basic RBAC system

api/src/app.module.ts

@@ -5,10 +5,15 @@ import { ApiConfigModule } from '@api/modules/config/app-config.module';
 import { APP_GUARD } from '@nestjs/core';
 import { AuthModule } from '@api/modules/auth/auth.module';
 import { JwtAuthGuard } from '@api/modules/auth/guards/jwt-auth.guard';
+import { RolesGuard } from '@api/modules/auth/guards/roles.guard';
 
 @Module({
   imports: [ApiConfigModule, AuthModule],
   controllers: [AppController],
-  providers: [AppService, { provide: APP_GUARD, useClass: JwtAuthGuard }],
+  providers: [
+    AppService,
+    { provide: APP_GUARD, useClass: JwtAuthGuard },
+    { provide: APP_GUARD, useClass: RolesGuard },
+  ],
 })
 export class AppModule {}

api/src/modules/auth/authorisation/roles.enum.ts

@@ -0,0 +1,11 @@
+export enum ROLES {
+  ADMIN = 'admin',
+  PARTNER = 'partner',
+  GENERAL_USER = 'general_user',
+}
+
+export const ROLES_HIERARCHY = {
+  [ROLES.ADMIN]: [ROLES.PARTNER, ROLES.GENERAL_USER],
+  [ROLES.PARTNER]: [ROLES.GENERAL_USER],
+  [ROLES.GENERAL_USER]: [],
+};

api/src/modules/auth/decorators/roles.decorator.ts

@@ -0,0 +1,6 @@
+import { SetMetadata } from '@nestjs/common';
+import { ROLES } from '@api/modules/auth/authorisation/roles.enum';
+
+export const ROLES_KEY = 'roles';
+export const RequiredRoles = (...roles: ROLES[]) =>
+  SetMetadata(ROLES_KEY, roles);

api/src/modules/auth/guards/roles.guard.ts

@@ -0,0 +1,33 @@
+import { Injectable, CanActivate, ExecutionContext } from '@nestjs/common';
+import { Reflector } from '@nestjs/core';
+import {
+  ROLES,
+  ROLES_HIERARCHY,
+} from '@api/modules/auth/authorisation/roles.enum';
+import { ROLES_KEY } from '@api/modules/auth/decorators/roles.decorator';
+
+@Injectable()
+export class RolesGuard implements CanActivate {
+  constructor(private reflector: Reflector) {}
+
+  canActivate(context: ExecutionContext): boolean {
+    const requiredRoles: ROLES[] = this.reflector.getAllAndOverride<ROLES[]>(
+      ROLES_KEY,
+      [context.getHandler(), context.getClass()],
+    );
+    if (!requiredRoles) {
+      return true;
+    }
+    const { user } = context.switchToHttp().getRequest();
+
+    return this.hasRequiredRole(user.role, requiredRoles);
+  }
+
+  private hasRequiredRole(userRole: ROLES, requiredRoles: ROLES[]): boolean {
+    return requiredRoles.some(
+      (requiredRole) =>
+        userRole === requiredRole ||
+        ROLES_HIERARCHY[userRole]?.includes(requiredRole),
+    );
+  }
+}

api/src/modules/users/users.controller.ts

@@ -0,0 +1,26 @@
+import { Controller, Get } from '@nestjs/common';
+import { RequiredRoles } from '@api/modules/auth/decorators/roles.decorator';
+import { ROLES } from '@api/modules/auth/authorisation/roles.enum';
+
+@Controller('users')
+export class UsersController {
+  // TODO: All of these endpoints are fake, only to test the role guard
+
+  @RequiredRoles(ROLES.ADMIN)
+  @Get('admin')
+  async createUserAsAdmin() {
+    return [ROLES.ADMIN];
+  }
+
+  @RequiredRoles(ROLES.PARTNER)
+  @Get('partner')
+  async createUserAsPartner() {
+    return [ROLES.PARTNER, ROLES.ADMIN];
+  }
+
+  @RequiredRoles(ROLES.GENERAL_USER)
+  @Get('user')
+  async createUserAsUser() {
+    return [ROLES.GENERAL_USER, ROLES.PARTNER, ROLES.ADMIN];
+  }
+}

api/src/modules/users/users.module.ts

@@ -2,10 +2,12 @@ import { Module } from '@nestjs/common';
 import { UsersService } from './users.service';
 import { TypeOrmModule } from '@nestjs/typeorm';
 import { User } from '@shared/entities/users/user.entity';
+import { UsersController } from '@api/modules/users/users.controller';
 
 @Module({
   imports: [TypeOrmModule.forFeature([User])],
   providers: [UsersService],
   exports: [UsersService],
+  controllers: [UsersController],
 })
 export class UsersModule {}

api/test/auth/authorization.spec.ts

@@ -0,0 +1,42 @@
+import { TestManager } from '../utils/test-manager';
+
+import { User } from '@shared/entities/users/user.entity';
+import { ROLES } from '@api/modules/auth/authorisation/roles.enum';
+
+describe('Authorization', () => {
+  let testManager: TestManager;
+
+  beforeAll(async () => {
+    testManager = await TestManager.createTestManager();
+  });
+
+  afterEach(async () => {
+    await testManager.clearDatabase();
+  });
+
+  afterAll(async () => {
+    await testManager.close();
+  });
+  test('a user should have a default general user role when signing up', async () => {
+    await testManager
+      .request()
+      .post('/authentication/signup')
+      .send({ email: '[email protected]', password: '123456' });
+
+    const user = await testManager
+      .getDataSource()
+      .getRepository(User)
+      .findOne({ where: { email: '[email protected]' } });
+
+    expect(user.role).toEqual(ROLES.GENERAL_USER);
+
+    describe('ROLE TEST ENDPOINTS, REMOVE!', () => {
+      test('when role required is general user, the general user and above roles should have access', async () => {
+        const user = await testManager
+          .mocks()
+          .createUser({ role: ROLES.GENERAL_USER });
+        const { jwtToken } = await testManager.logUserIn(user);
+      });
+    });
+  });
+});

api/test/utils/test-manager.ts

@@ -80,7 +80,7 @@ export class TestManager {
 
   mocks() {
     return {
-      createUser: (additionalData: Partial<User>) =>
+      createUser: (additionalData?: Partial<User>) =>
         createUser(this.getDataSource(), additionalData),
     };
   }

shared/entities/users/user.entity.ts

@@ -6,6 +6,7 @@ import {
   PrimaryGeneratedColumn,
 } from "typeorm";
 import { Exclude } from "class-transformer";
+import { ROLES } from "@api/modules/auth/authorisation/roles.enum";
 
 @Entity({ name: "users" })
 export class User {
@@ -19,6 +20,14 @@ export class User {
   @Exclude()
   password: string;
 
+  @Column({
+    type: "enum",
+    default: ROLES.GENERAL_USER,
+    enum: ROLES,
+    enumName: "user_roles",
+  })
+  role: ROLES;
+
   @CreateDateColumn({ name: "created_at" })
   createdAt: Date;
 }