Feature/oauth GitHub

CHANGELOG.md

@@ -48,6 +48,7 @@
 - Added same site property to the clear cookies function ([#218](https://github.com/chingu-x/chingu-dashboard-be/pull/218))
 - Added routes for teams to create own tech stack categories([#208](https://github.com/chingu-x/chingu-dashboard-be/pull/208))
 - Added unit tests for Features controller and services ([#220](https://github.com/chingu-x/chingu-dashboard-be/pull/220))
+- Add github oauth and e2e test ([#194](https://github.com/chingu-x/chingu-dashboard-be/pull/222))
 - Added GET endpoint for solo project ([#223](https://github.com/chingu-x/chingu-dashboard-be/pull/223))
 - Added units test for sprints ([#224](https://github.com/chingu-x/chingu-dashboard-be/pull/224))
 

README.md

@@ -45,6 +45,10 @@ DISCORD_CLIENT_ID={check Important Resources page}
 DISCORD_CLIENT_SECRET={check Important Resources page}
 DISCORD_CALLBACK_URL=http://localhost:8000/api/v1/auth/discord/redirect
 
+GITHUB_CLIENT_ID=
+GITHUB_CLIENT_SECRET=
+GITHUB_CALLBACK_URL=http://localhost:8000/api/v1/auth/github/redirect 
+
 # .env.test
 DATABASE_URL={your test database connection string}
 NODE_ENV=test

package.json

@@ -67,6 +67,7 @@
         "node-mailjet": "^6.0.6",
         "passport": "^0.7.0",
         "passport-discord": "^0.1.4",
+        "passport-github2": "^0.1.12",
         "passport-jwt": "^4.0.1",
         "passport-local": "^1.0.0",
         "reflect-metadata": "^0.2.2",

prisma/seed/data/oauth-providers.ts

@@ -2,4 +2,7 @@ export default [
     {
         name: "discord",
     },
+    {
+        name: "github",
+    },
 ];

src/auth/auth.controller.ts

@@ -44,6 +44,7 @@ import { CustomRequest } from "@/global/types/CustomRequest";
 import { Response } from "express";
 import { DiscordAuthGuard } from "./guards/discord-auth.guard";
 import { AppConfigService } from "@/config/app/appConfig.service";
+import { GithubAuthGuard } from "./guards/github-auth.guard";
 @ApiTags("Auth")
 @Controller("auth")
 export class AuthController {
@@ -336,6 +337,11 @@ export class AuthController {
         return;
     }
 
+    @ApiResponse({
+        status: HttpStatus.BAD_REQUEST,
+        description: "Invalid code",
+        type: BadRequestErrorResponse,
+    })
     @UseGuards(DiscordAuthGuard)
     @Public()
     @Get("/discord/redirect")
@@ -347,4 +353,33 @@ export class AuthController {
         const FRONTEND_URL = this.appConfigService.FrontendUrl;
         res.redirect(`${FRONTEND_URL}`);
     }
+
+    @ApiOperation({
+        summary: "Github oauth",
+        description:
+            "This does not work on swagger. Open `{BaseURL}/api/v1/auth/github/login` in a browser to see the GitHub popup.",
+    })
+    @UseGuards(GithubAuthGuard)
+    @Public()
+    @Get("/github/login")
+    handleGithubLogin() {
+        return;
+    }
+
+    @ApiResponse({
+        status: HttpStatus.BAD_REQUEST,
+        description: "Invalid code",
+        type: BadRequestErrorResponse,
+    })
+    @UseGuards(GithubAuthGuard)
+    @Public()
+    @Get("/github/redirect")
+    async handleGithubRedirect(
+        @Request() req: CustomRequest,
+        @Res({ passthrough: true }) res: Response,
+    ) {
+        await this.authService.returnTokensOnLoginSuccess(req, res);
+        const FRONTEND_URL = this.appConfigService.FrontendUrl;
+        res.redirect(`${FRONTEND_URL}`);
+    }
 }

src/auth/auth.module.ts

@@ -1,6 +1,6 @@
 import { Module } from "@nestjs/common";
 import { AuthService } from "./auth.service";
-import { UsersModule } from "@/users/users.module";
+import { UsersModule } from "../users/users.module";
 import { AuthController } from "./auth.controller";
 import { PassportModule } from "@nestjs/passport";
 import { LocalStrategy } from "./strategies/local.strategy";
@@ -9,11 +9,13 @@ import { AtStrategy } from "./strategies/at.strategy";
 import { RtStrategy } from "./strategies/rt.strategy";
 import { DiscordStrategy } from "./strategies/discord.strategy";
 import { DiscordAuthService } from "./discord-auth.service";
+import { GithubStrategy } from "./strategies/github.strategy";
+import { GithubAuthService } from "./github-auth.service";
 import { EmailService } from "../utils/emails/email.service";
 import { MailConfigModule } from "@/config/mail/mailConfig.module";
 import { AppConfigModule } from "@/config/app/appConfig.module";
 import { AuthConfigModule } from "@/config/auth/authConfig.module";
-import { OAuthConfigModule } from "@/config/Oauth/oauthConfig.module";
+import { OAuthConfigModule } from "../config/Oauth/oauthConfig.module";
 import { AuthConfig } from "@/config/auth/auth.interface";
 
 @Module({
@@ -43,6 +45,11 @@ import { AuthConfig } from "@/config/auth/auth.interface";
             provide: "DISCORD_OAUTH",
             useClass: DiscordAuthService,
         },
+        GithubStrategy,
+        {
+            provide: "GITHUB_OAUTH",
+            useClass: GithubAuthService,
+        },
     ],
     controllers: [AuthController],
     exports: [AuthService],

src/auth/discord-auth.service.ts

@@ -7,8 +7,8 @@ import { IAuthProvider } from "@/global/interfaces/oauth.interface";
 import { PrismaService } from "@/prisma/prisma.service";
 import { DiscordUser } from "@/global/types/auth.types";
 import { generatePasswordHash } from "@/global/auth/utils";
-
 import { OAuthConfig } from "@/config/Oauth/oauthConfig.interface";
+
 @Injectable()
 export class DiscordAuthService implements IAuthProvider {
     constructor(
@@ -40,10 +40,12 @@ export class DiscordAuthService implements IAuthProvider {
                 "[discord-auth.service]: Cannot get email from discord to create a new Chingu account",
             );
 
+        const existingUser = await this.findUserByEmails([user.email]);
+
         // check if email is in the database, add oauth profile to existing account, otherwise, create a new user account
         return this.prisma.user.upsert({
             where: {
-                email: user.email,
+                id: existingUser.id,
             },
             update: {
                 emailVerified: true,
@@ -78,4 +80,19 @@ export class DiscordAuthService implements IAuthProvider {
             },
         });
     }
+
+    async findUserByEmails(emails): Promise<any | null> {
+        // collect emails as strings
+        const emailStrings = emails.map((email) =>
+            typeof email === "string" ? email : email.value,
+        );
+
+        return this.prisma.user.findFirst({
+            where: {
+                email: {
+                    in: emailStrings,
+                },
+            },
+        });
+    }
 }

src/auth/github-auth.service.ts

@@ -0,0 +1,121 @@
+import {
+    Injectable,
+    Inject,
+    InternalServerErrorException,
+    NotFoundException,
+} from "@nestjs/common";
+import {
+    AuthUserResult,
+    IAuthProvider,
+} from "../global/interfaces/oauth.interface";
+import { PrismaService } from "../prisma/prisma.service";
+import { GithubUser } from "../global/types/auth.types";
+import { generatePasswordHash } from "../global/auth/utils";
+import { OAuthConfig } from "@/config/Oauth/oauthConfig.interface";
+
+@Injectable()
+export class GithubAuthService implements IAuthProvider {
+    constructor(
+        private prisma: PrismaService,
+        @Inject("OAuth-Config") private oAuthConfig: OAuthConfig,
+    ) {}
+    async validateUser(user: GithubUser) {
+        const userInDb = await this.prisma.findUserByOAuthId(
+            "github",
+            user.githubId,
+        );
+
+        if (userInDb)
+            return {
+                id: userInDb.userId,
+                email: user.email,
+            };
+        return this.createUser(user);
+    }
+
+    async createUser(user: GithubUser): Promise<AuthUserResult> {
+        // generate a random password and not tell them so they can't login, but they will be able to reset password,
+        // and will be able to login with this in future,
+        // or maybe the app will prompt user the input the password, exact oauth flow is to be determined
+
+        // this should not happen when "user:email" is in the scope
+        if (!user.email)
+            throw new InternalServerErrorException(
+                "[github-auth.service]: Cannot get email from github to create a new Chingu account",
+            );
+
+        const existingUser = await this.findUserByEmails([
+            user.email,
+            ...(user.verifiedEmails || []),
+        ]);
+
+        // check if email is in the database, add oauth profile to existing account, otherwise, create a new user account
+        let upsertResult;
+        try {
+            upsertResult = await this.prisma.user.upsert({
+                where: {
+                    id: existingUser.id,
+                },
+                update: {
+                    emailVerified: true,
+                    oAuthProfiles: {
+                        create: {
+                            provider: {
+                                connect: {
+                                    name: "github",
+                                },
+                            },
+                            providerUserId: user.githubId,
+                            providerUsername: user.username,
+                        },
+                    },
+                },
+                create: {
+                    email: user.email.value,
+                    password: await generatePasswordHash(),
+                    emailVerified: true,
+                    avatar: user.avatar,
+                    oAuthProfiles: {
+                        create: {
+                            provider: {
+                                connect: {
+                                    name: "github",
+                                },
+                            },
+                            providerUserId: user.githubId,
+                            providerUsername: user.username,
+                        },
+                    },
+                },
+            });
+        } catch (e) {
+            if (e.code === "P2025") {
+                if (e.message.includes("OAuthProvider")) {
+                    throw new NotFoundException(
+                        "OAuth provider not found in the database",
+                    );
+                }
+            }
+            console.error("Unexpected error during upsert:", e);
+            throw e;
+        }
+        return upsertResult;
+    }
+
+    async findUserByEmails(
+        emails: (string | { value: string })[],
+    ): Promise<any | null> {
+        // collect emails as strings
+        const emailStrings = emails.map((email) =>
+            typeof email === "string" ? email : email.value,
+        );
+
+        return this.prisma.user.findFirst({
+            where: {
+                email: {
+                    in: emailStrings,
+                },
+            },
+        });
+    }
+}

src/auth/guards/discord-auth.guard.ts

@@ -1,4 +1,8 @@
-import { ExecutionContext, Injectable } from "@nestjs/common";
+import {
+    BadRequestException,
+    ExecutionContext,
+    Injectable,
+} from "@nestjs/common";
 import { AuthGuard } from "@nestjs/passport";
 
 @Injectable()
@@ -9,9 +13,20 @@ export class DiscordAuthGuard extends AuthGuard("discord") {
         });
     }
     async canActivate(context: ExecutionContext): Promise<boolean> {
-        const activate = (await super.canActivate(context)) as boolean;
+        let activate;
+        try {
+            activate = (await super.canActivate(context)) as boolean;
+        } catch (e) {
+            if (e.code == "invalid_grant") {
+                throw new BadRequestException(
+                    `Invalid code in redirect query param.`,
+                );
+            }
+            throw e;
+        }
         const request = context.switchToHttp().getRequest();
         await super.logIn(request);
+
         return activate;
     }
 }

src/auth/guards/github-auth.guard.ts

@@ -0,0 +1,32 @@
+import {
+    BadRequestException,
+    ExecutionContext,
+    Injectable,
+} from "@nestjs/common";
+import { AuthGuard } from "@nestjs/passport";
+
+@Injectable()
+export class GithubAuthGuard extends AuthGuard("github") {
+    constructor() {
+        super({
+            session: false,
+        });
+    }
+    async canActivate(context: ExecutionContext): Promise<boolean> {
+        let activate;
+        try {
+            activate = (await super.canActivate(context)) as boolean;
+        } catch (e) {
+            if (e.message.includes("Failed to obtain access token")) {
+                throw new BadRequestException(
+                    `Failed to obtain access token. Possibly because of invalid redirect code.`,
+                );
+            }
+            throw e;
+        }
+        const request = context.switchToHttp().getRequest();
+        await super.logIn(request);
+
+        return activate;
+    }
+}