STNDP-144 Handle todo comments and miscellaneous bugs - cleanup (#91)

* STNDP-144 Handle todo comments and miscellaneous bugs - cleanup

* STNDP-144 Handle todo comments and miscellaneous bugs - cleanup

* STNDP-144 Handle todo comments and miscellaneous bugs - cleanup

* STNDP-144 Handle todo comments and miscellaneous bugs - cleanup

* STNDP-144 Handle todo comments and miscellaneous bugs - cleanup

* STNDP-144 Handle todo comments and miscellaneous bugs - cleanup

* STNDP-144 Handle todo comments and miscellaneous bugs - cleanup

Author: hyokualexkwon

apps/api/src/app.module.ts

@@ -2,11 +2,23 @@ import { Module } from '@nestjs/common';
 import { AppController } from './app.controller';
 import { AppService } from './app.service';
 import { AuthModule } from './auth/auth.module';
+import { OtpModule } from './auth/otp/otp.module';
+import { UsersModule } from './auth/users/users.module';
+import { TokenModule } from './auth/token/token.module';
+import { SessionsModule } from './auth/sessions/sessions.module';
 import { BoardsModule } from './boards/boards.module';
 import { DbModule } from './db/db.module';
 
 @Module({
-  imports: [AuthModule, BoardsModule, DbModule],
+  imports: [
+    AuthModule,
+    OtpModule,
+    UsersModule,
+    TokenModule,
+    SessionsModule,
+    BoardsModule,
+    DbModule,
+  ],
   controllers: [AppController],
   providers: [AppService],
 })

apps/api/src/auth/auth.module.ts

@@ -1,11 +1,12 @@
 import { Module } from '@nestjs/common';
-import { OtpModule } from './otp/otp.module';
-import { UsersModule } from './users/users.module';
-import { TokenModule } from './token/token.module';
-import { SessionsModule } from './sessions/sessions.module';
+import { AuthService } from './auth.service';
+import { AuthGuard } from './guards/auth.guard';
+import { PermissiveAuthGuard } from './guards/permissive-auth.guard';
 
 @Module({
   controllers: [],
-  imports: [OtpModule, UsersModule, TokenModule, SessionsModule],
+  imports: [],
+  providers: [AuthService, AuthGuard, PermissiveAuthGuard],
+  exports: [AuthService, AuthGuard, PermissiveAuthGuard],
 })
 export class AuthModule {}

apps/api/src/auth/auth.service.ts

@@ -0,0 +1,50 @@
+import { Injectable } from '@nestjs/common';
+import * as jose from 'jose';
+
+@Injectable()
+export class AuthService {
+  private readonly jwks = jose.createRemoteJWKSet(
+    new URL(process.env.AUTH_SERVICE_JWKS_URL!),
+  );
+
+  /**
+   * Verifies a JWT token and returns the user ID.
+   * Throws an error if the token is invalid.
+   */
+  async verifyToken(token: string): Promise<string> {
+    const { payload } = await jose.jwtVerify<{
+      sub: string;
+      iss: string;
+      iat: number;
+      aud: string;
+      exp: number;
+    }>(token, this.jwks);
+
+    return payload.sub;
+  }
+
+  /**
+   * Optionally verifies a JWT token and returns the user ID.
+   * Returns null if the token is invalid or missing.
+   */
+  async verifyTokenOptional(token?: string): Promise<string | null> {
+    if (!token) {
+      return null;
+    }
+
+    try {
+      return await this.verifyToken(token);
+    } catch (error) {
+      // Silently fail for optional verification
+      return null;
+    }
+  }
+
+  /**
+   * Extracts Bearer token from Authorization header.
+   */
+  extractBearerToken(authHeader?: string): string | undefined {
+    const [type, token] = authHeader?.split(' ') ?? [];
+    return type === 'Bearer' ? token : undefined;
+  }
+}

apps/api/src/auth/decorators/permissive-auth.decorator.ts

@@ -0,0 +1,9 @@
+import { UseGuards } from '@nestjs/common';
+import { PermissiveAuthGuard } from '../guards/permissive-auth.guard';
+
+/**
+ * Decorator that applies PermissiveAuthGuard.
+ * Allows both authenticated and anonymous access, but enhances
+ * the request with user data when authentication is available.
+ */
+export const PermissiveAuth = () => UseGuards(PermissiveAuthGuard);

apps/api/src/auth/guards/auth.guard.ts

@@ -4,50 +4,36 @@ import {
   Injectable,
   UnauthorizedException,
 } from '@nestjs/common';
-import * as jose from 'jose';
 import { Request } from 'express';
+import { AuthService } from '../auth.service';
 
 export interface AuthenticatedRequest extends Request {
   userId: string;
 }
 
 @Injectable()
 export class AuthGuard implements CanActivate {
-  constructor() {}
+  constructor(private readonly authService: AuthService) {}
 
   async canActivate(context: ExecutionContext): Promise<boolean> {
     const request = context.switchToHttp().getRequest<Request>();
 
-    const token = this.extractTokenFromHeader(request);
+    const token = this.authService.extractBearerToken(
+      request.headers.authorization,
+    );
 
     if (!token) {
       throw new UnauthorizedException();
     }
 
-    const jwks = jose.createRemoteJWKSet(
-      new URL(process.env.AUTH_SERVICE_JWKS_URL!),
-    );
-
     try {
-      const { payload } = await jose.jwtVerify<{
-        sub: string;
-        iss: string;
-        iat: number;
-        aud: string;
-        exp: number;
-      }>(token, jwks);
-      (request as AuthenticatedRequest).userId = payload.sub;
+      const userId = await this.authService.verifyToken(token);
+      (request as AuthenticatedRequest).userId = userId;
     } catch (error) {
       console.error(error);
       throw new UnauthorizedException();
     }
 
     return true;
   }
-
-  private extractTokenFromHeader(request: Request): string | undefined {
-    const authHeader = request.headers.authorization;
-    const [type, token] = authHeader?.split(' ') ?? [];
-    return type === 'Bearer' ? token : undefined;
-  }
 }

apps/api/src/auth/guards/permissive-auth.guard.ts

@@ -0,0 +1,34 @@
+import { CanActivate, ExecutionContext, Injectable } from '@nestjs/common';
+import { Request } from 'express';
+import { AuthService } from '../auth.service';
+import { AuthenticatedRequest } from './auth.guard';
+
+/**
+ * PermissiveAuthGuard allows both authenticated and anonymous access.
+ * If a valid Authorization header is present, it will populate req.userId.
+ * If not, the request continues without authentication.
+ *
+ * This is useful for endpoints that provide enhanced functionality for
+ * authenticated users but should remain publicly accessible.
+ */
+@Injectable()
+export class PermissiveAuthGuard implements CanActivate {
+  constructor(private readonly authService: AuthService) {}
+
+  async canActivate(context: ExecutionContext): Promise<boolean> {
+    const request = context.switchToHttp().getRequest<Request>();
+
+    const token = this.authService.extractBearerToken(
+      request.headers.authorization,
+    );
+
+    const userId = await this.authService.verifyTokenOptional(token);
+
+    if (userId) {
+      (request as AuthenticatedRequest).userId = userId;
+    }
+
+    // Always allow the request to proceed
+    return true;
+  }
+}

apps/api/src/auth/sessions/sessions.controller.ts

@@ -1,4 +1,10 @@
-import { Controller, Param, Post, UnauthorizedException } from '@nestjs/common';
+import {
+  Controller,
+  Param,
+  Post,
+  UnauthorizedException,
+  ServiceUnavailableException,
+} from '@nestjs/common';
 import { SessionsService } from './sessions.service';
 
 @Controller('auth/sessions')
@@ -8,9 +14,18 @@ export class SessionsController {
   @Post(':sessionId/refresh')
   async refresh(@Param('sessionId') sessionId: string) {
     const response = await this.sessionsService.refresh(sessionId);
+
     if ('code' in response) {
+      // Check if it's a network error vs auth failure
+      if (response.code === 'NETWORK_ERROR') {
+        // Return 503 Service Unavailable for network issues
+        throw new ServiceUnavailableException(response.error);
+      }
+
+      // Return 401 Unauthorized for other auth failures
       throw new UnauthorizedException(response.error);
     }
+
     return response;
   }
 }

apps/api/src/auth/sessions/sessions.service.ts

@@ -2,30 +2,61 @@ import { Injectable } from '@nestjs/common';
 
 @Injectable()
 export class SessionsService {
+  private isNetworkError(error: any): boolean {
+    const networkErrorCodes = [
+      'ENOTFOUND', // DNS lookup failed
+      'ECONNREFUSED', // Connection refused
+      'ETIMEDOUT', // Connection timeout
+      'ECONNRESET', // Connection reset by peer
+      'EHOSTUNREACH', // Host unreachable
+      'ENETUNREACH', // Network unreachable
+      'ECONNABORTED', // Connection aborted
+      'EPIPE', // Broken pipe
+      'EAI_AGAIN', // DNS lookup timeout
+    ];
+
+    const errorCode = error.code || error.cause?.code;
+    return (
+      networkErrorCodes.includes(errorCode) ||
+      error.message?.includes('fetch failed') ||
+      (error.name === 'TypeError' && error.message?.includes('Failed to fetch'))
+    );
+  }
+
   async refresh(
     sessionId: string,
   ): Promise<{ access_token: string } | { code: string; error: string }> {
-    return await fetch(
-      process.env.AUTH_SERVICE_API_URL + '/auth/sessions/current/refresh',
-      {
-        method: 'POST',
-        headers: {
-          'X-Stack-Access-Type': 'server',
-          'X-Stack-Project-Id': process.env.AUTH_SERVICE_PROJECT_ID!,
-          'X-Stack-Secret-Server-Key':
-            process.env.AUTH_SERVICE_SECRET_SERVER_KEY!,
-          'X-Stack-Refresh-Token': sessionId,
+    try {
+      const response = await fetch(
+        process.env.AUTH_SERVICE_API_URL + '/auth/sessions/current/refresh',
+        {
+          method: 'POST',
+          headers: {
+            'X-Stack-Access-Type': 'server',
+            'X-Stack-Project-Id': process.env.AUTH_SERVICE_PROJECT_ID!,
+            'X-Stack-Secret-Server-Key':
+              process.env.AUTH_SERVICE_SECRET_SERVER_KEY!,
+            'X-Stack-Refresh-Token': sessionId,
+          },
         },
-      },
-    ).then(
-      (response) =>
-        response.json() as Promise<
-          | { access_token: string }
-          | {
-              code: string;
-              error: string;
-            }
-        >,
-    );
+      );
+
+      return await response.json();
+    } catch (error: any) {
+      if (this.isNetworkError(error)) {
+        // Return consistent error format for network issues
+        return {
+          code: 'NETWORK_ERROR',
+          error:
+            'Network connectivity issue - unable to reach authentication service',
+        };
+      }
+
+      // For other errors, treat as auth failure
+      return {
+        code: 'UNKNOWN_ERROR',
+        error: error.message || 'Failed to refresh token',
+      };
+    }
   }
 }

apps/api/src/auth/token/token.module.ts

@@ -1,7 +1,9 @@
 import { Module } from '@nestjs/common';
 import { TokenController } from './token.controller';
+import { AuthModule } from '../auth.module';
 
 @Module({
+  imports: [AuthModule],
   providers: [],
   controllers: [TokenController],
 })

apps/api/src/auth/users/users.module.ts

@@ -2,10 +2,11 @@ import { Module } from '@nestjs/common';
 import { UsersService } from './users.service';
 import { UsersController } from './users.controller';
 import { DbModule } from 'src/db/db.module';
+import { AuthModule } from '../auth.module';
 
 @Module({
   controllers: [UsersController],
   providers: [UsersService],
-  imports: [DbModule],
+  imports: [DbModule, AuthModule],
 })
 export class UsersModule {}