Merge pull request #108 from cuappdev/ashley/refactoring-user-session

Refactoring all login bugs/flow

Author: ashleynhs

ormconfig.ts

@@ -1,4 +1,4 @@
-import { SnakeNamingStrategy } from 'typeorm-naming-strategies';
+// import { SnakeNamingStrategy } from 'typeorm-naming-strategies';
 
 module.exports = {
    type: 'postgres',
@@ -11,7 +11,7 @@ module.exports = {
       'src/models/*.ts',
    ],
    synchronize: false,
-   namingStrategy: new SnakeNamingStrategy(),
+   // namingStrategy: new SnakeNamingStrategy(),
    migrations: [
       'src/migrations/*.ts',
    ],

src/api/controllers/AuthController.ts

@@ -2,16 +2,7 @@ import { Body, CurrentUser, Delete, Get, HeaderParam, JsonController, Params, Po
 
 import { UserModel } from '../../models/UserModel';
 import { AuthService } from '../../services/AuthService';
-import {
-  APIUserSession,
-  CreateUserRequest,
-  GetSessionReponse,
-  GetSessionsReponse,
-  GetUserResponse,
-  LogoutResponse,
-} from '../../types';
-import { LoginRequest } from '../validators/AuthControllerRequests';
-import { UuidParam } from '../validators/GenericRequests';
+import { FcmTokenRequest } from '../../types';
 
 @JsonController('auth/')
 export class AuthController {
@@ -21,38 +12,8 @@ export class AuthController {
     this.authService = authService;
   }
 
-  @Get()
-  async currentUser(@CurrentUser() user: UserModel): Promise<GetUserResponse> {
-    return { user: user.getUserProfile() };
-  }
-
   @Post()
-  async createUser(@Body() createUserRequest: CreateUserRequest): Promise<GetUserResponse> {
-    return { user: await this.authService.createUser(createUserRequest) };
-  }
-
-  @Post('login/')
-  async login(@Body() loginRequest: LoginRequest): Promise<APIUserSession> {
-    return (await this.authService.loginUser(loginRequest)).serializeToken();
-  }
-
-  @Post('logout/')
-  async logout(@HeaderParam("authorization") accessToken: string): Promise<LogoutResponse> {
-    return { logoutSuccess: await this.authService.deleteSessionByAccessToken(accessToken) };
-  }
-
-  @Delete('id/:id/')
-  async deleteUserById(@Params() params: UuidParam): Promise<GetUserResponse> {
-    return { user: await this.authService.deleteUserById(params) };
-  }
-
-  @Get('sessions/:id/')
-  async getSessionsByUserId(@Params() params: UuidParam): Promise<GetSessionsReponse> {
-    return { sessions: await this.authService.getSessionsByUserId(params) };
-  }
-
-  @Get('refresh/')
-  async refreshToken(@HeaderParam("authorization") refreshToken: string): Promise<GetSessionReponse> {
-    return { session: await this.authService.updateSession(refreshToken) };
+  async authorize(@CurrentUser() user: UserModel, @Body() fcmToken: FcmTokenRequest): Promise<UserModel | null> {
+    return await this.authService.authorize(user, fcmToken.token);
   }
 }

src/api/controllers/FeedbackController.ts

@@ -2,7 +2,7 @@ import { Body, Delete, Get, JsonController, Params, Post } from 'routing-control
 
 import { FeedbackService } from '../../services/FeedbackService';
 import { CreateFeedbackRequest, GetFeedbackResponse, GetFeedbacksResponse, GetSearchedFeedbackRequest } from '../../types';
-import { UuidParam } from '../validators/GenericRequests';
+import { UuidParam, FirebaseUidParam } from '../validators/GenericRequests';
 
 @JsonController('feedback/')
 export class FeedbackController {
@@ -24,7 +24,7 @@ export class FeedbackController {
   }
 
   @Get('userId/:id/')
-  async getFeedbackByUserId(@Params() params: UuidParam): Promise<GetFeedbacksResponse> {
+  async getFeedbackByUserId(@Params() params: FirebaseUidParam): Promise<GetFeedbacksResponse> {
     return { feedbacks: await this.feedbackService.getFeedbackByUserId(params) };
   }
 

src/api/controllers/NotifController.ts

@@ -13,7 +13,7 @@ export class NotifController {
 
     @Get('recent')
     async getRecentNotifications(@CurrentUser() user: UserModel) {
-      return this.notifService.getRecentNotifications(user.id);
+      return this.notifService.getRecentNotifications(user.firebaseUid);
     }
 
     @Post()

src/api/controllers/PostController.ts

@@ -14,7 +14,7 @@ import {
   GetSearchedPostsRequest,
   IsSavedPostResponse,
 } from '../../types';
-import { UuidParam } from '../validators/GenericRequests';
+import { UuidParam, FirebaseUidParam } from '../validators/GenericRequests';
 
 @JsonController('post/')
 export class PostController {
@@ -35,7 +35,7 @@ export class PostController {
   }
 
   @Get('userId/:id/')
-  async getPostsByUserId(@CurrentUser() user: UserModel, @Params() params: UuidParam): Promise<GetPostsResponse> {
+  async getPostsByUserId(@CurrentUser() user: UserModel, @Params() params: FirebaseUidParam): Promise<GetPostsResponse> {
     return { posts: await this.postService.getPostsByUserId(user, params) };
   }
 
@@ -90,7 +90,7 @@ export class PostController {
   }
 
   @Get('archive/userId/:id/')
-  async getArchivedPostsByUserId(@Params() params: UuidParam): Promise<GetPostsResponse> {
+  async getArchivedPostsByUserId(@Params() params: FirebaseUidParam): Promise<GetPostsResponse> {
     return { posts: await this.postService.getArchivedPostsByUserId(params) };
   }
 
@@ -100,7 +100,7 @@ export class PostController {
   }
 
   @Post('archiveAll/userId/:id/')
-  async archiveAllPostsByUserId(@Params() params: UuidParam): Promise<GetPostsResponse> {
+  async archiveAllPostsByUserId(@Params() params: FirebaseUidParam): Promise<GetPostsResponse> {
     return { posts: await this.postService.archiveAllPostsByUserId(params) };
   }
 

src/api/controllers/RequestController.ts

@@ -3,7 +3,7 @@ import { Body, CurrentUser, Delete, Get, JsonController, Params, Post } from 'ro
 import { UserModel } from '../../models/UserModel';
 import { RequestService } from '../../services/RequestService';
 import { CreateRequestRequest, GetPostsResponse, GetRequestResponse, GetRequestsResponse } from '../../types';
-import { TimeParam, UuidParam } from '../validators/GenericRequests';
+import { TimeParam, UuidParam, FirebaseUidParam } from '../validators/GenericRequests';
 
 @JsonController('request/')
 export class RequestController {
@@ -25,7 +25,7 @@ export class RequestController {
   }
 
   @Get('userId/:id/')
-  async getRequestsByUserId(@Params() params: UuidParam): Promise<GetRequestsResponse> {
+  async getRequestsByUserId(@Params() params: FirebaseUidParam): Promise<GetRequestsResponse> {
     return { requests: await this.requestService.getRequestByUserId(params) };
   }
 
@@ -45,7 +45,7 @@ export class RequestController {
   }
 
   @Post('archiveAll/userId/:id/')
-  async archiveAllRequestsByUserId(@Params() params: UuidParam): Promise<GetRequestsResponse> {
+  async archiveAllRequestsByUserId(@Params() params: FirebaseUidParam): Promise<GetRequestsResponse> {
     return { requests: await this.requestService.archiveAllRequestsByUserId(params) };
   }
 

src/api/controllers/UserController.ts

@@ -2,8 +2,8 @@ import { Body, CurrentUser, Get, JsonController, Param, Params, Post, Delete} fr
 
 import { UserModel } from '../../models/UserModel';
 import { UserService } from '../../services/UserService';
-import { BlockUserRequest, UnblockUserRequest, EditProfileRequest, GetUserByEmailRequest, GetUserResponse, GetUsersResponse, SaveTokenRequest, SetAdminByEmailRequest } from '../../types';
-import { UuidParam } from '../validators/GenericRequests';
+import { BlockUserRequest, UnblockUserRequest, EditProfileRequest, GetUserByEmailRequest, GetUserResponse, GetUsersResponse, CreateUserRequest, SetAdminByEmailRequest, FcmTokenRequest } from '../../types';
+import { UuidParam, FirebaseUidParam } from '../validators/GenericRequests';
 
 @JsonController('user/')
 export class UserController {
@@ -13,6 +13,11 @@ export class UserController {
     this.userService = userService;
   }
 
+  @Post('create/')
+  async createUser(@CurrentUser() user: UserModel, @Body() createUserRequest: CreateUserRequest): Promise<UserModel> {
+    return await this.userService.createUser(user, createUserRequest);
+  }
+
   @Get()
   async getUsers(@CurrentUser() user: UserModel): Promise<GetUsersResponse> {
     const users = await this.userService.getAllUsers(user);
@@ -64,13 +69,24 @@ export class UserController {
     return { users: await this.userService.getBlockedUsersById(params) };
   }
 
+  @Delete()
+  async deleteUser(@CurrentUser() user: UserModel): Promise<UserModel> {
+    return await this.userService.deleteUser(user);
+  }
+  
   @Delete('id/:id/')
-  async deleteUser(@Params() params: UuidParam, @CurrentUser() user: UserModel): Promise<GetUserResponse> {
-    return { user: await this.userService.deleteUser(user, params) };
+  async deleteUserByOtherUser(@Params() params: FirebaseUidParam, @CurrentUser() user: UserModel): Promise<GetUserResponse> {
+    return { user: await this.userService.deleteUserByOtherUser(user, params) };
   }
 
   @Post('softDelete/id/:id/')
-  async softDeleteUser(@Params() params: UuidParam): Promise<GetUserResponse> {
+  async softDeleteUser(@Params() params: FirebaseUidParam): Promise<GetUserResponse> {
     return { user: await this.userService.softDeleteUser(params) };
   }
+
+  @Post('logout/')
+  async logout(@Body() fcmToken: FcmTokenRequest): Promise<null> {
+    return await this.userService.logout(fcmToken);
+  }
+
 }

src/api/validators/GenericRequests.ts

@@ -16,4 +16,8 @@ export class TimeParam {
   @IsUUID()
   id: Uuid;
   time: Date | undefined
+}
+
+export class FirebaseUidParam {
+  id: string;
 }

src/app.ts

@@ -2,7 +2,7 @@
 import 'reflect-metadata';
 
 import dotenv from 'dotenv';
-import { createExpressServer, ForbiddenError, useContainer as routingUseContainer } from 'routing-controllers';
+import { createExpressServer, ForbiddenError, UnauthorizedError, useContainer as routingUseContainer } from 'routing-controllers';
 import { EntityManager, getManager, useContainer } from 'typeorm';
 import { Container } from 'typeorm-typedi-extensions';
 import { Express } from 'express';
@@ -12,7 +12,6 @@ import * as path from 'path';
 import { controllers } from './api/controllers';
 import { middlewares } from './api/middlewares';
 import { UserModel } from './models/UserModel';
-import { UserSessionModel } from './models/UserSessionModel';
 import { ReportPostRequest, ReportProfileRequest, ReportMessageRequest } from './types';
 import { GetReportsResponse, Report } from './types/ApiResponses';
 import { ReportController } from './api/controllers/ReportController';
@@ -21,9 +20,23 @@ import { ReportService } from './services/ReportService';
 import { ReportRepository } from './repositories/ReportRepository';
 import { reportToString } from './utils/Requests';
 import { CurrentUserChecker } from 'routing-controllers/types/CurrentUserChecker';
+import * as firebaseAdmin from 'firebase-admin';
+
 
 dotenv.config();
+var serviceAccountPath = process.env.FIREBASE_SERVICE_ACCOUNT_PATH!;
+const serviceAccount = require(serviceAccountPath);
+
 
+if (!serviceAccountPath) {
+  throw new Error('FIREBASE_SERVICE_ACCOUNT_PATH environment variable is not set.');
+}
+
+// Initialize Firebase Admin SDK
+export const admin = firebaseAdmin.initializeApp({
+  credential: firebaseAdmin.credential.cert(serviceAccount),
+  // databaseURL: "https://resell-e99a2-default-rtdb.firebaseio.com"
+});
 
 async function main() {
   routingUseContainer(Container);
@@ -40,18 +53,47 @@ async function main() {
     controllers: controllers,
     middlewares: middlewares,
     currentUserChecker: async (action: any) => {
-      const accessToken = action.request.headers["authorization"];
-      const manager = getManager();
-      // find the user who has a token in their sessions field
-      const session = await manager.findOne(UserSessionModel, { accessToken: accessToken });
-      // check if the session token has expired
-      if (session && session.expiresAt.getTime() > Date.now()) {
-        const userId = session.userId;
-        // find a user with id `userId` and join with posts, saved,
-        // sessions, feedbacks, and requests
-        return await manager.findOne(UserModel, { id: userId }, { relations: ["posts", "saved", "sessions", "feedbacks", "requests"] });
+      const authHeader = action.request.headers["authorization"];
+      if (!authHeader) {
+        throw new ForbiddenError("No authorization token provided");
+      }
+      const token = authHeader.split(' ')[1];
+      if (!token) {
+        throw new ForbiddenError("Invalid authorization token format");
+      }
+      try {
+        // Verify the token using Firebase Admin SDK
+        const decodedToken = await admin.auth().verifyIdToken(token);
+        // Check if the email is a Cornell email
+        const email = decodedToken.email;
+        const userId = decodedToken.uid;
+        if (!email || !email.endsWith('@cornell.edu')) {
+          throw new ForbiddenError('Only Cornell email addresses are allowed');
+        }
+        // Find or create user in your database using Firebase UID
+        const manager = getManager();
+        let user = await manager.findOne(UserModel, { firebaseUid: userId }, 
+          { relations: ["posts", "saved", "feedbacks", "requests"] });
+        if (!user) {
+          // Check if this is the user creation route
+          const isUserCreateRoute = action.request.path === '/api/user/create' || action.request.path === 'api/authorize';
+          if (!isUserCreateRoute) {
+            throw new ForbiddenError('User not found. Please create an account first.');
+          }
+          // For user creation routes, return a minimal UserModel
+          const tempUser = new UserModel();
+          tempUser.googleId = email;
+          tempUser.firebaseUid = decodedToken.uid;
+          tempUser.isNewUser = true; 
+          return tempUser;
+        } 
+        return user;
+      } catch (error) {
+        if (error.code === 'auth/id-token-expired') {
+          throw new UnauthorizedError('Token has expired');
+        }
+        throw new UnauthorizedError('Invalid authorization token');
       }
-      throw new ForbiddenError("User unauthorized");
     },
     defaults: {
       paramOptions: {
@@ -81,16 +123,29 @@ async function main() {
 
   app.get('/api/reports/admin/', async (req: any, res: any) => {
     const userCheck = async (action: any) => {
-      const accessToken = action.headers["authorization"];
-      const manager = getManager();
-      const session = await manager.findOne(UserSessionModel, { accessToken: accessToken });
-      if (session && session.expiresAt.getTime() > Date.now()) {
-        const userId = session.userId;
-        const user = await manager.findOne(UserModel, { id: userId }, { relations: ["posts", "saved", "sessions", "feedbacks", "requests"] });
+      const authHeader = action.request.headers["authorization"];
+      if (!authHeader) {
+        throw new ForbiddenError("No authorization token provided");
+      }
+      const token = authHeader.split(' ')[1];
+      if (!token) {
+        throw new ForbiddenError("Invalid authorization token format");
+      }
+      try {
+        // Verify the token using Firebase Admin SDK
+        const decodedToken = await admin.auth().verifyIdToken(token);
+        const userId = decodedToken.uid;
+        // Find or create user in your database using Firebase UID
+        const manager = getManager();
+        const user = await manager.findOne(UserModel, { firebaseUid: userId });
         if (!user || !user.admin) throw new ForbiddenError("User unauthorized");
         return user;
+      } catch (error) {
+        if (error.code === 'auth/id-token-expired') {
+          throw new UnauthorizedError('Token has expired');
+        }
+        throw new UnauthorizedError('Invalid authorization token');
       }
-      throw new ForbiddenError("User unauthorized");
     }
     const user = await userCheck(req);
     user.admin = true;

src/factories/NotifFactory.ts

@@ -13,7 +13,7 @@ define(NotifModel, (_, context?: { user?: UserModel; index?: number }) => {
   notif.read = false;
 
   if (context?.user) {
-    notif.userId = context.user.id;
+    notif.userId = context.user.firebaseUid;
     notif.user = context.user;
   }