Merge pull request #142 from import-ai/feature/cookie_auth

Feature/cookie auth

Author: LucienShui

src/attachments/attachments.controller.ts

@@ -16,9 +16,8 @@ import { FilesInterceptor } from '@nestjs/platform-express';
 import { AttachmentsService } from 'omniboxd/attachments/attachments.service';
 import { Request, Response } from 'express';
 import { UserId } from 'omniboxd/decorators/user-id.decorator';
-import { Public } from 'omniboxd/auth/decorators/public.auth.decorator';
-import { Cookies } from 'omniboxd/decorators/cookie.decorators';
 import { AuthService } from 'omniboxd/auth/auth.service';
+import { CookieAuth } from 'omniboxd/auth';
 
 @Controller('api/v1/attachments')
 export class AttachmentsController {
@@ -62,65 +61,47 @@ export class AttachmentsController {
     );
   }
 
-  @Public()
+  setRedirect(req: Request, res: Response) {
+    res
+      .setHeader('Cache-Control', 'no-cache, no-store, must-revalidate')
+      .status(HttpStatus.FOUND)
+      .redirect(`/user/login?redirect=${encodeURIComponent(req.url)}`);
+  }
+
+  @CookieAuth({ onAuthFail: 'continue' })
   @Get('images/:attachmentId')
   async displayImage(
+    @UserId({ optional: true }) userId: string | undefined,
     @Req() req: Request,
     @Res() res: Response,
-    @Cookies('token') token: string,
     @Param('attachmentId') attachmentId: string,
   ) {
-    let userId = '';
-
-    if (token) {
-      const payload = this.authService.jwtVerify(token);
-      if (payload && payload.sub) {
-        userId = payload.sub;
-      }
-    }
-
-    this.logger.debug({ userId, token, cookies: req.cookies });
     if (userId) {
-      return await this.attachmentsService.displayImage(
+      return await this.attachmentsService.displayMedia(
         attachmentId,
         userId,
         res,
       );
     }
-    res
-      .setHeader('Cache-Control', 'no-cache, no-store, must-revalidate')
-      .status(HttpStatus.FOUND)
-      .redirect(`/user/login?redirect=${encodeURIComponent(req.url)}`);
+    this.setRedirect(req, res);
   }
 
-  @Public()
+  @CookieAuth({ onAuthFail: 'continue' })
   @Get('media/:attachmentId')
   async displayMedia(
+    @UserId({ optional: true }) userId: string | undefined,
     @Req() req: Request,
     @Res() res: Response,
-    @Cookies('token') token: string,
     @Param('attachmentId') attachmentId: string,
   ) {
-    let userId = '';
-
-    if (token) {
-      const payload = this.authService.jwtVerify(token);
-      if (payload && payload.sub) {
-        userId = payload.sub;
-      }
-    }
-
     if (userId) {
       return await this.attachmentsService.displayMedia(
         attachmentId,
         userId,
         res,
       );
     }
-    res
-      .setHeader('Cache-Control', 'no-cache, no-store, must-revalidate')
-      .status(HttpStatus.FOUND)
-      .redirect(`/user/login?redirect=${encodeURIComponent(req.url)}`);
+    this.setRedirect(req, res);
   }
 
   @Delete(':attachmentId')

src/attachments/attachments.e2e-spec.ts

@@ -339,7 +339,7 @@ describe('AttachmentsController (e2e)', () => {
   describe('GET /api/v1/attachments/media/:attachmentId (Public)', () => {
     let mediaAttachmentId: string;
     const mediaContent = Buffer.from('fake-media-content');
-    const mediaFilename = 'test-media.mp4';
+    const mediaFilename = 'test-media.mp3';
 
     beforeAll(async () => {
       // Upload a media file to test display

src/attachments/attachments.service.ts

@@ -162,6 +162,15 @@ export class AttachmentsService {
     return { id: attachmentId, success: true };
   }
 
+  isMedia(mimetype: string): boolean {
+    for (const type of ['image/', 'audio/']) {
+      if (mimetype.startsWith(type)) {
+        return true;
+      }
+    }
+    return false;
+  }
+
   async displayMedia(
     attachmentId: string,
     userId: string,
@@ -179,33 +188,11 @@ export class AttachmentsService {
       ResourcePermission.CAN_VIEW,
     );
     await this.checkAttachment(namespaceId, resourceId, attachmentId);
+    if (!this.isMedia(objectResponse.mimetype)) {
+      throw new BadRequestException(attachmentId);
+    }
     return objectStreamResponse(objectResponse, httpResponse, {
       forceDownload: false,
     });
   }
-
-  async displayImage(
-    attachmentId: string,
-    userId: string,
-    httpResponse: Response,
-  ) {
-    const objectResponse = await this.minioService.get(
-      this.minioPath(attachmentId),
-    );
-    const { namespaceId, resourceId } = objectResponse.metadata;
-
-    await this.checkPermission(
-      namespaceId,
-      resourceId,
-      userId,
-      ResourcePermission.CAN_VIEW,
-    );
-    await this.checkAttachment(namespaceId, resourceId, attachmentId);
-    if (objectResponse.mimetype.startsWith('image/')) {
-      return objectStreamResponse(objectResponse, httpResponse, {
-        forceDownload: false,
-      });
-    }
-    throw new BadRequestException(attachmentId);
-  }
 }

src/auth/auth.module.ts

@@ -2,6 +2,7 @@ import { Module } from '@nestjs/common';
 import { JwtModule } from '@nestjs/jwt';
 import { APP_GUARD } from '@nestjs/core';
 import { PassportModule } from '@nestjs/passport';
+
 import { MailModule } from 'omniboxd/mail/mail.module';
 import { UserModule } from 'omniboxd/user/user.module';
 import { AuthService } from 'omniboxd/auth/auth.service';
@@ -18,6 +19,7 @@ import { WechatService } from 'omniboxd/auth/wechat.service';
 import { WechatController } from 'omniboxd/auth/wechat.controller';
 import { APIKeyModule } from 'omniboxd/api-key/api-key.module';
 import { APIKeyAuthGuard } from 'omniboxd/auth/api-key/api-key-auth.guard';
+import { CookieAuthGuard } from 'omniboxd/auth/cookie/cookie-auth.guard';
 
 @Module({
   exports: [AuthService, WechatService],
@@ -35,6 +37,10 @@ import { APIKeyAuthGuard } from 'omniboxd/auth/api-key/api-key-auth.guard';
       provide: APP_GUARD,
       useClass: APIKeyAuthGuard,
     },
+    {
+      provide: APP_GUARD,
+      useClass: CookieAuthGuard,
+    },
   ],
   imports: [
     UserModule,
@@ -44,6 +50,7 @@ import { APIKeyAuthGuard } from 'omniboxd/auth/api-key/api-key-auth.guard';
     GroupsModule,
     PermissionsModule,
     APIKeyModule,
+
     JwtModule.registerAsync({
       imports: [ConfigModule],
       inject: [ConfigService],

src/auth/cookie/README.md

@@ -0,0 +1,58 @@
+# Cookie Authentication
+
+Cookie-based authentication for protecting endpoints with JWT token cookies.
+
+## Usage
+
+### Basic Usage
+
+```typescript
+import { Controller, Get } from '@nestjs/common';
+import { CookieAuth } from 'omniboxd/auth/decorators';
+import { UserId } from 'omniboxd/decorators/user-id.decorator';
+
+@Controller('api/v1/protected')
+export class ProtectedController {
+  @Get('data')
+  @CookieAuth()
+  getProtectedData(@UserId() userId: string) {
+    return { message: 'Authenticated user', userId };
+  }
+}
+```
+
+### Authentication Options
+
+```typescript
+// Strict authentication (default) - throws UnauthorizedException on failure
+@CookieAuth()
+
+// Continue without authentication on failure
+@CookieAuth({ onAuthFail: 'continue' })
+```
+
+## Authentication Flow
+
+1. Client sends request with `token` cookie containing a JWT
+2. `CookieAuthGuard` validates the JWT token using `AuthService.jwtVerify()`
+3. User data is extracted from JWT payload and set on `request.user`
+4. Controller methods access user data via `@UserId()` decorator
+
+## Requirements
+
+- **Cookie Name**: `token`
+- **Token Format**: Valid JWT with `sub` field (user ID)
+- **Optional Fields**: `email`, `username`
+
+## Error Handling
+
+- **Missing/Invalid Token**: Throws `UnauthorizedException` (unless `onAuthFail: 'continue'`)
+- **Invalid Payload**: Throws `UnauthorizedException` if `sub` field missing
+
+## Integration
+
+Works alongside JWT and API key authentication:
+- `@CookieAuth()`: Cookie authentication
+- `@APIKeyAuth()`: API key authentication
+- `@Public()`: Skip authentication
+- Default: JWT authentication