fix: jwt for current user required for update

VASHvic · Oct 16, 2022 · ecced5e · ecced5e
1 parent 46d4ec4
commit ecced5e
Show file tree

Hide file tree

Showing 10 changed files with 56 additions and 32 deletions.
diff --git a/src/auth/auth.controller.spec.ts b/src/auth/auth.controller.spec.ts
@@ -7,7 +7,6 @@ import { JwtService } from "@nestjs/jwt";
 import { getModelToken } from "@nestjs/mongoose";
 import { User, UserDocument } from "src/user/schemas/user.schema";
 import { Model } from "mongoose";
-import { newMockUser, randomMockUser } from "test/e2e.constants";
 
 describe("AuthController", () => {
   let controller: AuthController;

diff --git a/src/auth/guards/jwt-auth.guard.ts b/src/auth/guards/jwt-auth.guard.ts
@@ -5,7 +5,7 @@ import { Observable } from "rxjs";
 import { IS_PUBLIC_KEY } from "../decorators/public.decorator";
 
 @Injectable()
-export class JwtAuthGuard extends AuthGuard("Jwt") {
+export class JwtAuthGuard extends AuthGuard("jwt") {
   constructor(private reflector: Reflector) {
     super();
   }

diff --git a/src/auth/services/auth.service.spec.ts b/src/auth/services/auth.service.spec.ts
@@ -33,16 +33,4 @@ describe("AuthService", () => {
   it("should be defined", () => {
     expect(service).toBeDefined();
   });
-  // it('should return a user doc', async () => {
-  //   // arrange
-  //   const user = new User();
-  //   const userID = '12345';
-  //   const spy = jest
-  //     .spyOn(mockUserModel, 'findById') // <- spy on what you want
-  //     .mockResolvedValue(user as UserDocument); // <- Set your resolved value
-  //   // act
-  //   await mockRepository.findOneById(userID);
-  //   // assert
-  //   expect(spy).toBeCalled();
-  // });
 });
diff --git a/src/auth/services/auth.service.ts b/src/auth/services/auth.service.ts
@@ -2,7 +2,7 @@ import { Injectable } from "@nestjs/common";
 import { JwtService } from "@nestjs/jwt";
 import * as bcrypt from "bcrypt";
 import { UserService } from "src/user/user.service";
-import { PayloadToken, SafeUserType } from "../types/types";
+import { SafeUserType } from "../types/types";
 
 @Injectable()
 export class AuthService {
@@ -21,7 +21,7 @@ export class AuthService {
   }
 
   generateJWT(user: SafeUserType) {
-    const payload: PayloadToken = { sub: user._id };
+    const payload = { sub: user._id };
     return {
       access_token: this.jwtService.sign(payload),
       user,

diff --git a/src/auth/types/types.d.ts b/src/auth/types/types.d.ts
@@ -2,6 +2,8 @@ import { User } from "src/user/schemas/user.schema";
 
 export interface PayloadToken {
   sub: string;
+  iat: number;
+  exp: number;
 }
 export type UserType = {
   _id: string;

diff --git a/src/user/user-error.service.ts b/src/user/user-error.service.ts
@@ -1,4 +1,4 @@
-import { BadRequestException, Injectable } from "@nestjs/common";
+import { BadRequestException, Injectable, HttpException } from "@nestjs/common";
 import { InjectModel } from "@nestjs/mongoose";
 import { Model } from "mongoose";
 import { UserErrorDocument } from "./schemas/user-error.schema";
@@ -13,7 +13,7 @@ export class UserErrorService {
     if (e.code === 11000) {
       errorMesage = `A User with ${Object.entries(e.keyValue)} already exists`;
     }
-    const error = new BadRequestException(errorMesage ?? "Unknow Error");
+    const error = new HttpException(errorMesage ?? e.message, e.status);
     const newUserError = new this.userErrorModel({ error });
     await newUserError.save();
     return error;

diff --git a/src/user/user.controller.ts b/src/user/user.controller.ts
@@ -3,11 +3,14 @@ import {
   Controller,
   Delete,
   Get,
+  Header,
+  Headers,
   Param,
   Patch,
   Post,
   UseGuards,
 } from "@nestjs/common";
+import { JwtAuthGuard } from "src/auth/guards/jwt-auth.guard";
 import { DeleteUserDto } from "src/dto/deleteUser.dto";
 import { Public } from "../auth/decorators/public.decorator";
 import { ApiKeyGuard } from "../auth/guards/api-key.guard";
@@ -53,12 +56,23 @@ export class UserController {
     return rta;
   }
 
+  @UseGuards(JwtAuthGuard)
   @UseGuards(LocalAuthGuard)
   @Patch("update")
-  public async updateUser(@Body() dto: UpdateUserDto): Promise<SafeUserType> {
-    return this.userService.update(dto);
-  }
+  public async updateUser(
+    @Body() dto: UpdateUserDto,
+    @Headers() headers,
+  ): Promise<SafeUserType> {
+    const { authorization } = headers;
+    try {
+      return await this.userService.update(dto, authorization);
+    } catch (e) {
+      const error = await this.userErrorService.saveError(e);
 
+      throw error;
+    }
+  }
+  @UseGuards(JwtAuthGuard)
   @UseGuards(LocalAuthGuard)
   @Delete("delete")
   public async deleteUser(@Body() dto: DeleteUserDto): Promise<boolean> {
@@ -72,7 +86,6 @@ export class UserController {
       return await this.userService.signUp(dto);
     } catch (e) {
       console.log(e);
-
       const error = await this.userErrorService.saveError(e);
       throw error;
     }

diff --git a/src/user/user.module.ts b/src/user/user.module.ts
@@ -1,4 +1,5 @@
 import { Module } from "@nestjs/common";
+import { JwtService } from "@nestjs/jwt";
 import { MongooseModule } from "@nestjs/mongoose";
 import { ErrorSchema } from "./schemas/user-error.schema";
 import { User, UserSchema } from "./schemas/user.schema";
@@ -13,7 +14,7 @@ import { UserService } from "./user.service";
       { name: "userError", schema: ErrorSchema },
     ]),
   ],
-  providers: [UserService, UserErrorService],
+  providers: [UserService, UserErrorService, JwtService],
   controllers: [UserController],
   exports: [UserService, MongooseModule],
 })

diff --git a/src/user/user.service.ts b/src/user/user.service.ts
@@ -1,4 +1,4 @@
-import { Injectable } from "@nestjs/common";
+import { Inject, Injectable, UnauthorizedException } from "@nestjs/common";
 import { InjectModel } from "@nestjs/mongoose";
 import { Model } from "mongoose";
 import { createUserDto } from "src/dto/createUser.dto";
@@ -7,10 +7,14 @@ import { User, UserDocument } from "./schemas/user.schema";
 import * as bycript from "bcrypt";
 import { SafeUserType, UserType } from "src/auth/types/types";
 import { DeleteUserDto } from "src/dto/deleteUser.dto";
+import { JwtService } from "@nestjs/jwt";
 
 @Injectable()
 export class UserService {
-  constructor(@InjectModel(User.name) private userModel: Model<UserDocument>) {}
+  constructor(
+    @InjectModel(User.name) private userModel: Model<UserDocument>,
+    private readonly jwtService: JwtService,
+  ) {}
 
   public async signUp(dto: createUserDto): Promise<SafeUserType> {
     const newUser = new this.userModel(dto);
@@ -33,17 +37,30 @@ export class UserService {
     return user ? (user.toJSON() as UserType) : null;
   }
 
-  public async update(changes: UpdateUserDto) {
-    const { _id } = (await this.findByEmail(changes.email)) as UserType;
+  public async update(changes: UpdateUserDto, auth: string) {
+    const token = auth.split(" ")[1];
+    const { sub } = this.jwtService.decode(token);
+    const userFromToken = await this.findById(sub);
+
+    const userFromEmail = (await this.findByEmail(changes.email)) as UserType;
+    if (
+      JSON.stringify(userFromToken) !== JSON.stringify(userFromEmail) // diuen que millorable
+    ) {
+      throw new Error("Authorization token doesnt belong to User");
+    }
     const updated = {} as User;
     if (changes.newName) updated.name = changes.newName;
     if (changes.newPassword)
       updated.password = await bycript.hash(changes.newPassword, 10);
     if (changes.newEmail) updated.email = changes.newEmail;
 
-    const updatedUser = await this.userModel.findByIdAndUpdate(_id, updated, {
-      returnOriginal: false,
-    });
+    const updatedUser = await this.userModel.findByIdAndUpdate(
+      userFromEmail._id,
+      updated,
+      {
+        returnOriginal: false,
+      },
+    );
     const { password, __v, ...rta } = updatedUser.toJSON();
     return rta as SafeUserType;
   }

diff --git a/test/app.e2e-spec.ts b/test/app.e2e-spec.ts
@@ -13,6 +13,7 @@ import {
 describe("Starting App", () => {
   let app: INestApplication;
   let httpServer: any;
+  let token;
   //mirar si pug afafar la conexió com michael guay
 
   jest.setTimeout(120000);
@@ -68,7 +69,7 @@ describe("Starting App", () => {
       const response = await request(httpServer)
         .post("/auth/login")
         .send(newMockUser);
-
+      token = response.body.access_token;
       expect(response.status).toBe(201);
       expect(response.body).toMatchObject({
         access_token: expect.any(String),
@@ -89,10 +90,12 @@ describe("Starting App", () => {
       expect(response.body).toMatchObject(newMockUserNoPass);
     });
   });
+
   describe("USER update the user just created /user/update (PATCH)", () => {
-    it("should uypdate the user", async () => {
+    it("should update the user", async () => {
       const response = await request(httpServer)
         .patch("/user/update")
+        .set("Authorization", `Bearer ${token}`)
         .send(updatedMockUserDto);
       expect(response.status).toBe(200);
     });
@@ -107,6 +110,7 @@ describe("Starting App", () => {
     it("should delete the user", async () => {
       const response = await request(httpServer)
         .delete("/user/delete")
+        .set("Authorization", `Bearer ${token}`)
         .send(updatedMockUser);
       expect(response.status).toBe(200);
       expect(response.text).toBe("true");