Remove Passport

demo/api/package.json

@@ -38,7 +38,6 @@
         "@nestjs/config": "^2.0.0",
         "@nestjs/core": "^9.0.0",
         "@nestjs/graphql": "^10.0.0",
-        "@nestjs/passport": "^9.0.0",
         "@nestjs/platform-express": "^9.0.0",
         "@opentelemetry/api": "^1.9.0",
         "@opentelemetry/auto-instrumentations-node": "^0.50.0",
@@ -70,7 +69,6 @@
         "multer": "^1.0.0",
         "nestjs-console": "^8.0.0",
         "node-fetch": "^2.0.0",
-        "passport": "^0.4.0",
         "reflect-metadata": "^0.1.13",
         "response-time": "^2.3.2",
         "rimraf": "^3.0.0",
@@ -94,7 +92,6 @@
         "@types/mime": "^2.0.0",
         "@types/multer": "^1.0.0",
         "@types/node": "^22.0.0",
-        "@types/passport": "^1.0.0",
         "@types/pg": "^8.0.0",
         "@types/response-time": "^2.3.8",
         "@types/rimraf": "^3.0.0",

demo/api/schema.gql

@@ -2,34 +2,6 @@
 # THIS FILE WAS AUTOMATICALLY GENERATED (DO NOT MODIFY)
 # ------------------------------------------------------
 
-type User {
-  id: String!
-  name: String!
-  email: String!
-  permissionsCount: Int!
-  contentScopesCount: Int!
-}
-
-type CurrentUserPermission {
-  permission: String!
-  contentScopes: [JSONObject!]!
-}
-
-"""
-The `JSONObject` scalar type represents JSON objects as specified by [ECMA-404](http://www.ecma-international.org/publications/files/ECMA-ST/ECMA-404.pdf).
-"""
-scalar JSONObject @specifiedBy(url: "http://www.ecma-international.org/publications/files/ECMA-ST/ECMA-404.pdf")
-
-type CurrentUser {
-  id: String!
-  name: String!
-  email: String!
-  permissions: [CurrentUserPermission!]!
-  impersonated: Boolean
-  authenticatedUser: User
-  permissionsForScope(scope: JSONObject!): [String!]!
-}
-
 type UserPermission {
   id: ID!
   source: UserPermissionSource!
@@ -53,6 +25,34 @@ A date-time string at UTC, such as 2019-12-03T09:54:33Z, compliant with the date
 """
 scalar DateTime
 
+"""
+The `JSONObject` scalar type represents JSON objects as specified by [ECMA-404](http://www.ecma-international.org/publications/files/ECMA-ST/ECMA-404.pdf).
+"""
+scalar JSONObject @specifiedBy(url: "http://www.ecma-international.org/publications/files/ECMA-ST/ECMA-404.pdf")
+
+type User {
+  id: String!
+  name: String!
+  email: String!
+  permissionsCount: Int!
+  contentScopesCount: Int!
+}
+
+type CurrentUserPermission {
+  permission: String!
+  contentScopes: [JSONObject!]!
+}
+
+type CurrentUser {
+  id: String!
+  name: String!
+  email: String!
+  permissions: [CurrentUserPermission!]!
+  impersonated: Boolean
+  authenticatedUser: User
+  permissionsForScope(scope: JSONObject!): [String!]!
+}
+
 type Dependency {
   rootId: String!
   rootGraphqlObjectType: String!

demo/api/src/auth/auth.module.ts

@@ -1,4 +1,4 @@
-import { createAuthResolver, createCometAuthGuard, createStaticAuthedUserStrategy, createStaticCredentialsBasicStrategy } from "@comet/cms-api";
+import { CometAuthGuard, createAuthGuardProviders, createAuthResolver, createBasicAuthService, createStaticUserAuthService } from "@comet/cms-api";
 import { DynamicModule, Module } from "@nestjs/common";
 import { APP_GUARD } from "@nestjs/core";
 import { Config } from "@src/config/config";
@@ -15,18 +15,17 @@ export class AuthModule {
         return {
             module: AuthModule,
             providers: [
-                createStaticCredentialsBasicStrategy({
-                    username: SYSTEM_USER_NAME,
-                    password: config.auth.systemUserPassword,
-                    strategyName: "system-user",
-                }),
-                createStaticAuthedUserStrategy({
-                    staticAuthedUser: staticUsers[0],
-                }),
+                ...createAuthGuardProviders(
+                    createBasicAuthService({
+                        username: SYSTEM_USER_NAME,
+                        password: config.auth.systemUserPassword,
+                    }),
+                    createStaticUserAuthService({ staticUser: staticUsers[0] }),
+                ),
                 createAuthResolver(),
                 {
                     provide: APP_GUARD,
-                    useClass: createCometAuthGuard(["system-user", "static-authed-user"]),
+                    useClass: CometAuthGuard,
                 },
                 UserService,
                 AccessControlService,

packages/api/cms-api/package.json

@@ -41,7 +41,6 @@
         "@hapi/accept": "^5.0.2",
         "@nestjs/jwt": "^9.0.0",
         "@nestjs/mapped-types": "^1.2.2",
-        "@nestjs/passport": "^9.0.0",
         "@opentelemetry/api": "^1.9.0",
         "@smithy/node-http-handler": "3.1.4",
         "@types/get-image-colors": "^4.0.0",
@@ -68,10 +67,6 @@
         "mime-db": "^1.0.0",
         "multer": "^1.4.4",
         "node-fetch": "^2.0.0",
-        "passport": "^0.6.0",
-        "passport-custom": "^1.1.1",
-        "passport-http": "^0.3.0",
-        "passport-jwt": "^4.0.0",
         "pluralize": "^8.0.0",
         "probe-image-size": "^7.0.0",
         "reflect-metadata": "^0.1.0",
@@ -107,8 +102,6 @@
         "@types/multer": "^1.4.4",
         "@types/node": "^22.0.0",
         "@types/node-fetch": "^2.6.2",
-        "@types/passport-http": "^0.3.9",
-        "@types/passport-jwt": "^3.0.7",
         "@types/pluralize": "^0.0.29",
         "@types/probe-image-size": "^7.0.0",
         "@types/request-ip": "^0.0.41",

packages/api/cms-api/schema.gql

@@ -1,31 +1,3 @@
-type User {
-  id: String!
-  name: String!
-  email: String!
-  permissionsCount: Int!
-  contentScopesCount: Int!
-}
-
-type CurrentUserPermission {
-  permission: String!
-  contentScopes: [JSONObject!]!
-}
-
-"""
-The `JSONObject` scalar type represents JSON objects as specified by [ECMA-404](http://www.ecma-international.org/publications/files/ECMA-ST/ECMA-404.pdf).
-"""
-scalar JSONObject @specifiedBy(url: "http://www.ecma-international.org/publications/files/ECMA-ST/ECMA-404.pdf")
-
-type CurrentUser {
-  id: String!
-  name: String!
-  email: String!
-  permissions: [CurrentUserPermission!]!
-  impersonated: Boolean
-  authenticatedUser: User
-  permissionsForScope(scope: JSONObject!): [String!]!
-}
-
 type UserPermission {
   id: ID!
   source: UserPermissionSource!
@@ -49,6 +21,34 @@ A date-time string at UTC, such as 2019-12-03T09:54:33Z, compliant with the date
 """
 scalar DateTime
 
+"""
+The `JSONObject` scalar type represents JSON objects as specified by [ECMA-404](http://www.ecma-international.org/publications/files/ECMA-ST/ECMA-404.pdf).
+"""
+scalar JSONObject @specifiedBy(url: "http://www.ecma-international.org/publications/files/ECMA-ST/ECMA-404.pdf")
+
+type User {
+  id: String!
+  name: String!
+  email: String!
+  permissionsCount: Int!
+  contentScopesCount: Int!
+}
+
+type CurrentUserPermission {
+  permission: String!
+  contentScopes: [JSONObject!]!
+}
+
+type CurrentUser {
+  id: String!
+  name: String!
+  email: String!
+  permissions: [CurrentUserPermission!]!
+  impersonated: Boolean
+  authenticatedUser: User
+  permissionsForScope(scope: JSONObject!): [String!]!
+}
+
 type Dependency {
   rootId: String!
   rootGraphqlObjectType: String!

packages/api/cms-api/src/auth/guards/comet.guard.ts

@@ -1,59 +1,73 @@
-import { CanActivate, ExecutionContext, HttpException, Injectable, mixin } from "@nestjs/common";
+import { CanActivate, ExecutionContext, Inject, Injectable, UnauthorizedException } from "@nestjs/common";
 import { Reflector } from "@nestjs/core";
 import { GqlContextType, GqlExecutionContext } from "@nestjs/graphql";
-import { AuthGuard, IAuthGuard, Type } from "@nestjs/passport";
 import { Request } from "express";
-import { isObservable, lastValueFrom } from "rxjs";
 
-export function createCometAuthGuard(type?: string | string[]): Type<IAuthGuard> {
-    @Injectable()
-    class CometAuthGuard extends AuthGuard(type) implements CanActivate {
-        constructor(private reflector: Reflector) {
-            super();
+import { CurrentUser } from "../../user-permissions/dto/current-user";
+import { UserPermissionsService } from "../../user-permissions/user-permissions.service";
+import { AuthServiceInterface } from "../util/auth-service.interface";
+
+@Injectable()
+export class CometAuthGuard implements CanActivate {
+    constructor(
+        private reflector: Reflector,
+        private readonly service: UserPermissionsService,
+        @Inject("COMET_AUTH_SERVICES") private readonly authServices: AuthServiceInterface[],
+    ) {}
+
+    private getRequest(context: ExecutionContext): Request & { user: CurrentUser } {
+        return context.getType().toString() === "graphql"
+            ? GqlExecutionContext.create(context).getContext().req
+            : context.switchToHttp().getRequest();
+    }
+
+    async canActivate(context: ExecutionContext): Promise<boolean> {
+        const request = this.getRequest(context);
+
+        const disableCometGuard = this.reflector.getAllAndOverride("disableCometGuards", [context.getHandler(), context.getClass()]);
+        const hasIncludeInvisibleContentHeader = !!request.headers["x-include-invisible-content"];
+        if (disableCometGuard && !hasIncludeInvisibleContentHeader) {
+            return true;
         }
 
-        getRequest(context: ExecutionContext): Request {
-            return context.getType().toString() === "graphql"
-                ? GqlExecutionContext.create(context).getContext().req
-                : context.switchToHttp().getRequest();
+        if (this.isResolvingGraphQLField(context)) {
+            return true;
         }
 
-        // eslint-disable-next-line @typescript-eslint/explicit-module-boundary-types, @typescript-eslint/no-explicit-any
-        handleRequest<CurrentUser>(err: unknown, user: any): CurrentUser {
-            if (err) {
-                throw err;
-            }
-            if (user) {
-                return user;
+        let user = await this.getAuthenticatedUser(request);
+        if (!user) return false;
+
+        if (typeof user === "string") {
+            const userId = user;
+            const userService = this.service.getUserService();
+            if (!userService) throw new UnauthorizedException(`User authenticated by ID but no user service given: ${userId}`);
+            try {
+                user = await userService.getUser(userId); // TODO Cache this call
+            } catch (e) {
+                throw new UnauthorizedException(`Could not get user from UserService: ${userId}`);
             }
-            throw new HttpException("UNAUTHENTICATED", 401);
         }
 
-        async canActivate(context: ExecutionContext): Promise<boolean> {
-            const disableCometGuard = this.reflector.getAllAndOverride("disableCometGuards", [context.getHandler(), context.getClass()]);
-            const hasIncludeInvisibleContentHeader = !!this.getRequest(context).headers["x-include-invisible-content"];
-            if (disableCometGuard && !hasIncludeInvisibleContentHeader) {
-                return true;
-            }
+        request["user"] = await this.service.createCurrentUser(user);
 
-            if (this.isResolvingGraphQLField(context)) {
-                return true;
-            }
+        return true;
+    }
 
-            const canActivate = await super.canActivate(context);
-            return isObservable(canActivate) ? lastValueFrom(canActivate) : canActivate;
+    private async getAuthenticatedUser(request: Request) {
+        for (const authService of this.authServices) {
+            const user = await authService.authenticateUser(request);
+            if (user) return user;
         }
+    }
 
-        // See https://docs.nestjs.com/graphql/other-features#execute-enhancers-at-the-field-resolver-level
-        private isResolvingGraphQLField(context: ExecutionContext): boolean {
-            if (context.getType<GqlContextType>() === "graphql") {
-                const gqlContext = GqlExecutionContext.create(context);
-                const info = gqlContext.getInfo();
-                const parentType = info.parentType.name;
-                return parentType !== "Query" && parentType !== "Mutation";
-            }
-            return false;
+    // See https://docs.nestjs.com/graphql/other-features#execute-enhancers-at-the-field-resolver-level
+    private isResolvingGraphQLField(context: ExecutionContext): boolean {
+        if (context.getType<GqlContextType>() === "graphql") {
+            const gqlContext = GqlExecutionContext.create(context);
+            const info = gqlContext.getInfo();
+            const parentType = info.parentType.name;
+            return parentType !== "Query" && parentType !== "Mutation";
         }
+        return false;
     }
-    return mixin(CometAuthGuard);
 }

packages/api/cms-api/src/auth/services/basic.auth-service.ts

@@ -0,0 +1,30 @@
+import { Injectable, UnauthorizedException } from "@nestjs/common";
+import { Request } from "express";
+
+import { AuthServiceInterface } from "../util/auth-service.interface";
+
+interface BasicAuthServiceConfig {
+    username: string;
+    password: string;
+}
+
+export function createBasicAuthService({ username: requiredUsername, password: requiredPassword }: BasicAuthServiceConfig) {
+    if (requiredUsername === "") throw new Error(`username for BasicAuthService must no be empty`);
+    if (requiredPassword === "") throw new Error(`password for BasicAuthService (username "${requiredUsername}") must no be empty`);
+
+    @Injectable()
+    class BasicAuthService implements AuthServiceInterface {
+        authenticateUser(request: Request) {
+            const [type, token] = request.header("authorization")?.split(" ") ?? [];
+            if (type !== "Basic") return;
+
+            const [username, password] = Buffer.from(token, "base64").toString("ascii").split(":");
+            if (username !== requiredUsername) return;
+
+            if (password !== requiredPassword) throw new UnauthorizedException(`Wrong password for Basic Auth user "${username}".`);
+
+            return username;
+        }
+    }
+    return BasicAuthService;
+}