Guards first pass

apps/server/prisma/seed.ts

@@ -107,7 +107,7 @@ const employees: EmployeeData[] = [
     email: '[email protected]',
     positionId: CHIEF_FIN_OFFICER_UUID,
     signatureLink: DEV_SIGNATURE_LINK,
-    scope: EmployeeScope.BASE_USER,
+    scope: EmployeeScope.ADMIN,
   },
   {
     id: ANGELA_WEIGL_UUID,

apps/server/src/app.controller.ts

@@ -47,8 +47,8 @@ export class AppController {
     return this.appService.getHello();
   }
 
-  @UseGuards(LocalAuthGuard)
   @Post('/auth/login')
+  @UseGuards(LocalAuthGuard)
   @ApiCreatedResponse({ type: JwtEntity })
   @ApiForbiddenResponse({ description: AppErrorMessage.FORBIDDEN })
   @ApiUnprocessableEntityResponse({
@@ -80,8 +80,8 @@ export class AppController {
     return tokens;
   }
 
-  @UseGuards(JwtRefreshAuthGuard)
   @Get('/auth/refresh')
+  @UseGuards(JwtRefreshAuthGuard)
   @ApiBearerAuth()
   @ApiOkResponse({ type: JwtEntity })
   @ApiForbiddenResponse({ description: AppErrorMessage.FORBIDDEN })

apps/server/src/auth/auth.service.spec.ts

@@ -114,6 +114,16 @@ describe('AuthService', () => {
       const result = await service.validateEmployee(email, password);
       expect(result).toBeNull();
     });
+
+    it('should return null on an invalid admin credential', async () => {
+      jest.spyOn(employeeService, 'findOneByEmail').mockResolvedValue(employee);
+
+      const result = await service.validateEmployeeScope(
+        email,
+        EmployeeScope.ADMIN,
+      );
+      expect(result).toBeNull();
+    });
   });
 
   describe('login', () => {

apps/server/src/auth/auth.service.ts

@@ -6,7 +6,7 @@ import { EmployeeEntity } from '../employees/entities/employee.entity';
 import { CreateEmployeeDto } from '../employees/dto/create-employee.dto';
 import { DepartmentsService } from '../departments/departments.service';
 import { PositionsService } from '../positions/positions.service';
-import { Department, Position } from '@prisma/client';
+import { Department, EmployeeScope, Position } from '@prisma/client';
 
 @Injectable()
 export class AuthService {
@@ -37,6 +37,22 @@ export class AuthService {
     return new EmployeeEntity(result);
   }
 
+  /**
+   * Validate if employee has specified scope.
+   * @param email employee email
+   * @returns validated employee or null
+   */
+  async validateEmployeeScope(
+    email: string,
+    scope: EmployeeScope,
+  ): Promise<EmployeeEntity | null> {
+    const user = await this.employeesService.findOneByEmail(email);
+    if (user.scope == scope) {
+      return user;
+    }
+    return null;
+  }
+
   /**
    * Authenticate a user.
    * @param request the incoming request

apps/server/src/auth/strategies/jwt.strategy.ts

@@ -18,6 +18,6 @@ export class JwtStrategy extends PassportStrategy(Strategy) {
   }
 
   async validate(payload: any) {
-    return { id: payload.sub, email: payload.email };
+    return { id: payload.sub, email: payload.email, scope: payload.scope };
   }
 }

apps/server/src/departments/departments.controller.ts

@@ -8,6 +8,7 @@ import {
   Delete,
   NotFoundException,
   Query,
+  UseGuards,
   ValidationPipe,
 } from '@nestjs/common';
 import { DepartmentsService } from './departments.service';
@@ -27,6 +28,8 @@ import { Prisma } from '@prisma/client';
 import { AppErrorMessage } from '../app.errors';
 import { DepartmentsErrorMessage } from './departments.errors';
 import { LoggerServiceImpl } from '../logger/logger.service';
+import { AdminAuthGuard } from '../auth/guards/admin-auth.guard';
+import { JwtAuthGuard } from '../auth/guards/jwt-auth.guard';
 
 @ApiTags('departments')
 @Controller('departments')
@@ -37,6 +40,7 @@ export class DepartmentsController {
   ) {}
 
   @Post()
+  @UseGuards(AdminAuthGuard)
   @ApiCreatedResponse({ type: DepartmentEntity })
   @ApiForbiddenResponse({ description: AppErrorMessage.FORBIDDEN })
   @ApiUnprocessableEntityResponse({
@@ -54,6 +58,7 @@ export class DepartmentsController {
   }
 
   @Get()
+  @UseGuards(JwtAuthGuard)
   @ApiOkResponse({ type: [DepartmentEntity] })
   @ApiForbiddenResponse({ description: AppErrorMessage.FORBIDDEN })
   @ApiBadRequestResponse({ description: AppErrorMessage.UNPROCESSABLE_ENTITY })
@@ -63,6 +68,7 @@ export class DepartmentsController {
   }
 
   @Get(':id')
+  @UseGuards(JwtAuthGuard)
   @ApiOkResponse({ type: DepartmentEntity })
   @ApiForbiddenResponse({ description: AppErrorMessage.FORBIDDEN })
   @ApiNotFoundResponse({ description: AppErrorMessage.NOT_FOUND })
@@ -81,6 +87,7 @@ export class DepartmentsController {
   }
 
   @Get('name/:name')
+  @UseGuards(JwtAuthGuard)
   @ApiOkResponse({ type: DepartmentEntity })
   @ApiForbiddenResponse({ description: AppErrorMessage.FORBIDDEN })
   @ApiNotFoundResponse({ description: AppErrorMessage.NOT_FOUND })
@@ -99,6 +106,7 @@ export class DepartmentsController {
   }
 
   @Patch(':id')
+  @UseGuards(AdminAuthGuard)
   @ApiOkResponse({ type: DepartmentEntity })
   @ApiForbiddenResponse({ description: AppErrorMessage.FORBIDDEN })
   @ApiNotFoundResponse({ description: AppErrorMessage.NOT_FOUND })
@@ -133,6 +141,7 @@ export class DepartmentsController {
   }
 
   @Delete(':id')
+  @UseGuards(AdminAuthGuard)
   @ApiOkResponse()
   @ApiForbiddenResponse({ description: AppErrorMessage.FORBIDDEN })
   @ApiNotFoundResponse({ description: AppErrorMessage.NOT_FOUND })

apps/server/src/employees/employees.controller.ts

@@ -33,6 +33,7 @@ import { AuthUser } from '../auth/auth.decorators';
 import { UserEntity } from '../auth/entities/user.entity';
 import { JwtAuthGuard } from '../auth/guards/jwt-auth.guard';
 import { LoggerServiceImpl } from '../logger/logger.service';
+import { AdminAuthGuard } from '../auth/guards/admin-auth.guard';
 
 @ApiTags('employees')
 @Controller('employees')
@@ -43,6 +44,7 @@ export class EmployeesController {
   ) {}
 
   @Post()
+  @UseGuards(AdminAuthGuard)
   @ApiBearerAuth()
   @ApiCreatedResponse({ type: EmployeeEntity })
   @ApiForbiddenResponse({ description: AppErrorMessage.FORBIDDEN })
@@ -60,6 +62,7 @@ export class EmployeesController {
   }
 
   @Get()
+  @UseGuards(JwtAuthGuard)
   @ApiOkResponse({ type: [EmployeeEntity] })
   @ApiForbiddenResponse({ description: AppErrorMessage.FORBIDDEN })
   @ApiBadRequestResponse({ description: AppErrorMessage.UNPROCESSABLE_ENTITY })
@@ -75,9 +78,9 @@ export class EmployeesController {
     return employees.map((employee) => new EmployeeEntity(employee));
   }
 
-  @UseGuards(JwtAuthGuard)
   @Get('me')
   @ApiBearerAuth()
+  @UseGuards(JwtAuthGuard)
   @ApiOkResponse({ type: EmployeeEntity })
   @ApiForbiddenResponse({ description: AppErrorMessage.FORBIDDEN })
   @ApiBadRequestResponse({ description: AppErrorMessage.UNPROCESSABLE_ENTITY })
@@ -87,12 +90,12 @@ export class EmployeesController {
   }
 
   @Get(':id')
+  @UseGuards(JwtAuthGuard)
   @ApiOkResponse({ type: EmployeeEntity })
   @ApiForbiddenResponse({ description: AppErrorMessage.FORBIDDEN })
   @ApiNotFoundResponse({ description: AppErrorMessage.NOT_FOUND })
   @ApiBadRequestResponse({ description: AppErrorMessage.UNPROCESSABLE_ENTITY })
   async findOne(@Param('id') id: string) {
-    // TODO: Auth
     const employee = await this.employeesService.findOne(id);
     if (employee == null) {
       this.loggerService.error(EmployeeErrorMessage.EMPLOYEE_NOT_FOUND);
@@ -104,6 +107,7 @@ export class EmployeesController {
   }
 
   @Patch(':id')
+  @UseGuards(AdminAuthGuard)
   @ApiOkResponse({ type: EmployeeEntity })
   @ApiForbiddenResponse({ description: AppErrorMessage.FORBIDDEN })
   @ApiNotFoundResponse({ description: AppErrorMessage.NOT_FOUND })
@@ -116,7 +120,6 @@ export class EmployeesController {
     @Body(new ValidationPipe({ transform: true }))
     updateEmployeeDto: UpdateEmployeeDto,
   ) {
-    // TODO: Auth
     try {
       const updatedEmployee = await this.employeesService.update(
         id,
@@ -137,12 +140,12 @@ export class EmployeesController {
   }
 
   @Delete(':id')
+  @UseGuards(AdminAuthGuard)
   @ApiOkResponse()
   @ApiForbiddenResponse({ description: AppErrorMessage.FORBIDDEN })
   @ApiNotFoundResponse({ description: AppErrorMessage.NOT_FOUND })
   @ApiBadRequestResponse({ description: AppErrorMessage.UNPROCESSABLE_ENTITY })
   async remove(@Param('id') id: string) {
-    // TODO: Auth
     try {
       await this.employeesService.remove(id);
     } catch (e) {

apps/server/src/form-instances/form-instances.controller.ts

@@ -33,6 +33,7 @@ import { JwtAuthGuard } from '../auth/guards/jwt-auth.guard';
 import { AuthUser } from '../auth/auth.decorators';
 import { UserEntity } from '../auth/entities/user.entity';
 import { LoggerServiceImpl } from '../logger/logger.service';
+import { AdminAuthGuard } from '../auth/guards/admin-auth.guard';
 
 @ApiTags('form-instances')
 @Controller('form-instances')
@@ -43,6 +44,7 @@ export class FormInstancesController {
   ) {}
 
   @Post()
+  @UseGuards(JwtAuthGuard)
   @ApiCreatedResponse({ type: FormInstanceEntity })
   @ApiForbiddenResponse({ description: AppErrorMessage.FORBIDDEN })
   @ApiUnprocessableEntityResponse({
@@ -59,13 +61,14 @@ export class FormInstancesController {
   }
 
   @Get()
+  @UseGuards(AdminAuthGuard)
   @ApiOkResponse({ type: [FormInstanceEntity] })
   @ApiForbiddenResponse({ description: AppErrorMessage.FORBIDDEN })
   @ApiBadRequestResponse({ description: AppErrorMessage.UNPROCESSABLE_ENTITY })
   @ApiQuery({
     name: 'limit',
     type: Number,
-    description: 'Limit on number of positions to return',
+    description: 'Limit on number of form instances to return',
     required: false,
   })
   async findAll(@Query('limit') limit?: number) {
@@ -75,8 +78,8 @@ export class FormInstancesController {
     );
   }
 
-  @UseGuards(JwtAuthGuard)
   @Get('me')
+  @UseGuards(JwtAuthGuard)
   @ApiBearerAuth()
   @ApiOkResponse({ type: [FormInstanceEntity] })
   @ApiForbiddenResponse({ description: AppErrorMessage.FORBIDDEN })
@@ -90,8 +93,8 @@ export class FormInstancesController {
     );
   }
 
-  @UseGuards(JwtAuthGuard)
   @Get('created/me')
+  @UseGuards(JwtAuthGuard)
   @ApiBearerAuth()
   @ApiOkResponse({ type: [FormInstanceEntity] })
   @ApiForbiddenResponse({ description: AppErrorMessage.FORBIDDEN })
@@ -106,6 +109,7 @@ export class FormInstancesController {
   }
 
   @Get(':id')
+  @UseGuards(JwtAuthGuard)
   @ApiOkResponse({ type: FormInstanceEntity })
   @ApiForbiddenResponse({ description: AppErrorMessage.FORBIDDEN })
   @ApiNotFoundResponse({ description: AppErrorMessage.NOT_FOUND })
@@ -126,6 +130,7 @@ export class FormInstancesController {
   }
 
   @Patch(':id')
+  @UseGuards(JwtAuthGuard)
   @ApiOkResponse({ type: FormInstanceEntity })
   @ApiForbiddenResponse({ description: AppErrorMessage.FORBIDDEN })
   @ApiNotFoundResponse({ description: AppErrorMessage.NOT_FOUND })
@@ -138,6 +143,7 @@ export class FormInstancesController {
     @Body(new ValidationPipe({ transform: true }))
     updateFormInstanceDto: UpdateFormInstanceDto,
   ) {
+    // TODO: Who is alloed to update a form instance? Creator? Admin? etc?
     try {
       const updatedFormInstance = await this.formInstancesService.update(
         id,
@@ -160,11 +166,13 @@ export class FormInstancesController {
   }
 
   @Delete(':id')
+  @UseGuards(JwtAuthGuard)
   @ApiOkResponse()
   @ApiForbiddenResponse({ description: AppErrorMessage.FORBIDDEN })
   @ApiNotFoundResponse({ description: AppErrorMessage.NOT_FOUND })
   @ApiBadRequestResponse({ description: AppErrorMessage.UNPROCESSABLE_ENTITY })
   async remove(@Param('id') id: string) {
+    // TODO: Who is alloed to update a form instance? Creator? Admin? etc?
     try {
       await this.formInstancesService.remove(id);
     } catch (e) {
@@ -182,8 +190,8 @@ export class FormInstancesController {
     }
   }
 
-  @UseGuards(JwtAuthGuard)
   @Patch(':formInstanceId/sign/:signatureId')
+  @UseGuards(JwtAuthGuard)
   @ApiOkResponse({ type: FormInstanceEntity })
   @ApiForbiddenResponse({ description: AppErrorMessage.FORBIDDEN })
   @ApiNotFoundResponse({ description: AppErrorMessage.NOT_FOUND })
@@ -218,8 +226,8 @@ export class FormInstancesController {
     }
   }
 
-  @UseGuards(JwtAuthGuard)
   @Patch(':formInstanceId/complete')
+  @UseGuards(JwtAuthGuard)
   @ApiBearerAuth()
   @ApiOkResponse({ type: FormInstanceEntity })
   @ApiForbiddenResponse({ description: AppErrorMessage.FORBIDDEN })