,11 @@
 
-import { ConflictException, ForbiddenException, InternalServerErrorException } from "@nestjs/common";
+import { ConflictException, ForbiddenException, HttpException, HttpStatus, InternalServerErrorException } from "@nestjs/common";
 import { JwtService } from "@nestjs/jwt";
 import * as bcrypt from 'bcrypt';
 import { Tokens } from "../types";
 import { PrismaService } from '../../prisma/prisma.service';
 import { HashingException, UpdateHashException } from './../../exceptions';
+import { User } from "@prisma/client";
 
 
 export abstract class AuthJwt {
@@ -110,14 +111,16 @@ export abstract class AuthJwt {
      * user's ID or subject identifier. It is used to identify the user whose refresh token hash needs to
      * be updated to `null` during the logout process.
      */
-    async logout(sub: number) {
+    async logout(sub: number): Promise<boolean> {
         try {
-            await this.prismaService.user.update({
+            const result = await this.prismaService.user.update({
                 where: { id: sub },
                 data: {
                     refreshTokenHash: null,
                 },
             });
+
+            return !!result;
         } catch (error) {
             throw new UpdateHashException(sub, error.message);
         }
@@ -172,4 +175,54 @@ export abstract class AuthJwt {
             throw new InternalServerErrorException('Error al procesar el token de actualización.');
         }
     }
+
+    /**
+     * This TypeScript function asynchronously finds a user by their email using Prisma.
+     * @param {string} email - The `findUserEmail` function is an asynchronous function that takes an
+     * email address as a parameter and returns a Promise that resolves to a `User` object. The function
+     * uses the `prismaService` to query the database and find the first user with the specified email
+     * address.
+     * @returns The `findUserEmail` function is returning a Promise that resolves to a `User` object.
+     */
+    async findUserEmail(email: string): Promise<User> {
+        const user = await this.prismaService.user.findFirst({
+            where: {
+                email
+            }
+        })
+        return user;
+    }
+
+
+    /**
+     * The function `compareUserPassword` asynchronously compares an authentication password with a hashed
+     * password using bcrypt and returns a boolean indicating whether they match.
+     * @param {string} authPassword - The `authPassword` parameter is the password provided by the user
+     * during authentication, typically entered through a login form or API request. This password needs to
+     * be compared with the hashed password stored in the database (retrieved as `prismaPassword`) to
+     * verify the user's identity. The `compare
+     * @param {string} prismaPassword - The `prismaPassword` parameter in the `compareUserPassword`
+     * function refers to the hashed password stored in your database, typically hashed using a secure
+     * hashing algorithm like bcrypt. When a user tries to authenticate, their input password
+     * (`authPassword`) is compared with the hashed password retrieved from the database to
+     * @returns A boolean value is being returned. If the authentication password matches the Prisma
+     * password, the function returns `true`.
+     */
+    async compareUserPassword(authPassword: string, prismaPassword: string): Promise<boolean> {
+        try {
+
+            const rtMatches = await bcrypt.compare(authPassword, prismaPassword);
+            if (!rtMatches) {
+                throw new ForbiddenException('Authentication failed. Please check your credentials.');
+            }
+
+            return rtMatches;
+        } catch (error) {
+            if (error instanceof ForbiddenException) {
+                throw error
+            }
+            throw new HttpException("An unexpected error occurred. Please try again later.", HttpStatus.INTERNAL_SERVER_ERROR);
+        }
+    }
+
 }

src/auth/auth.controller.ts

@@ -1,10 +1,10 @@
 import { AuthService } from './auth.service';
 import { Body, Controller, Post, UseGuards } from '@nestjs/common';
-import { AuthDto } from './dto';
+import { AuthDto, SigninDto } from './dto';
 import { Tokens } from './types';
 import { AtGuard } from './guards';
 import { RtGuard } from './guards/rt-guards';
-import { GetCurrentUser, GetCurrentUserId, Public } from './decorators';
+import { GetCurrentUser, GetCurrentUserId, GetRefreshToken, Public } from './decorators';
 
 @Controller({
     path: 'auth',
@@ -22,14 +22,15 @@ export class AuthController {
 
     @Public()
     @Post('signin')
-    async signin() {
-        await this.authService.signin()
+    async signin(@Body() dto: SigninDto) {
+        return await this.authService.signin(dto)
     }
 
     @UseGuards(AtGuard)
     @Post('logout')
     async logout(@GetCurrentUserId() userId: number) {
-        await this.authService.logout(userId)
+        const result = await this.authService.logout(userId);
+        return result
     }
 
 
@@ -38,10 +39,9 @@ export class AuthController {
     @Post('refresh')
     async refreshToken(
         @GetCurrentUserId() userId: number,
-        @GetCurrentUser('refreshToken') refreshToken: string
+        @GetRefreshToken() refreshToken: string
     ) {
-        console.log(refreshToken)
-        await this.authService.refreshToken(userId, refreshToken)
+        return await this.authService.refreshToken(userId, refreshToken)
     }
 
 }

src/auth/auth.service.ts

@@ -1,10 +1,12 @@
-import { ConflictException, HttpException, HttpStatus, Injectable } from '@nestjs/common';
+import { ConflictException, ForbiddenException, HttpException, HttpStatus, Injectable, UnauthorizedException } from '@nestjs/common';
 import { JwtService } from '@nestjs/jwt';
 import { PrismaService } from '../prisma/prisma.service';
-import { AuthDto } from './dto';
+import { AuthDto, SigninDto } from './dto';
 import { Tokens } from './types';
 
 import { AuthJwt } from './abstract/auth-jwt';
+import { UpdateHashException } from '../exceptions/UpdateHashException';
+import { HashingException } from '../exceptions/HashingException';
 
 @Injectable()
 export class AuthService extends AuthJwt {
@@ -30,17 +32,42 @@ export class AuthService extends AuthJwt {
 
             return tokens
         } catch (error) {
-            if (error instanceof ConflictException) {
+            const allowedExceptions = [UnauthorizedException, UpdateHashException, ConflictException, HashingException];
+
+            if (allowedExceptions.some((exception) => error instanceof exception)) {
                 throw error;
             }
             throw new HttpException("An unexpected error occurred. Please try again later.", HttpStatus.INTERNAL_SERVER_ERROR);
         }
 
     }
 
-    async signin() {
+    async signin(dto: SigninDto): Promise<Tokens> {
+        try {
+            if (!await this.validateEmailExiste(dto.email)) throw new UnauthorizedException("Authentication failed. Please check your credentials.");
+
+            const user = await this.findUserEmail(dto.email);
+
+            await this.compareUserPassword(dto.password, user.password);
+
+            const tokens = await this.getToken(user.id, user.email);
+
+            await this.updatedRtHash(user.id, tokens.refresh_token);
 
+            return tokens;
 
+        } catch (error) {
+            const allowedExceptions = [UnauthorizedException, ForbiddenException];
+
+            if (allowedExceptions.some((exception) => error instanceof exception)) {
+                throw error;
+            }
+
+            throw new HttpException(
+                "An unexpected error occurred. Please try again later.",
+                HttpStatus.INTERNAL_SERVER_ERROR
+            );
+        }
     }
 
     private async validateEmailExiste(email: string): Promise<boolean> {

src/auth/decorators/get-current-user-id.decorator.ts

@@ -2,6 +2,7 @@ import { createParamDecorator, ExecutionContext } from "@nestjs/common";
 
 export const GetCurrentUserId = createParamDecorator((data: string | undefined, context: ExecutionContext) => {
     const request = context.switchToHttp().getRequest();
+
     if (!data) return request.user.sub;
-    return request.user['user'].sub
+    return request.user?.sub
 })

src/auth/decorators/get-refresh-token.decorator.ts

@@ -0,0 +1,6 @@
+import { createParamDecorator, ExecutionContext } from "@nestjs/common";
+
+export const GetRefreshToken = createParamDecorator((data: string | undefined, context: ExecutionContext) => {
+    const request = context.switchToHttp().getRequest();
+    return request?.refreshToken
+})

src/auth/decorators/index.ts

@@ -1,3 +1,4 @@
 export * from './get-current-user.decorator';
 export * from './get-current-user-id.decorator';
+export * from './get-refresh-token.decorator';
 export * from './public.decorator';

src/auth/guards/at-guards.ts

@@ -17,7 +17,6 @@ export class AtGuard extends AuthGuard('jwt') {
 
     async canActivate(context: ExecutionContext) {
 
-
         const isPublic = this.reflector.getAllAndOverride<boolean>(IS_PUBLIC_KEY, [
             context.getHandler(),
             context.getClass(),
@@ -34,15 +33,11 @@ export class AtGuard extends AuthGuard('jwt') {
         }
 
         try {
-            // Validar el token (puedes usar JwtService u otro mecanismo)
             const payload = await this.validateToken(token);
-
-            request.user = payload; // Adjuntar usuario decodificado a la solicitud
+            request.user = payload;
             return true;
         } catch (err) {
-            console.error(err)
-            console.error('Error al validar el token:', err.message);
-            return false;
+            throw err;
         }
     }
 
@@ -51,13 +46,13 @@ export class AtGuard extends AuthGuard('jwt') {
         try {
             return await this.jwService.verifyAsync(token, { secret });
         } catch (error) {
-            if (error.name === 'TokenExpiredError') {
-                throw new UnauthorizedException('El token ha expirado.');
-            } else if (error.name === 'JsonWebTokenError') {
-                throw new UnauthorizedException('Token inválido o firma incorrecta.');
-            } else {
-                throw new UnauthorizedException('Error al procesar el token.');
-            }
+            const errorMessages: Record<string, string> = {
+                TokenExpiredError: 'El token ha expirado.',
+                JsonWebTokenError: 'Token inválido o firma incorrecta.',
+            };
+
+            const message = errorMessages[error.name] || 'Error al procesar el token.';
+            throw new UnauthorizedException(message);
         }
     }
 }

src/auth/guards/rt-guards.ts

@@ -1,37 +1,35 @@
-import { ExecutionContext, UnauthorizedException } from '@nestjs/common';
+import { ExecutionContext, Injectable, UnauthorizedException } from '@nestjs/common';
 import { JwtService } from '@nestjs/jwt';
 import { AuthGuard } from '@nestjs/passport';
-import { Observable } from 'rxjs';
-
+@Injectable()
 export class RtGuard extends AuthGuard('jwt-refresh') {
     constructor(private readonly jwService: JwtService) {
         super()
     }
 
-
-    anActivate(
+    async canActivate(
         context: ExecutionContext,
-    ): boolean | Promise<boolean> | Observable<boolean> {
+    ) {
         const request = context.switchToHttp().getRequest();
-        const token = request.headers?.refreshtoken?.split(' ')[1]
-        console.log(token)
-        const payload = this.validateToken(token);
-        console.log(payload)
-        return false
+        const token = request.headers?.refreshtoken?.split(' ')[1];
+        const payload = await this.validateToken(token);
+        request.user = payload;
+        request.refreshToken = token;
+        return true
     }
 
     private async validateToken(token: string) {
         const secret = process.env.RT;
         try {
             return await this.jwService.verifyAsync(token, { secret });
         } catch (error) {
-            if (error.name === 'TokenExpiredError') {
-                throw new UnauthorizedException('El token ha expirado.');
-            } else if (error.name === 'JsonWebTokenError') {
-                throw new UnauthorizedException('Token inválido o firma incorrecta.');
-            } else {
-                throw new UnauthorizedException('Error al procesar el token.');
-            }
+            const errorMessages: Record<string, string> = {
+                TokenExpiredError: 'El token ha expirado.',
+                JsonWebTokenError: 'Token inválido o firma incorrecta.',
+            };
+
+            const message = errorMessages[error.name] || 'Error al procesar el token.';
+            throw new UnauthorizedException(message);
         }
     }
 }

src/auth/strategies/at.trategy.ts

@@ -18,7 +18,6 @@ export class AtStrategy extends PassportStrategy(Strategy, 'jwt') {
     }
 
     validate(payload: JwtPayload) {
-        console.log(payload,  'Hola')
         return payload;
     }
 }

src/auth/strategies/rt.strategy.ts

@@ -13,11 +13,8 @@ export class RtStrategy extends PassportStrategy(Strategy, 'jwt-refresh') {
         })
     }
     async validate(req: FastifyRequest, payload: any) {
-        console.log(req, 'Hola')
-        // const refreshToken = req.get('authorization').replace('Bearer', '').trim();
         return {
             ...payload,
-            // refreshToken,
         };
     }
 }