Skip to content

Ben backend auth #251

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
prooflesben merged 6 commits into from
Jan 14, 2026
Merged

Ben backend auth #251

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
4bcb548
Added guards for routes and make it so that the back to login button …
prooflesben Dec 7, 2025
b12f1f9
All the routes have guards on them
prooflesben Dec 7, 2025
3c19607
added back to login on restricted page
prooflesben Dec 8, 2025
68738ca
Changed the auth test so it passes
prooflesben Jan 13, 2026
411fcb5
added user pool to test to stop that error
prooflesben Jan 13, 2026
ef4ba1c
added mocks for the auth guard modules
prooflesben Jan 14, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
62 changes: 60 additions & 2 deletions backend/package-lock.json
View file
Open in desktop

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

3 changes: 3 additions & 0 deletions backend/package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,10 +16,12 @@
"@nestjs/jwt": "^8.0.0",
"@nestjs/passport": "^8.0.0",
"@nestjs/platform-express": "^8.4.7",
"aws-jwt-verify": "^5.1.1",
"aws-sdk": "^2.1030.0",
"aws-serverless-express": "^3.4.0",
"class-transformer": "^0.5.1",
"class-validator": "^0.14.1",
"cookie-parser": "^1.4.7",
"crypto": "^1.0.1",
"dotenv": "^16.4.5",
"jwt-decode": "^4.0.0",
Expand All @@ -32,6 +34,7 @@
"@nestjs/testing": "^8.4.7",
"@types/aws-lambda": "^8.10.149",
"@types/aws-serverless-express": "^3.3.10",
"@types/cookie-parser": "^1.4.10",
"@types/jest": "^27.0.0",
"@types/node": "^20.0.0",
"esbuild": "^0.25.2",
Expand Down
19 changes: 15 additions & 4 deletions backend/src/auth/__test__/auth.service.spec.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,15 @@ import {
} from "@nestjs/common";
import { describe, it, expect, beforeEach, vi, beforeAll } from "vitest";

vi.mock('../../auth/auth.guard', () => ({
VerifyUserGuard: vi.fn(() => ({
canActivate: vi.fn().mockResolvedValue(true),
})),
VerifyAdminRoleGuard: vi.fn(() => ({
canActivate: vi.fn().mockResolvedValue(true),
})),
}));

// Create mock functions for Cognito operations
const mockAdminCreateUser = vi.fn().mockReturnThis();
const mockAdminSetUserPassword = vi.fn().mockReturnThis();
Expand Down Expand Up @@ -166,7 +175,9 @@ describe("AuthService", () => {
const mockGet = () => ({
promise: () =>
Promise.resolve({
Item: { userId: "c4c", email: "c4c@example.com", biography: "" },
Item: { userId: "c4c",
email: "c4c@example.com",
position: "Inactive", },
}),
});

Expand All @@ -178,11 +189,11 @@ describe("AuthService", () => {
const result = await service.login("c4c", "Pass123!");

// Verify the results
expect(result.access_token).toBe("id-token");
expect(result.access_token).toBe("access-token");
expect(result.user).toEqual({
userId: "c4c",
email: "c4c@example.com",
biography: "",
position: "Inactive",
});
expect(result.message).toBe("Login Successful!");
});
Expand Down Expand Up @@ -253,7 +264,7 @@ describe("AuthService", () => {

const result = await service.login("c4c", "Pass123!");

expect(result.access_token).toBe("id-token");
expect(result.access_token).toBe("access-token");
expect(result.user).toEqual({
userId: "c4c",
email: "c4c@gmail.com",
Expand Down
22 changes: 18 additions & 4 deletions backend/src/auth/auth.controller.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,6 +1,7 @@
import { Controller, Post, Body } from '@nestjs/common';
import { Controller, Post, Body, Res } from '@nestjs/common';
import { AuthService } from './auth.service';
import { User } from '../types/User';
import { Response } from 'express';
import { UserStatus } from '../../../middle-layer/types/UserStatus';

@Controller('auth')
Expand All @@ -19,18 +20,31 @@ export class AuthController {

@Post('login')
async login(
@Res({ passthrough: true }) response: Response,
@Body('username') username: string,
@Body('password') password: string,
@Body('password') password: string,
): Promise<{
access_token?: string;
user: User;
session?: string;
challenge?: string;
requiredAttributes?: string[];
username?: string;
position?: string;
}> {
return await this.authService.login(username, password);
const result = await this.authService.login(username, password);

// Set cookie with access token
if (result.access_token) {
response.cookie('access_token', result.access_token, {
httpOnly: true, // Cannot be accessed by JavaScript (XSS protection)
secure: process.env.NODE_ENV === 'production', // Only HTTPS in production
sameSite: 'strict', // CSRF protection
maxAge: 3600000, // 1 hour in milliseconds
path: '/', // Cookie available on all routes
});
}
delete result.access_token;
return result
}

@Post('set-password')
Expand Down
76 changes: 76 additions & 0 deletions backend/src/auth/auth.guard.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,76 @@
import { Injectable, CanActivate, ExecutionContext } from "@nestjs/common";
import { Observable } from "rxjs";
import { CognitoJwtVerifier } from "aws-jwt-verify";




@Injectable()
export class VerifyUserGuard implements CanActivate {
private verifier: any;
constructor() {
const userPoolId = process.env.COGNITO_USER_POOL_ID;
if (userPoolId) {
this.verifier = CognitoJwtVerifier.create({
userPoolId,
tokenUse: "access",
clientId: process.env.COGNITO_CLIENT_ID,
});
} else {
throw new Error(
"[AUTH] USER POOL ID is not defined in environment variables"
);
}
}

async canActivate(context: ExecutionContext): Promise<boolean> {
try {
const request = context.switchToHttp().getRequest();
const accessToken = request.cookies["access_token"];
const result = await this.verifier.verify(accessToken);

return true;
} catch (error) {
console.error("Token verification failed:", error); // Debug log
return false;
}
}
}

@Injectable()
export class VerifyAdminRoleGuard implements CanActivate {
private verifier: any;
constructor() {
const userPoolId = process.env.COGNITO_USER_POOL_ID;
if (userPoolId) {
this.verifier = CognitoJwtVerifier.create({
userPoolId,
tokenUse: "access",
clientId: process.env.COGNITO_CLIENT_ID,
});
} else {
throw new Error(
"[AUTH] USER POOL ID is not defined in environment variables"
);
}
}
async canActivate(context: ExecutionContext): Promise<boolean> {
try {
const request = context.switchToHttp().getRequest();
const accessToken = request.cookies["access_token"];
const result = await this.verifier.verify(accessToken);
const groups = result['cognito:groups'] || [];
console.log("User groups from token:", groups);
if (!groups.includes('Admin')) {
console.warn("Access denied: User is not an Admin");
return false;
} else {
return true;
}

} catch (error) {
console.error("Token verification failed:", error); // Debug log
return false;
}
}
}
Loading