tokens: Add token creation

Fix token deletion Update plantuml docs Add token validUntil and lastUsed fields Signed-off-by: Philip Molares <philip.molares@udo.edu>
2025-05-29 06:15:29 -04:00 · 2021-01-21 19:37:43 +01:00 · 2021-01-21 19:37:43 +01:00 · c9751404f7
commit c9751404f7
parent cce1626c48
9 changed files with 113 additions and 35 deletions
--- a/src/users/auth-token.dto.ts
+++ b/src/users/auth-token.dto.ts
@ -11,4 +11,8 @@ export class AuthTokenDto {
  label: string;
  @IsNumber()
  created: number;
+  @IsNumber()
+  validUntil: number | null;
+  @IsNumber()
+  lastUsed: number | null;
 }
--- a/src/users/auth-token.entity.ts
+++ b/src/users/auth-token.entity.ts
@ -4,7 +4,13 @@
 * SPDX-License-Identifier: AGPL-3.0-only
 */

-import { Column, CreateDateColumn, Entity, ManyToOne, PrimaryGeneratedColumn } from 'typeorm';
+import {
+  Column,
+  CreateDateColumn,
+  Entity,
+  ManyToOne,
+  PrimaryGeneratedColumn,
+} from 'typeorm';
 import { User } from './user.entity';

@Entity()
@ -12,6 +18,9 @@ export class AuthToken {
  @PrimaryGeneratedColumn()
  id: number;

+  @Column({ unique: true })
+  keyId: string;
+
  @ManyToOne((_) => User, (user) => user.authTokens)
  user: User;

@ -24,21 +33,32 @@ export class AuthToken {
  @Column({ unique: true })
  accessToken: string;

-  @Column({ type: 'date' })
-  validUntil: Date;
+  @Column({
+    nullable: true,
+  })
+  validUntil: number;
+
+  @Column({
+    nullable: true,
+  })
+  lastUsed: number;

  public static create(
    user: User,
    identifier: string,
+    keyId: string,
    accessToken: string,
-    validUntil: Date,
+    validUntil?: number,
  ): Pick<AuthToken, 'user' | 'accessToken'> {
    const newToken = new AuthToken();
    newToken.user = user;
    newToken.identifier = identifier;
+    newToken.keyId = keyId;
    newToken.accessToken = accessToken;
    newToken.createdAt = new Date();
-    newToken.validUntil = validUntil;
+    if (validUntil !== undefined) {
+      newToken.validUntil = validUntil;
+    }
    return newToken;
  }
 }
--- a/src/users/users.service.ts
+++ b/src/users/users.service.ts
@ -7,13 +7,13 @@
 import { Injectable } from '@nestjs/common';
 import { InjectRepository } from '@nestjs/typeorm';
 import { Repository } from 'typeorm';
-import { NotInDBError } from '../errors/errors';
+import { NotInDBError, TokenNotValid } from '../errors/errors';
 import { ConsoleLoggerService } from '../logger/console-logger.service';
 import { UserInfoDto } from './user-info.dto';
 import { User } from './user.entity';
 import { AuthToken } from './auth-token.entity';
-import { hash, compare } from 'bcrypt'
-import crypt from 'crypto';
+import { hash, compare } from 'bcrypt';
+import { randomBytes } from 'crypto';
 import { AuthTokenDto } from './auth-token.dto';
 import { AuthTokenWithSecretDto } from './auth-token-with-secret.dto';

@ -33,19 +33,36 @@ export class UsersService {
    return this.userRepository.save(user);
  }

+  randomBase64UrlString(): string {
+    // This is necessary as the is no base64url encoding in the toString method
+    // but as can be seen on https://tools.ietf.org/html/rfc4648#page-7
+    // base64url is quite easy buildable from base64
+    return randomBytes(64)
+      .toString('base64')
+      .replace('+', '-')
+      .replace('/', '_')
+      .replace(/=+$/, '');
+  }
+
  async createTokenForUser(
    userName: string,
    identifier: string,
    until: number,
  ): Promise<AuthToken> {
    const user = await this.getUserByUsername(userName);
-    const randomString = crypt.randomBytes(64).toString('base64url');
-    const accessToken = await this.hashPassword(randomString);
-    const token = AuthToken.create(user, identifier, accessToken, new Date(until));
+    const secret = this.randomBase64UrlString();
+    const keyId = this.randomBase64UrlString();
+    const accessToken = await this.hashPassword(secret);
+    let token;
+    if (until === 0) {
+      token = AuthToken.create(user, identifier, keyId, accessToken);
+    } else {
+      token = AuthToken.create(user, identifier, keyId, accessToken, until);
+    }
    const createdToken = await this.authTokenRepository.save(token);
    return {
-      accessToken: randomString,
      ...createdToken,
+      accessToken: `${keyId}.${secret}`,
    };
  }

@ -57,9 +74,10 @@ export class UsersService {
    await this.userRepository.delete(user);
  }

-  async getUserByUsername(userName: string): Promise<User> {
+  async getUserByUsername(userName: string, withTokens = false): Promise<User> {
    const user = await this.userRepository.findOne({
      where: { userName: userName },
+      relations: withTokens ? ['authTokens'] : null,
    });
    if (user === undefined) {
      throw new NotInDBError(`User with username '${userName}' not found`);
@ -69,22 +87,45 @@ export class UsersService {

  async hashPassword(cleartext: string): Promise<string> {
    // hash the password with bcrypt and 2^16 iterations
-    return hash(cleartext, 16)
+    return hash(cleartext, 16);
  }

  async checkPassword(cleartext: string, password: string): Promise<boolean> {
    // hash the password with bcrypt and 2^16 iterations
-    return compare(cleartext, password)
+    return compare(cleartext, password);
  }

-  async getUserByAuthToken(token: string): Promise<User> {
-    const hash = this.hashPassword(token);
+  async setLastUsedToken(keyId: string) {
    const accessToken = await this.authTokenRepository.findOne({
-      where: { accessToken: hash },
+      where: { keyId: keyId },
+    });
+    accessToken.lastUsed = new Date().getTime();
+    await this.authTokenRepository.save(accessToken);
+  }
+
+  async getUserByAuthToken(keyId: string, token: string): Promise<User> {
+    const accessToken = await this.authTokenRepository.findOne({
+      where: { keyId: keyId },
+      relations: ['user'],
    });
    if (accessToken === undefined) {
      throw new NotInDBError(`AuthToken '${token}' not found`);
    }
+    if (!(await this.checkPassword(token, accessToken.accessToken))) {
+      // hashes are not the same
+      throw new TokenNotValid(`AuthToken '${token}' is not valid.`);
+    }
+    if (
+      accessToken.validUntil &&
+      accessToken.validUntil < new Date().getTime()
+    ) {
+      // tokens validUntil Date lies in the past
+      throw new TokenNotValid(
+        `AuthToken '${token}' is not valid since ${new Date(
+          accessToken.validUntil,
+        )}.`,
+      );
+    }
    return this.getUserByUsername(accessToken.user.userName);
  }

@ -98,14 +139,17 @@ export class UsersService {
  }

  async getTokensByUsername(userName: string): Promise<AuthToken[]> {
-    const user = await this.getUserByUsername(userName);
+    const user = await this.getUserByUsername(userName, true);
+    if (user.authTokens === undefined) {
+      return [];
+    }
    return user.authTokens;
  }

-  async removeToken(userName: string, timestamp: number) {
+  async removeToken(userName: string, keyId: string) {
    const user = await this.getUserByUsername(userName);
    const token = await this.authTokenRepository.findOne({
-      where: { createdAt: new Date(timestamp), user: user },
+      where: { keyId: keyId, user: user },
    });
    await this.authTokenRepository.remove(token);
  }
@ -118,19 +162,17 @@ export class UsersService {
    return {
      label: authToken.identifier,
      created: authToken.createdAt.getTime(),
+      validUntil: authToken.validUntil,
+      lastUsed: authToken.lastUsed,
    };
  }

  toAuthTokenWithSecretDto(
    authToken: AuthToken | null | undefined,
  ): AuthTokenWithSecretDto | null {
-    if (!authToken) {
-      this.logger.warn(`Recieved ${authToken} argument!`, 'toAuthTokenDto');
-      return null;
-    }
+    const tokeDto = this.toAuthTokenDto(authToken)
    return {
-      label: authToken.identifier,
-      created: authToken.createdAt.getTime(),
+      ...tokeDto,
      secret: authToken.accessToken,
    };
  }