auth: adds token-auth to public api

adds auth service
adds auth module
adds token-auth strategy
adds token-auth to all public api calls

Signed-off-by: Philip Molares <philip.molares@udo.edu>

src/api/public/me/me.controller.ts

@@ -13,6 +13,8 @@ import {
   NotFoundException,
   Param,
   Put,
+  UseGuards,
+  Request,
 } from '@nestjs/common';
 import { HistoryEntryUpdateDto } from '../../../history/history-entry-update.dto';
 import { HistoryEntryDto } from '../../../history/history-entry.dto';
@@ -22,6 +24,7 @@ import { NoteMetadataDto } from '../../../notes/note-metadata.dto';
 import { NotesService } from '../../../notes/notes.service';
 import { UserInfoDto } from '../../../users/user-info.dto';
 import { UsersService } from '../../../users/users.service';
+import { TokenAuthGuard } from '../../../auth/token-auth.guard';
 
 @Controller('me')
 export class MeController {
@@ -34,29 +37,36 @@ export class MeController {
     this.logger.setContext(MeController.name);
   }
 
+  @UseGuards(TokenAuthGuard)
   @Get()
-  async getMe(): Promise<UserInfoDto> {
+  async getMe(@Request() req): Promise<UserInfoDto> {
     return this.usersService.toUserDto(
-      await this.usersService.getUserByUsername('hardcoded'),
+      await this.usersService.getUserByUsername(req.user.userName),
     );
   }
 
+  @UseGuards(TokenAuthGuard)
   @Get('history')
-  getUserHistory(): HistoryEntryDto[] {
-    return this.historyService.getUserHistory('someone');
+  getUserHistory(@Request() req): HistoryEntryDto[] {
+    return this.historyService.getUserHistory(req.user.userName);
   }
 
+  @UseGuards(TokenAuthGuard)
   @Put('history/:note')
   updateHistoryEntry(
+    @Request() req,
     @Param('note') note: string,
     @Body() entryUpdateDto: HistoryEntryUpdateDto,
   ): HistoryEntryDto {
+    // ToDo: Check if user is allowed to pin this history entry
     return this.historyService.updateHistoryEntry(note, entryUpdateDto);
   }
 
+  @UseGuards(TokenAuthGuard)
   @Delete('history/:note')
   @HttpCode(204)
-  deleteHistoryEntry(@Param('note') note: string) {
+  deleteHistoryEntry(@Request() req, @Param('note') note: string) {
+    // ToDo: Check if user is allowed to delete note
     try {
       return this.historyService.deleteHistoryEntry(note);
     } catch (e) {
@@ -64,8 +74,9 @@ export class MeController {
     }
   }
 
+  @UseGuards(TokenAuthGuard)
   @Get('notes')
-  getMyNotes(): NoteMetadataDto[] {
-    return this.notesService.getUserNotes('someone');
+  getMyNotes(@Request() req): NoteMetadataDto[] {
+    return this.notesService.getUserNotes(req.user.userName);
   }
 }

src/api/public/media/media.controller.ts

@@ -12,8 +12,10 @@ import {
   NotFoundException,
   Param,
   Post,
+  Request,
   UnauthorizedException,
   UploadedFile,
+  UseGuards,
   UseInterceptors,
 } from '@nestjs/common';
 import { FileInterceptor } from '@nestjs/platform-express';
@@ -25,6 +27,7 @@ import {
 import { ConsoleLoggerService } from '../../../logger/console-logger.service';
 import { MediaService } from '../../../media/media.service';
 import { MulterFile } from '../../../media/multer-file.interface';
+import { TokenAuthGuard } from '../../../auth/token-auth.guard';
 
 @Controller('media')
 export class MediaController {
@@ -35,14 +38,16 @@ export class MediaController {
     this.logger.setContext(MediaController.name);
   }
 
+  @UseGuards(TokenAuthGuard)
   @Post()
   @UseInterceptors(FileInterceptor('file'))
   async uploadMedia(
+    @Request() req,
     @UploadedFile() file: MulterFile,
     @Headers('HedgeDoc-Note') noteId: string,
   ) {
     //TODO: Get user from request
-    const username = 'hardcoded';
+    const username = req.user.userName;
     this.logger.debug(
       `Recieved filename '${file.originalname}' for note '${noteId}' from user '${username}'`,
       'uploadImage',
@@ -64,10 +69,11 @@ export class MediaController {
     }
   }
 
+  @UseGuards(TokenAuthGuard)
   @Delete(':filename')
-  async deleteMedia(@Param('filename') filename: string) {
+  async deleteMedia(@Request() req, @Param('filename') filename: string) {
     //TODO: Get user from request
-    const username = 'hardcoded';
+    const username = req.user.userName;
     try {
       await this.mediaService.deleteFile(filename, username);
     } catch (e) {

src/api/public/monitoring/monitoring.controller.ts

@@ -4,18 +4,21 @@
  * SPDX-License-Identifier: AGPL-3.0-only
  */
 
-import { Controller, Get } from '@nestjs/common';
+import { Controller, Get, UseGuards } from '@nestjs/common';
 import { MonitoringService } from '../../../monitoring/monitoring.service';
+import { TokenAuthGuard } from '../../../auth/token-auth.guard';
 
 @Controller('monitoring')
 export class MonitoringController {
   constructor(private monitoringService: MonitoringService) {}
 
+  @UseGuards(TokenAuthGuard)
   @Get()
   getStatus() {
     return this.monitoringService.getServerStatus();
   }
 
+  @UseGuards(TokenAuthGuard)
   @Get('prometheus')
   getPrometheusStatus() {
     return '';

src/api/public/notes/notes.controller.ts

@@ -14,6 +14,8 @@ import {
   Param,
   Post,
   Put,
+  Request,
+  UseGuards,
 } from '@nestjs/common';
 import { NotInDBError } from '../../../errors/errors';
 import { ConsoleLoggerService } from '../../../logger/console-logger.service';
@@ -21,6 +23,7 @@ import { NotePermissionsUpdateDto } from '../../../notes/note-permissions.dto';
 import { NotesService } from '../../../notes/notes.service';
 import { RevisionsService } from '../../../revisions/revisions.service';
 import { MarkdownBody } from '../../utils/markdownbody-decorator';
+import { TokenAuthGuard } from '../../../auth/token-auth.guard';
 
 @Controller('notes')
 export class NotesController {
@@ -32,14 +35,18 @@ export class NotesController {
     this.logger.setContext(NotesController.name);
   }
 
+  @UseGuards(TokenAuthGuard)
   @Post()
-  async createNote(@MarkdownBody() text: string) {
+  async createNote(@Request() req, @MarkdownBody() text: string) {
+    // ToDo: provide user for createNoteDto
     this.logger.debug('Got raw markdown:\n' + text);
     return this.noteService.createNoteDto(text);
   }
 
+  @UseGuards(TokenAuthGuard)
   @Get(':noteIdOrAlias')
-  async getNote(@Param('noteIdOrAlias') noteIdOrAlias: string) {
+  async getNote(@Request() req, @Param('noteIdOrAlias') noteIdOrAlias: string) {
+    // ToDo: check if user is allowed to view this note
     try {
       return await this.noteService.getNoteDtoByIdOrAlias(noteIdOrAlias);
     } catch (e) {
@@ -50,17 +57,25 @@ export class NotesController {
     }
   }
 
+  @UseGuards(TokenAuthGuard)
   @Post(':noteAlias')
   async createNamedNote(
+    @Request() req,
     @Param('noteAlias') noteAlias: string,
     @MarkdownBody() text: string,
   ) {
+    // ToDo: check if user is allowed to view this note
     this.logger.debug('Got raw markdown:\n' + text);
     return this.noteService.createNoteDto(text, noteAlias);
   }
 
+  @UseGuards(TokenAuthGuard)
   @Delete(':noteIdOrAlias')
-  async deleteNote(@Param('noteIdOrAlias') noteIdOrAlias: string) {
+  async deleteNote(
+    @Request() req,
+    @Param('noteIdOrAlias') noteIdOrAlias: string,
+  ) {
+    // ToDo: check if user is allowed to delete this note
     this.logger.debug('Deleting note: ' + noteIdOrAlias);
     try {
       await this.noteService.deleteNoteByIdOrAlias(noteIdOrAlias);
@@ -74,11 +89,14 @@ export class NotesController {
     return;
   }
 
+  @UseGuards(TokenAuthGuard)
   @Put(':noteIdOrAlias')
   async updateNote(
+    @Request() req,
     @Param('noteIdOrAlias') noteIdOrAlias: string,
     @MarkdownBody() text: string,
   ) {
+    // ToDo: check if user is allowed to change this note
     this.logger.debug('Got raw markdown:\n' + text);
     try {
       return await this.noteService.updateNoteByIdOrAlias(noteIdOrAlias, text);
@@ -90,9 +108,14 @@ export class NotesController {
     }
   }
 
+  @UseGuards(TokenAuthGuard)
   @Get(':noteIdOrAlias/content')
   @Header('content-type', 'text/markdown')
-  async getNoteContent(@Param('noteIdOrAlias') noteIdOrAlias: string) {
+  async getNoteContent(
+    @Request() req,
+    @Param('noteIdOrAlias') noteIdOrAlias: string,
+  ) {
+    // ToDo: check if user is allowed to view this notes content
     try {
       return await this.noteService.getNoteContent(noteIdOrAlias);
     } catch (e) {
@@ -103,8 +126,13 @@ export class NotesController {
     }
   }
 
+  @UseGuards(TokenAuthGuard)
   @Get(':noteIdOrAlias/metadata')
-  async getNoteMetadata(@Param('noteIdOrAlias') noteIdOrAlias: string) {
+  async getNoteMetadata(
+    @Request() req,
+    @Param('noteIdOrAlias') noteIdOrAlias: string,
+  ) {
+    // ToDo: check if user is allowed to view this notes metadata
     try {
       return await this.noteService.getNoteMetadata(noteIdOrAlias);
     } catch (e) {
@@ -115,11 +143,14 @@ export class NotesController {
     }
   }
 
+  @UseGuards(TokenAuthGuard)
   @Put(':noteIdOrAlias/metadata/permissions')
   async updateNotePermissions(
+    @Request() req,
     @Param('noteIdOrAlias') noteIdOrAlias: string,
     @Body() updateDto: NotePermissionsUpdateDto,
   ) {
+    // ToDo: check if user is allowed to view this notes permissions
     try {
       return await this.noteService.updateNotePermissions(
         noteIdOrAlias,
@@ -133,8 +164,13 @@ export class NotesController {
     }
   }
 
+  @UseGuards(TokenAuthGuard)
   @Get(':noteIdOrAlias/revisions')
-  async getNoteRevisions(@Param('noteIdOrAlias') noteIdOrAlias: string) {
+  async getNoteRevisions(
+    @Request() req,
+    @Param('noteIdOrAlias') noteIdOrAlias: string,
+  ) {
+    // ToDo: check if user is allowed to view this notes revisions
     try {
       return await this.revisionsService.getNoteRevisionMetadatas(
         noteIdOrAlias,
@@ -147,11 +183,14 @@ export class NotesController {
     }
   }
 
+  @UseGuards(TokenAuthGuard)
   @Get(':noteIdOrAlias/revisions/:revisionId')
   async getNoteRevision(
+    @Request() req,
     @Param('noteIdOrAlias') noteIdOrAlias: string,
     @Param('revisionId') revisionId: number,
   ) {
+    // ToDo: check if user is allowed to view this notes revision
     try {
       return await this.revisionsService.getNoteRevision(
         noteIdOrAlias,