Merge pull request #6 from cuappdev/aayush/auth

Adding JWT auth

Author: Aayush-Agnihotri

.env.example

@@ -11,6 +11,9 @@ NODE_ENV=development
 CACHE_REFRESH_HEADER=
 CACHE_REFRESH_SECRET=
 
+# Authentication Configuration
+ACCESS_TOKEN_SECRET=
+
 # Database Configuration
 DATABASE_URL=
 

package-lock.json

@@ -32,6 +32,7 @@
     "express-rate-limit": "^8.1.0",
     "firebase-admin": "^13.5.0",
     "helmet": "^8.1.0",
+    "jsonwebtoken": "^9.0.2",
     "node-cache": "^5.1.2",
     "node-cron": "^4.2.1",
     "zod": "^4.1.12"

package.json

@@ -0,0 +1,26 @@
+/*
+  Warnings:
+
+  - You are about to drop the column `deviceId` on the `User` table. All the data in the column will be lost.
+  - A unique constraint covering the columns `[deviceUuid]` on the table `User` will be added. If there are existing duplicate values, this will fail.
+  - A unique constraint covering the columns `[refreshToken]` on the table `User` will be added. If there are existing duplicate values, this will fail.
+  - Added the required column `deviceUuid` to the `User` table without a default value. This is not possible if the table is not empty.
+  - Added the required column `refreshToken` to the `User` table without a default value. This is not possible if the table is not empty.
+
+*/
+-- DropIndex
+DROP INDEX "User_deviceId_idx";
+
+-- DropIndex
+DROP INDEX "User_deviceId_key";
+
+-- AlterTable
+ALTER TABLE "User" DROP COLUMN "deviceId",
+ADD COLUMN     "deviceUuid" TEXT NOT NULL,
+ADD COLUMN     "refreshToken" TEXT NOT NULL;
+
+-- CreateIndex
+CREATE UNIQUE INDEX "User_deviceUuid_key" ON "User"("deviceUuid");
+
+-- CreateIndex
+CREATE UNIQUE INDEX "User_refreshToken_key" ON "User"("refreshToken");

prisma/migrations/20251120022949/migration.sql

@@ -49,16 +49,16 @@ enum EventType {
 }
 
 model User {
-  id       Int    @id @default(autoincrement())
-  deviceId String @unique
+  id           Int    @id @default(autoincrement())
+  deviceUuid   String @unique
+  refreshToken String @unique
 
   fcmTokens          FCMToken[]
   reports            Report[]
   favoritedEateries  FavoritedEatery[]
   favoritedItemNames String[]
   userEventVotes     UserEventVote[]
 
-  @@index([deviceId])
   @@index(favoritedItemNames, type: Gin) // The performance magic
 }
 

prisma/schema.prisma

@@ -1,7 +1,13 @@
 import { z } from 'zod';
 
-export const authorizeDeviceIdSchema = z.object({
+export const verifyDeviceUuidSchema = z.object({
   body: z.object({
-    deviceId: z.string().nonempty('Device ID is required'),
+    deviceUuid: z.string().nonempty('Device UUID is required'),
+  }),
+});
+
+export const refreshAccessTokenSchema = z.object({
+  body: z.object({
+    refreshToken: z.string().nonempty('Refresh token is required'),
   }),
 });

src/auth/auth.schema.ts

@@ -1,30 +1,63 @@
+import crypto from 'crypto';
+import jwt from 'jsonwebtoken';
+
 import type { Request, Response } from 'express';
 
 import { prisma } from '../prisma.js';
+import { ForbiddenError } from '../utils/AppError.js';
 
-export const authorizeDeviceId = async (req: Request, res: Response) => {
-  const { deviceId } = req.body;
+export const verifyDeviceUuid = async (req: Request, res: Response) => {
+  const { deviceUuid } = req.body;
+  const refreshToken = crypto.randomBytes(64).toString('hex');
 
   const user = await prisma.user.upsert({
-    where: { deviceId },
-    update: {},
-    create: {
-      deviceId,
+    where: { deviceUuid },
+    // If the user exists, update the refreshToken
+    update: {
+      refreshToken,
     },
-    select: {
-      id: true,
-      deviceId: true,
-      favoritedEateries: {
-        select: {
-          eateryId: true,
-        },
-      },
-      favoritedItemNames: true,
+    // If the user does not exist, create a new user
+    create: {
+      deviceUuid,
+      refreshToken,
     },
   });
 
+  const accessToken = jwt.sign(
+    { userId: user.id },
+    process.env.ACCESS_TOKEN_SECRET!,
+    { expiresIn: '15m' },
+  );
+
+  return res.json({ accessToken, refreshToken });
+};
+
+export const refreshAccessToken = async (req: Request, res: Response) => {
+  const { refreshToken } = req.body;
+
+  const user = await prisma.user.findFirst({
+    where: { refreshToken },
+  });
+
+  if (!user) {
+    throw new ForbiddenError('Invalid refresh token');
+  }
+
+  const newAccessToken = jwt.sign(
+    { userId: user.id },
+    process.env.ACCESS_TOKEN_SECRET!,
+    { expiresIn: '15m' },
+  );
+
+  const newRefreshToken = crypto.randomBytes(64).toString('hex');
+
+  await prisma.user.update({
+    where: { id: user.id },
+    data: { refreshToken: newRefreshToken },
+  });
+
   return res.json({
-    ...user,
-    favoritedEateries: user.favoritedEateries.map((fe) => fe.eateryId),
+    accessToken: newAccessToken,
+    refreshToken: newRefreshToken,
   });
 };

src/auth/authController.ts

@@ -1,15 +1,23 @@
 import { Router } from 'express';
 
 import { validateRequest } from '../middleware/validateRequest.js';
-import { authorizeDeviceIdSchema } from './auth.schema.js';
-import { authorizeDeviceId } from './authController.js';
+import {
+  refreshAccessTokenSchema,
+  verifyDeviceUuidSchema,
+} from './auth.schema.js';
+import { refreshAccessToken, verifyDeviceUuid } from './authController.js';
 
 const router = Router();
 
 router.post(
-  '/authorize',
-  validateRequest(authorizeDeviceIdSchema),
-  authorizeDeviceId,
+  '/verify-token',
+  validateRequest(verifyDeviceUuidSchema),
+  verifyDeviceUuid,
+);
+router.post(
+  '/refresh-token',
+  validateRequest(refreshAccessTokenSchema),
+  refreshAccessToken,
 );
 
 export default router;

src/auth/authRouter.ts

@@ -1,12 +1,23 @@
+import jwt from 'jsonwebtoken';
+
 import type { NextFunction, Request, Response } from 'express';
 
+import type { AuthJwtPayload } from '../types/express/index.js';
 import { UnauthorizedError } from '../utils/AppError.js';
 
 export const requireAuth = (
   req: Request,
   _res: Response,
   next: NextFunction,
 ) => {
+  // Development bypass
+  if (process.env.NODE_ENV === 'development') {
+    req.user = {
+      userId: 1,
+    };
+    return next();
+  }
+
   const authHeader = req.headers.authorization;
   if (!authHeader || !authHeader.startsWith('Bearer ')) {
     throw new UnauthorizedError('No token provided or wrong format.');
@@ -17,8 +28,12 @@ export const requireAuth = (
     throw new UnauthorizedError('No token provided.');
   }
 
-  // TODO: Finish body when GET authentication is finalized
-  // Override Express Request type to include session info in the request object
+  jwt.verify(token, process.env.ACCESS_TOKEN_SECRET!, (err, decodedToken) => {
+    if (err || !decodedToken || typeof decodedToken === 'string') {
+      throw new UnauthorizedError('Invalid token.');
+    }
+    req.user = decodedToken as AuthJwtPayload;
+  });
 
   return next();
 };

src/middleware/authentication.ts

@@ -5,11 +5,13 @@ import express from 'express';
 import type { Request, Response } from 'express';
 
 import authRouter from './auth/authRouter.js';
+import { eateryRouter } from './eateries/eateryRouter.js';
 import { requireAuth } from './middleware/authentication.js';
 import { globalErrorHandler } from './middleware/errorHandler.js';
 import { requestLogger } from './middleware/logger.js';
 import { ipRateLimiter } from './middleware/rateLimit.js';
 import { prisma } from './prisma.js';
+import userRouter from './users/userRouter.js';
 import { refreshCacheFromDB } from './utils/cache.js';
 
 const app = express();
@@ -48,9 +50,11 @@ router.get('/health', async (_: Request, res: Response) => {
 
 // Public routes
 router.use('/auth', authRouter);
+router.use('/eateries', eateryRouter);
 
-// Protected routes (require GET authentication)
+// Protected routes
 router.use(requireAuth);
+router.use('/users', userRouter);
 
 app.use(router);