Merge pull request #46 from Adrianmjim/feat/add-auth-guard

adrianmjim · web-flow · commit 2f28cc4002f5 · 2024-10-24T09:12:11.000+02:00
feat(auth): Add BaseSupabaseAuthGuard
diff --git a/README.md b/README.md
@@ -213,6 +213,32 @@ export class CatService {
 }
 ```
 
+## Authentication
+
+This library provides a base guard to authenticate requests using the Supabase auth client.
+
+### Usage
+To use the `BaseSupabaseAuthGuard`, you need to create a subclass that implements the `extractTokenFromRequest` method. This implementation should define how to extract the token from the request, which might be in the headers, cookies, or query parameters.
+
+```typescript
+import { Injectable, ExecutionContext } from '@nestjs/common';
+import { SupabaseClient } from '@supabase/supabase-js';
+import { BaseSupabaseAuthGuard } from 'nestjs-supabase-js';
+
+@Injectable()
+export class MyAuthGuard extends BaseSupabaseAuthGuard {
+  public constructor(supabaseClient: SupabaseClient) {
+    super(supabaseClient);
+  }
+
+  protected extractTokenFromRequest(request: Request): string | undefined {
+    return request.headers.authorization;
+  }
+}
+```
+
+Then, you can bind the guard as described in the [NestJS documentation](https://docs.nestjs.com/guards#binding-guards).
+
 ## 🤝 Contributing [![contributions welcome](https://img.shields.io/badge/contributions-welcome-brightgreen.svg?style=flat)](https://github.com/adrianmjim/nestjs-supabase-js/issues)
 
 Contributions, issues and feature requests are welcome.
@@ -233,4 +259,4 @@ Please ⭐️ this repository if this project helped you!
 
 Copyright © 2024 [Adrián Martínez Jiménez](https://github.com/adrianmjim).
 
-This project is licensed under the MIT License - see the [LICENSE file](LICENSE) for details.
+This project is licensed under the MIT License - see the [LICENSE file](LICENSE) for details.
diff --git a/src/guards/BaseSupabaseAuthGuard.spec.ts b/src/guards/BaseSupabaseAuthGuard.spec.ts
@@ -0,0 +1,211 @@
+import { afterAll, beforeAll, describe, expect, it, Mock, Mocked, vitest } from 'vitest';
+
+import { ExecutionContext, UnauthorizedException } from '@nestjs/common';
+import { HttpArgumentsHost } from '@nestjs/common/interfaces';
+import { AuthError, SupabaseClient, User } from '@supabase/supabase-js';
+import { SupabaseAuthClient } from '@supabase/supabase-js/dist/module/lib/SupabaseAuthClient';
+
+import { BaseSupabaseAuthGuard } from './BaseSupabaseAuthGuard';
+
+class TestSupabaseAuthGuard extends BaseSupabaseAuthGuard {
+  public constructor(
+    private readonly getToken: () => string | undefined,
+    supabaseClient: SupabaseClient,
+  ) {
+    super(supabaseClient);
+  }
+
+  protected extractTokenFromRequest(_request: Request): (string | undefined) | Promise<string | undefined> {
+    return this.getToken();
+  }
+}
+
+describe(BaseSupabaseAuthGuard.name, () => {
+  let testSupabaseAuthGuard: TestSupabaseAuthGuard;
+  let supabaseAuthClientMock: Mocked<SupabaseAuthClient>;
+  let supabaseClientMock: Mocked<SupabaseClient>;
+  let getTokenMock: Mock<() => string | undefined>;
+
+  beforeAll(() => {
+    supabaseAuthClientMock = {
+      getUser: vitest.fn(),
+    } as Partial<Mocked<SupabaseAuthClient>> as Mocked<SupabaseAuthClient>;
+
+    supabaseClientMock = {
+      auth: supabaseAuthClientMock,
+    } as Partial<Mocked<SupabaseClient>> as Mocked<SupabaseClient>;
+
+    getTokenMock = vitest.fn();
+
+    testSupabaseAuthGuard = new TestSupabaseAuthGuard(getTokenMock, supabaseClientMock);
+  });
+
+  describe('canActivate', () => {
+    describe('when called and getToken() returns undefined', () => {
+      let switchToHttpMock: Mocked<HttpArgumentsHost>;
+      let executionContextMock: Mocked<ExecutionContext>;
+      let result: unknown;
+
+      beforeAll(async () => {
+        switchToHttpMock = {
+          getRequest: vitest.fn(),
+        } as Partial<Mocked<HttpArgumentsHost>> as Mocked<HttpArgumentsHost>;
+
+        executionContextMock = {
+          switchToHttp: vitest.fn().mockReturnValueOnce(switchToHttpMock),
+        } as Partial<Mocked<ExecutionContext>> as Mocked<ExecutionContext>;
+
+        try {
+          await testSupabaseAuthGuard.canActivate(executionContextMock);
+        } catch (error: unknown) {
+          result = error;
+        }
+      });
+
+      afterAll(() => {
+        vitest.clearAllMocks();
+      });
+
+      it('should call executionContext.switchToHttp()', () => {
+        expect(executionContextMock.switchToHttp).toHaveBeenCalledTimes(1);
+        expect(executionContextMock.switchToHttp).toHaveBeenCalledWith();
+      });
+
+      it('should call executionContext.switchToHttp().getRequest()', () => {
+        expect(switchToHttpMock.getRequest).toHaveBeenCalledTimes(1);
+        expect(switchToHttpMock.getRequest).toHaveBeenCalledWith();
+      });
+
+      it('should call getToken()', () => {
+        expect(getTokenMock).toHaveBeenCalledTimes(1);
+        expect(getTokenMock).toHaveBeenCalledWith();
+      });
+
+      it('should throw a UnauthorizedException', () => {
+        expect(result).toBeInstanceOf(UnauthorizedException);
+        expect(result).toHaveProperty('message', 'Unauthorized');
+      });
+    });
+
+    describe('when called and userResponse.error is not null', () => {
+      let switchToHttpMock: Mocked<HttpArgumentsHost>;
+      let executionContextMock: Mocked<ExecutionContext>;
+      let tokenFixture: string;
+      let result: unknown;
+
+      beforeAll(async () => {
+        switchToHttpMock = {
+          getRequest: vitest.fn(),
+        } as Partial<Mocked<HttpArgumentsHost>> as Mocked<HttpArgumentsHost>;
+
+        executionContextMock = {
+          switchToHttp: vitest.fn().mockReturnValueOnce(switchToHttpMock),
+        } as Partial<Mocked<ExecutionContext>> as Mocked<ExecutionContext>;
+
+        tokenFixture = 'token';
+
+        getTokenMock.mockReturnValueOnce(tokenFixture);
+
+        supabaseAuthClientMock.getUser.mockResolvedValueOnce({
+          data: { user: null },
+          error: {} as AuthError,
+        });
+
+        try {
+          await testSupabaseAuthGuard.canActivate(executionContextMock);
+        } catch (error: unknown) {
+          result = error;
+        }
+      });
+
+      afterAll(() => {
+        vitest.clearAllMocks();
+      });
+
+      it('should call executionContext.switchToHttp()', () => {
+        expect(executionContextMock.switchToHttp).toHaveBeenCalledTimes(1);
+        expect(executionContextMock.switchToHttp).toHaveBeenCalledWith();
+      });
+
+      it('should call executionContext.switchToHttp().getRequest()', () => {
+        expect(switchToHttpMock.getRequest).toHaveBeenCalledTimes(1);
+        expect(switchToHttpMock.getRequest).toHaveBeenCalledWith();
+      });
+
+      it('should call getToken()', () => {
+        expect(getTokenMock).toHaveBeenCalledTimes(1);
+        expect(getTokenMock).toHaveBeenCalledWith();
+      });
+
+      it('should call supabaseClient.auth.getUser()', () => {
+        expect(supabaseClientMock.auth.getUser).toHaveBeenCalledTimes(1);
+        expect(supabaseClientMock.auth.getUser).toHaveBeenCalledWith(tokenFixture);
+      });
+
+      it('should throw a UnauthorizedException', () => {
+        expect(result).toBeInstanceOf(UnauthorizedException);
+        expect(result).toHaveProperty('message', 'Unauthorized');
+      });
+    });
+
+    describe('when called and userResponse.data is not null', () => {
+      let switchToHttpMock: Mocked<HttpArgumentsHost>;
+      let executionContextMock: Mocked<ExecutionContext>;
+      let tokenFixture: string;
+      let requestFixture: unknown;
+      let result: unknown;
+
+      beforeAll(async () => {
+        switchToHttpMock = {
+          getRequest: vitest.fn(),
+        } as Partial<Mocked<HttpArgumentsHost>> as Mocked<HttpArgumentsHost>;
+
+        executionContextMock = {
+          switchToHttp: vitest.fn().mockReturnValueOnce(switchToHttpMock),
+        } as Partial<Mocked<ExecutionContext>> as Mocked<ExecutionContext>;
+
+        tokenFixture = 'token';
+        requestFixture = {};
+
+        switchToHttpMock.getRequest.mockReturnValueOnce(requestFixture);
+
+        getTokenMock.mockReturnValueOnce(tokenFixture);
+
+        supabaseAuthClientMock.getUser.mockResolvedValueOnce({
+          data: { user: {} as User },
+          error: null,
+        });
+
+        result = await testSupabaseAuthGuard.canActivate(executionContextMock);
+      });
+
+      afterAll(() => {
+        vitest.clearAllMocks();
+      });
+
+      it('should call executionContext.switchToHttp()', () => {
+        expect(executionContextMock.switchToHttp).toHaveBeenCalledTimes(1);
+        expect(executionContextMock.switchToHttp).toHaveBeenCalledWith();
+      });
+
+      it('should call executionContext.switchToHttp().getRequest()', () => {
+        expect(switchToHttpMock.getRequest).toHaveBeenCalledTimes(1);
+        expect(switchToHttpMock.getRequest).toHaveBeenCalledWith();
+      });
+
+      it('should call getToken()', () => {
+        expect(getTokenMock).toHaveBeenCalledTimes(1);
+        expect(getTokenMock).toHaveBeenCalledWith();
+      });
+
+      it('should call supabaseClient.auth.getUser()', () => {
+        expect(supabaseClientMock.auth.getUser).toHaveBeenCalledTimes(1);
+        expect(supabaseClientMock.auth.getUser).toHaveBeenCalledWith(tokenFixture);
+      });
+
+      it('should return true', () => {
+        expect(result).toBeTruthy();
+      });
+    });
+  });
+});
diff --git a/src/guards/BaseSupabaseAuthGuard.ts b/src/guards/BaseSupabaseAuthGuard.ts
@@ -0,0 +1,29 @@
+import { CanActivate, ExecutionContext, Injectable, UnauthorizedException } from '@nestjs/common';
+import { SupabaseClient, User, UserResponse } from '@supabase/supabase-js';
+
+@Injectable()
+export abstract class BaseSupabaseAuthGuard implements CanActivate {
+  public constructor(protected readonly supabaseClient: SupabaseClient) {}
+
+  public async canActivate(context: ExecutionContext): Promise<boolean> {
+    const request: unknown = context.switchToHttp().getRequest();
+
+    const token: string | undefined = await this.extractTokenFromRequest(request);
+
+    if (token === undefined) {
+      throw new UnauthorizedException();
+    }
+
+    const userResponse: UserResponse = await this.supabaseClient.auth.getUser(token);
+
+    if (userResponse.error !== null) {
+      throw new UnauthorizedException();
+    }
+
+    (request as { user: User }).user = userResponse.data.user;
+
+    return true;
+  }
+
+  protected abstract extractTokenFromRequest(request: unknown): (string | undefined) | Promise<string | undefined>;
+}
diff --git a/src/index.ts b/src/index.ts
@@ -1,3 +1,4 @@
+export { BaseSupabaseAuthGuard } from './guards/BaseSupabaseAuthGuard';
 export { InjectSupabaseClient } from './decorators/InjectSupabaseClient';
 export { NestSupabaseConfig } from './models/NestSupabaseConfig';
 export { NestSupabaseConfigAsync } from './models/NestSupabaseConfigAsync';
@@ -6,4 +7,4 @@ export { NestSupabaseConfigFactory } from './models/NestSupabaseConfigFactory';
 export { NestSupabaseConfigFactoryAsyncOptions } from './models/NestSupabaseConfigFactoryAsyncOptions';
 export { NameSupabaseConfigPair } from './models/NameSupabaseConfigPair';
 export { SupabaseConfig } from './models/SupabaseConfig';
-export { SupabaseModule } from './modules/SupabaseModule';
+export { SupabaseModule } from './modules/SupabaseModule';
