Merge branch 'main' into table-view-fixes

Author: lyubov-voloshko

backend/src/authorization/auth-with-api.middleware.ts

@@ -1,11 +1,11 @@
 import {
-  BadRequestException,
-  HttpException,
-  Injectable,
-  InternalServerErrorException,
-  NestMiddleware,
-  NotFoundException,
-  UnauthorizedException,
+	BadRequestException,
+	HttpException,
+	Injectable,
+	InternalServerErrorException,
+	NestMiddleware,
+	NotFoundException,
+	UnauthorizedException,
 } from '@nestjs/common';
 import { InjectRepository } from '@nestjs/typeorm';
 import { UserEntity } from '../entities/user/user.entity.js';
@@ -23,93 +23,109 @@ import { IRequestWithCognitoInfo } from './cognito-decoded.interface.js';
 
 @Injectable()
 export class AuthWithApiMiddleware implements NestMiddleware {
-  public constructor(
-    @InjectRepository(UserEntity)
-    private readonly userRepository: Repository<UserEntity>,
-  ) {}
+	public constructor(
+		@InjectRepository(UserEntity)
+		private readonly userRepository: Repository<UserEntity>,
+	) {}
 
-  async use(req: IRequestWithCognitoInfo, _res: Response, next: (err?: any, res?: any) => void): Promise<void> {
-    try {
-      await this.authenticateRequest(req);
-      next();
-    } catch (error) {
-      Sentry.captureException(error);
-      this.handleAuthenticationError(error);
-    }
-  }
+	async use(req: IRequestWithCognitoInfo, _res: Response, next: (err?: any, res?: any) => void): Promise<void> {
+		try {
+			await this.authenticateRequest(req);
+			next();
+		} catch (error) {
+			Sentry.captureException(error);
+			this.handleAuthenticationError(error);
+		}
+	}
 
-  private async authenticateRequest(req: IRequestWithCognitoInfo): Promise<void> {
-    const tokenFromCookie = this.getTokenFromCookie(req);
-    if (tokenFromCookie) {
-      await this.authenticateWithToken(tokenFromCookie, req);
-    } else {
-      await this.authenticateWithApiKey(req);
-    }
-  }
+	private async authenticateRequest(req: IRequestWithCognitoInfo): Promise<void> {
+		const tokenFromCookie = this.getTokenFromCookie(req);
+		if (tokenFromCookie) {
+			await this.authenticateWithToken(tokenFromCookie, req);
+		} else {
+			await this.authenticateWithApiKey(req);
+		}
+	}
 
-  private getTokenFromCookie(req: Request): string | undefined {
-    return req.cookies?.[Constants.JWT_COOKIE_KEY_NAME];
-  }
+	private getTokenFromCookie(req: Request): string | undefined {
+		return req.cookies?.[Constants.JWT_COOKIE_KEY_NAME];
+	}
 
-  private handleAuthenticationError(error: any): void {
-    if (error instanceof HttpException || error instanceof UnauthorizedException) {
-      throw error;
-    }
-    throw new InternalServerErrorException(Messages.AUTHORIZATION_REJECTED);
-  }
+	private handleAuthenticationError(error: any): void {
+		if (error instanceof HttpException || error instanceof UnauthorizedException) {
+			throw error;
+		}
+		throw new InternalServerErrorException(Messages.AUTHORIZATION_REJECTED);
+	}
 
-  private async authenticateWithToken(tokenFromCookie: string, req: IRequestWithCognitoInfo): Promise<void> {
-    try {
-      const jwtSecret = process.env.JWT_SECRET;
-      const data = jwt.verify(tokenFromCookie, jwtSecret) as jwt.JwtPayload;
-      const userId = data.id;
-      if (!userId) {
-        throw new UnauthorizedException('JWT verification failed');
-      }
-      const addedScope: Array<JwtScopesEnum> = data.scope;
-      if (addedScope && addedScope.length > 0) {
-        if (addedScope.includes(JwtScopesEnum.TWO_FA_ENABLE)) {
-          throw new BadRequestException(Messages.TWO_FA_REQUIRED);
-        }
-      }
+	private async authenticateWithToken(tokenFromCookie: string, req: IRequestWithCognitoInfo): Promise<void> {
+		try {
+			const jwtSecret = process.env.JWT_SECRET;
+			const data = jwt.verify(tokenFromCookie, jwtSecret) as jwt.JwtPayload;
+			const userId = data.id;
 
-      const payload = {
-        sub: userId,
-        email: data.email,
-        exp: data.exp,
-        iat: data.iat,
-      };
-      if (!payload || isObjectEmpty(payload)) {
-        throw new UnauthorizedException('JWT verification failed');
-      }
-      req.decoded = payload;
-    } catch (error) {
-      Sentry.captureException(error);
-      throw error;
-    }
-  }
+			if (!userId) {
+				throw new UnauthorizedException('JWT verification failed');
+			}
 
-  private async authenticateWithApiKey(req: IRequestWithCognitoInfo): Promise<void> {
-    let apiKey = req.headers?.['x-api-key'];
-    if (Array.isArray(apiKey)) {
-      apiKey = apiKey[0];
-    }
-    if (!apiKey) {
-      throw new UnauthorizedException(Messages.NO_AUTH_KEYS_FOUND);
-    }
-    const apiKeyHash = await Encryptor.processDataWithAlgorithm(apiKey, EncryptionAlgorithmEnum.sha256);
-    const foundUserByApiKey = await this.userRepository
-      .createQueryBuilder('user')
-      .innerJoinAndSelect('user.api_keys', 'api_key')
-      .where('api_key.hash = :hash', { hash: apiKeyHash })
-      .getOne();
+			const userExists = await this.userRepository.findOne({ where: { id: userId } });
+			if (!userExists) {
+				throw new UnauthorizedException('JWT verification failed');
+			}
 
-    if (!foundUserByApiKey) {
-      throw new NotFoundException(Messages.NO_AUTH_KEYS_FOUND);
-    }
-    req.decoded = {
-      sub: foundUserByApiKey.id,
-      email: foundUserByApiKey.email,
-    };
-  }
+			if (userExists.suspended) {
+				throw new UnauthorizedException(Messages.ACCOUNT_SUSPENDED);
+			}
+
+			const addedScope: Array<JwtScopesEnum> = data.scope;
+			if (addedScope && addedScope.length > 0) {
+				if (addedScope.includes(JwtScopesEnum.TWO_FA_ENABLE)) {
+					throw new BadRequestException(Messages.TWO_FA_REQUIRED);
+				}
+			}
+
+			const payload = {
+				sub: userId,
+				email: data.email,
+				exp: data.exp,
+				iat: data.iat,
+			};
+			if (!payload || isObjectEmpty(payload)) {
+				throw new UnauthorizedException('JWT verification failed');
+			}
+			req.decoded = payload;
+		} catch (error) {
+			Sentry.captureException(error);
+			throw error;
+		}
+	}
+
+	private async authenticateWithApiKey(req: IRequestWithCognitoInfo): Promise<void> {
+		let apiKey = req.headers?.['x-api-key'];
+		if (Array.isArray(apiKey)) {
+			apiKey = apiKey[0];
+		}
+		if (!apiKey) {
+			throw new UnauthorizedException(Messages.NO_AUTH_KEYS_FOUND);
+		}
+		const apiKeyHash = await Encryptor.processDataWithAlgorithm(apiKey, EncryptionAlgorithmEnum.sha256);
+		const foundUserByApiKey = await this.userRepository
+			.createQueryBuilder('user')
+			.innerJoinAndSelect('user.api_keys', 'api_key')
+			.where('api_key.hash = :hash', { hash: apiKeyHash })
+			.getOne();
+
+		if (!foundUserByApiKey) {
+			throw new NotFoundException(Messages.NO_AUTH_KEYS_FOUND);
+		}
+
+		if (foundUserByApiKey.suspended) {
+			throw new UnauthorizedException(Messages.API_KEY_SUSPENDED);
+		}
+
+		req.decoded = {
+			sub: foundUserByApiKey.id,
+			email: foundUserByApiKey.email,
+		};
+	}
 }

backend/src/authorization/auth.middleware.ts

@@ -1,10 +1,10 @@
 import {
-  BadRequestException,
-  HttpException,
-  Injectable,
-  InternalServerErrorException,
-  NestMiddleware,
-  UnauthorizedException,
+	BadRequestException,
+	HttpException,
+	Injectable,
+	InternalServerErrorException,
+	NestMiddleware,
+	UnauthorizedException,
 } from '@nestjs/common';
 import { InjectRepository } from '@nestjs/typeorm';
 import { Response } from 'express';
@@ -21,61 +21,73 @@ import { IRequestWithCognitoInfo } from './cognito-decoded.interface.js';
 
 @Injectable()
 export class AuthMiddleware implements NestMiddleware {
-  public constructor(
-    @InjectRepository(UserEntity)readonly _userRepository: Repository<UserEntity>,
-    @InjectRepository(LogOutEntity)
-    private readonly logOutRepository: Repository<LogOutEntity>,
-  ) {}
-  async use(req: IRequestWithCognitoInfo, _res: Response, next: (err?: any, res?: any) => void): Promise<void> {
-    let token: string;
-    try {
-      token = req.cookies[Constants.JWT_COOKIE_KEY_NAME];
-    } catch (_e) {
-      if (process.env.NODE_ENV !== 'test') {
-        throw new UnauthorizedException('JWT verification failed');
-      }
-    }
+	public constructor(
+		@InjectRepository(UserEntity)
+		private readonly userRepository: Repository<UserEntity>,
+		@InjectRepository(LogOutEntity)
+		private readonly logOutRepository: Repository<LogOutEntity>,
+	) {}
+	async use(req: IRequestWithCognitoInfo, _res: Response, next: (err?: any, res?: any) => void): Promise<void> {
+		let token: string;
+		try {
+			token = req.cookies[Constants.JWT_COOKIE_KEY_NAME];
+		} catch (_e) {
+			if (process.env.NODE_ENV !== 'test') {
+				throw new UnauthorizedException('JWT verification failed');
+			}
+		}
 
-    if (!token) {
-      throw new UnauthorizedException('Token is missing');
-    }
+		if (!token) {
+			throw new UnauthorizedException('Token is missing');
+		}
 
-    const isLoggedOut = !!(await this.logOutRepository.findOne({ where: { jwtToken: token } }));
-    if (isLoggedOut) {
-      throw new UnauthorizedException('Token is invalid');
-    }
+		const isLoggedOut = !!(await this.logOutRepository.findOne({ where: { jwtToken: token } }));
+		if (isLoggedOut) {
+			throw new UnauthorizedException('Token is invalid');
+		}
 
-    try {
-      const jwtSecret = process.env.JWT_SECRET;
-      const data = jwt.verify(token, jwtSecret) as jwt.JwtPayload;
-      const userId = data.id;
-      if (!userId) {
-        throw new UnauthorizedException('JWT verification failed');
-      }
-      const addedScope: Array<JwtScopesEnum> = data.scope;
-      if (addedScope && addedScope.length > 0) {
-        if (addedScope.includes(JwtScopesEnum.TWO_FA_ENABLE)) {
-          throw new BadRequestException(Messages.TWO_FA_REQUIRED);
-        }
-      }
+		try {
+			const jwtSecret = process.env.JWT_SECRET;
+			const data = jwt.verify(token, jwtSecret) as jwt.JwtPayload;
+			const userId = data.id;
 
-      const payload = {
-        sub: userId,
-        email: data.email,
-        exp: data.exp,
-        iat: data.iat,
-      };
-      if (!payload || isObjectEmpty(payload)) {
-        throw new UnauthorizedException('JWT verification failed');
-      }
-      req.decoded = payload;
-      next();
-    } catch (e) {
-      Sentry.captureException(e);
-      if (e instanceof HttpException || e instanceof UnauthorizedException) {
-        throw e;
-      }
-      throw new InternalServerErrorException(Messages.AUTHORIZATION_REJECTED);
-    }
-  }
+			if (!userId) {
+				throw new UnauthorizedException('JWT verification failed');
+			}
+
+			const userExists = await this.userRepository.findOne({ where: { id: userId } });
+			if (!userExists) {
+				throw new UnauthorizedException('JWT verification failed');
+			}
+
+			if (userExists.suspended) {
+				throw new UnauthorizedException(Messages.ACCOUNT_SUSPENDED);
+			}
+
+			const addedScope: Array<JwtScopesEnum> = data.scope;
+			if (addedScope && addedScope.length > 0) {
+				if (addedScope.includes(JwtScopesEnum.TWO_FA_ENABLE)) {
+					throw new BadRequestException(Messages.TWO_FA_REQUIRED);
+				}
+			}
+
+			const payload = {
+				sub: userId,
+				email: data.email,
+				exp: data.exp,
+				iat: data.iat,
+			};
+			if (!payload || isObjectEmpty(payload)) {
+				throw new UnauthorizedException('JWT verification failed');
+			}
+			req.decoded = payload;
+			next();
+		} catch (e) {
+			Sentry.captureException(e);
+			if (e instanceof HttpException || e instanceof UnauthorizedException) {
+				throw e;
+			}
+			throw new InternalServerErrorException(Messages.AUTHORIZATION_REJECTED);
+		}
+	}
 }

backend/src/exceptions/text/messages.ts

@@ -13,6 +13,7 @@ import { TableActionMethodEnum } from '../../enums/table-action-method-enum.js';
 import { enumToString } from '../../helpers/enum-to-string.js';
 import { toPrettyErrorsMsg } from '../../helpers/index.js';
 export const Messages = {
+	API_KEY_SUSPENDED: 'API key is suspended',
 	AI_REQUESTS_NOT_ALLOWED: 'AI requests are not allowed for this connection',
 	AI_THREAD_NOT_FOUND: 'Thread with specified parameters not found',
 	ACCOUNT_SUSPENDED:

backend/test/ava-tests/non-saas-tests/non-saas-company-info-e2e.test.ts

@@ -658,5 +658,5 @@ test.serial(`${currentTest} should delete company`, async (t) => {
     .set('Cookie', adminUserToken)
     .set('Accept', 'application/json');
 
-  t.is(foundCompanyInfoAfterDelete.status, 403);
+  t.is(foundCompanyInfoAfterDelete.status, 401);
 });

backend/test/ava-tests/non-saas-tests/non-saas-user-e2e.test.ts

@@ -95,7 +95,7 @@ test.serial(`${currentTest} should return user deletion result`, async (t) => {
       .set('Cookie', token)
       .set('Content-Type', 'application/json')
       .set('Accept', 'application/json');
-    t.is(getUserResult.status, 404);
+    t.is(getUserResult.status, 401);
   t.pass();
 });
 

backend/test/ava-tests/saas-tests/company-info-e2e.test.ts

@@ -726,7 +726,7 @@ test.serial(`${currentTest} should delete company`, async (t) => {
     .set('Cookie', adminUserToken)
     .set('Accept', 'application/json');
 
-  t.is(foundCompanyInfoAfterDelete.status, 403);
+  t.is(foundCompanyInfoAfterDelete.status, 401);
 });
 
 currentTest = `PUT company/2fa/:companyId`;
@@ -905,7 +905,7 @@ test.serial(
       .set('Accept', 'application/json');
 
     const findAllConnectionsResponseRO = JSON.parse(findAllConnectionsResponse.text);
-    t.is(findAllConnectionsResponse.status, 403);
+    t.is(findAllConnectionsResponse.status, 401);
     t.is(findAllConnectionsResponseRO.message, Messages.ACCOUNT_SUSPENDED);
   },
 );