Merged PR 139: 認証・認可を宣言的に扱える仕組みを既存処理に適用する

## 概要 [Task1830: 認証・認可を宣言的に扱える仕組みを既存処理に適用する](https://paruru.nds-tyo.co.jp:8443/tfs/ReciproCollection/fa4924a4-d079-4fab-9fb5-a9a11eb205f0/_workitems/edit/1830) - 既存処理について、認証認可をガードで実施するよう以下のAPIに適用しました。 - ユーザー一覧 - GET /users - ユーザー追加 - POST /users/signup/ - 音声ファイルアップロード先取得 - GET /files/audio/upload-location/ - ライセンス注文 - POST /licenses/orders ロールガードのテストで定数を使うように修正 ## レビューポイント - 対応APIの抜け漏れはないか - 対応内容に問題はないか - 付与権限 - トークン内容取得 ## UIの変更 - なし ## 動作確認状況 - ローカルで確認
2023-06-09 08:39:44 +00:00 · 2023-06-09 08:39:44 +00:00 · 1082a48fe9
commit 1082a48fe9
parent 15ee0c2e98
7 changed files with 64 additions and 84 deletions
--- a/dictation_server/src/common/auth/auth.ts
+++ b/dictation_server/src/common/auth/auth.ts
@ -1,11 +0,0 @@
 /**
 * 権限の過不足を確認する
 * @param {string[]}
 * @return {boolean}
 */
 // XXX: deprecated 削除予定
 export const confirmPermission = (authority: string): boolean => {
  console.log(authority);
  return true;
 };
--- a/dictation_server/src/common/guards/role/roleguards.spec.ts
+++ b/dictation_server/src/common/guards/role/roleguards.spec.ts
@ -1,17 +1,18 @@
 import { ADMIN_ROLES, USER_ROLES } from '../../../constants';
 import { RoleGuard } from './roleguards';
 describe('RoleGuard', () => {
  it('1つの許可Roleが設定時、完全に一致するroleを持つ場合、許可される', () => {
-    const guards = RoleGuard.requireds({ roles: ['author'] });
+    const guards = RoleGuard.requireds({ roles: [USER_ROLES.AUTHOR] });
    expect(guards.checkRole('author')).toBeTruthy();
  });
  it('1つの許可Roleが設定時、その許可roleを含むroleを持つ場合、許可される', () => {
-    const guards = RoleGuard.requireds({ roles: ['author'] });
+    const guards = RoleGuard.requireds({ roles: [USER_ROLES.AUTHOR] });
    // 'author admin'が許可リスト(author)に含まれるので許可
    expect(guards.checkRole('author admin')).toBeTruthy();
  });
  it('author OR adminの許可Roleが設定時、その許可roleを含むroleを持つ場合、許可される', () => {
-    const guards = RoleGuard.requireds({ roles: ['author', 'admin'] });
+    const guards = RoleGuard.requireds({ roles: [USER_ROLES.AUTHOR, ADMIN_ROLES.ADMIN] });
    // authorが許可リスト([authorまたはadmin])に含まれるので許可
    expect(guards.checkRole('author')).toBeTruthy();
    // adminが許可リスト([authorまたはadmin])に含まれるので許可
@ -20,19 +21,25 @@ describe('RoleGuard', () => {
    expect(guards.checkRole('author admin')).toBeTruthy();
  });
  it('author OR adminの許可Roleが設定時、その許可roleを含むroleを持たない場合、拒否される', () => {
-    const guards = RoleGuard.requireds({ roles: ['author', 'admin'] });
+    const guards = RoleGuard.requireds({
      roles: [USER_ROLES.AUTHOR, ADMIN_ROLES.ADMIN],
    });
    // typistが許可リスト([authorまたはadmin])に含まれないので拒否
    expect(guards.checkRole('typist')).toBeFalsy();
  });
  it('author AND adminの許可Roleが設定時、その許可roleを含むroleを持つ場合、許可される', () => {
-    const guards = RoleGuard.requireds({ roles: [['author', 'admin']] });
+    const guards = RoleGuard.requireds({
      roles: [[USER_ROLES.AUTHOR, ADMIN_ROLES.ADMIN]],
    });
    // 'author admin'が許可リスト([authorかつadmin])に含まれるので許可
    expect(guards.checkRole('author admin')).toBeTruthy();
    // 'typist author admin'が許可リスト([authorかつadmin])に含まれるので許可
    expect(guards.checkRole('typist author admin')).toBeTruthy();
  });
  it('author AND adminの許可Roleが設定時、その許可roleに合致しないroleを持つ場合、拒否される', () => {
-    const guards = RoleGuard.requireds({ roles: [['author', 'admin']] });
+    const guards = RoleGuard.requireds({
      roles: [[USER_ROLES.AUTHOR, ADMIN_ROLES.ADMIN]],
    });
    // authorが許可リスト([authorかつadmin])に含まれないので拒否
    expect(guards.checkRole('author')).toBeFalsy();
    // adminが許可リスト([authorかつadmin])に含まれないので拒否
@ -42,7 +49,7 @@ describe('RoleGuard', () => {
  });
  it('(author AND admin) OR typistの許可Roleが設定時、その許可roleを含むroleを持つ場合、許可される', () => {
    const guards = RoleGuard.requireds({
-      roles: [['author', 'admin'], 'typist'],
+      roles: [[USER_ROLES.AUTHOR, ADMIN_ROLES.ADMIN], USER_ROLES.TYPIST],
    });
    // typistが許可リスト(typist)に含まれないので許可
    expect(guards.checkRole('typist')).toBeTruthy();
@ -53,7 +60,7 @@ describe('RoleGuard', () => {
  });
  it('(author AND admin) OR typistの許可Roleが設定時、その許可roleを含むroleを持たない場合、拒否される', () => {
    const guards = RoleGuard.requireds({
-      roles: [['author', 'admin'], 'typist'],
+      roles: [[USER_ROLES.AUTHOR, ADMIN_ROLES.ADMIN], USER_ROLES.TYPIST],
    });
    // authorが許可リスト([authorかつadmin])に含まれないので拒否
    expect(guards.checkRole('author')).toBeFalsy();
--- a/dictation_server/src/features/auth/auth.controller.ts
+++ b/dictation_server/src/features/auth/auth.controller.ts
@ -98,9 +98,9 @@ export class AuthController {
  })
  async accessToken(@Req() req): Promise<AccessTokenResponse> {
    const refreshToken = retrieveAuthorizationToken(req);
-    if (refreshToken !== undefined) {
+    if (!refreshToken) {
      throw new HttpException(
-        makeErrorResponse('E009999'),
+        makeErrorResponse('E000107'),
        HttpStatus.UNAUTHORIZED,
      );
    }
--- a/dictation_server/src/features/auth/auth.service.ts
+++ b/dictation_server/src/features/auth/auth.service.ts
@ -145,7 +145,11 @@ export class AuthService {
    const token = verify<RefreshToken>(refreshToken, pubkey);
    if (isVerifyError(token)) {
-      throw new Error(`${token.reason} | ${token.message}`);
+      this.logger.error(`${token.reason} | ${token.message}`);
      throw new HttpException(
        makeErrorResponse('E000101'),
        HttpStatus.UNAUTHORIZED,
      );
    }
    const accessToken = sign<AccessToken>(
--- a/dictation_server/src/features/files/files.controller.ts
+++ b/dictation_server/src/features/files/files.controller.ts
@ -30,6 +30,7 @@ import {
 } from './types/types';
 import { AuthGuard } from '../../common/guards/auth/authguards';
 import { RoleGuard } from '../../common/guards/role/roleguards';
 import { USER_ROLES } from '../../constants';
@ApiTags('files')
@Controller('files')
@ -63,7 +64,7 @@ export class FilesController {
  })
  @ApiBearerAuth()
  @UseGuards(AuthGuard)
-  @UseGuards(RoleGuard.requireds({ roles: ['author'] }))
+  @UseGuards(RoleGuard.requireds({ roles: [USER_ROLES.AUTHOR] }))
  @Post('audio/upload-finished')
  async uploadFinished(
    @Headers('authorization') authorization: string,
@ -134,12 +135,14 @@ export class FilesController {
      'ログイン中ユーザー用のBlob Storage上の音声ファイルのアップロード先アクセスURLを取得します',
  })
  @ApiBearerAuth()
  @UseGuards(AuthGuard)
  @UseGuards(RoleGuard.requireds({ roles: [USER_ROLES.AUTHOR] }))
  async uploadLocation(
    @Headers('authorization') authorization: string,
-    @Query() query: AudioUploadLocationRequest,
+    // クエリパラメータ AudioUploadLocationRequest は空であるため内部で使用しない。
-  ): Promise<AudioUploadLocationResponse> {
+    // 使用しないことを宣言するために先頭にプレフィックス_（アンダースコア）をつけている
-    const {} = query;
+    @Query() _query: AudioUploadLocationRequest,
-    //TODO Guardsで認証するからここではデコードするだけ
+  ): Promise<AudioUploadLocationResponse> { 
    const token = authorization.substring(
      'Bearer '.length,
      authorization.length,
--- a/dictation_server/src/features/licenses/licenses.controller.ts
+++ b/dictation_server/src/features/licenses/licenses.controller.ts
@ -8,21 +8,22 @@ import {
  UseGuards,
 } from '@nestjs/common';
 import {
  ApiBearerAuth,
  ApiOperation,
  ApiResponse,
-  ApiTags,
+  ApiTags,  
  ApiOperation,
  ApiBearerAuth,
 } from '@nestjs/swagger';
 import { Request } from 'express';
 import { decode } from 'jsonwebtoken';
 import { makeErrorResponse } from '../../common/error/makeErrorResponse';
 import { ErrorResponse } from '../../common/error/types/types';
-import { AuthGuard } from '../../common/guards/auth/authguards';
+import { LicensesService } from './licenses.service';
-import { RoleGuard } from '../../common/guards/role/roleguards';
+import { CreateOrdersResponse, CreateOrdersRequest } from './types/types';
 import { Request } from 'express';
 import { retrieveAuthorizationToken } from '../../common/http/helper';
 import { AccessToken } from '../../common/token';
-import { LicensesService } from './licenses.service';
+import { AuthGuard } from '../../common/guards/auth/authguards';
-import { CreateOrdersRequest, CreateOrdersResponse } from './types/types';
+import { RoleGuard } from '../../common/guards/role/roleguards';
 import { ADMIN_ROLES } from '../../constants';
 import jwt from 'jsonwebtoken';
@ApiTags('licenses')
@Controller('licenses')
@ -51,7 +52,7 @@ export class LicensesController {
  @ApiOperation({ operationId: 'createOrders' })
  @ApiBearerAuth()
  @UseGuards(AuthGuard)
-  @UseGuards(RoleGuard.requireds({ roles: ['admin', 'author'] }))
+  @UseGuards(RoleGuard.requireds({ roles: [ADMIN_ROLES.ADMIN] }))
  @Post('/orders')
  async createOrders(
    @Req() req: Request,
@ -60,22 +61,13 @@ export class LicensesController {
    console.log(req.header('Authorization'));
    console.log(body);
    // AuthGuardでチェック済みなのでここでのアクセストークンチェックはしない
    const accessToken = retrieveAuthorizationToken(req);
-
+    const payload = jwt.decode(accessToken, { json: true }) as AccessToken;
    //アクセストークンが存在しない場合のエラー
    if (accessToken == undefined) {
      throw new HttpException(
        makeErrorResponse('E000107'),
        HttpStatus.UNAUTHORIZED,
      );
    }
    const decodedToken = decode(accessToken, {
      json: true,
    }) as AccessToken;
    // ライセンス注文処理
    await this.licensesService.licenseOrders(
-      decodedToken,
+      payload,
      body.poNumber,
      body.orderCount,
    );
--- a/dictation_server/src/features/users/users.controller.ts
+++ b/dictation_server/src/features/users/users.controller.ts
@ -16,30 +16,31 @@ import {
  ApiTags,
 } from '@nestjs/swagger';
 import { Request } from 'express';
 import { decode } from 'jsonwebtoken';
 import { makeErrorResponse } from '../../common/error/makeErrorResponse';
 import { ErrorResponse } from '../../common/error/types/types';
 import { AuthGuard } from '../../common/guards/auth/authguards';
 import { RoleGuard } from '../../common/guards/role/roleguards';
 import { retrieveAuthorizationToken } from '../../common/http/helper';
 import { AccessToken } from '../../common/token';
 import {
  isSortDirection,
  isTaskListSortableAttribute,
 } from '../../common/types/sort';
 import {
  ConfirmRequest,
  ConfirmResponse,
  GetRelationsResponse,
  GetSortCriteriaRequest,
  GetSortCriteriaResponse,
  GetUsersResponse,
  PostSortCriteriaRequest,
  PostSortCriteriaResponse,
  SignupRequest,
  SignupResponse,
  PostSortCriteriaRequest,
  PostSortCriteriaResponse,
  GetSortCriteriaRequest,
  GetSortCriteriaResponse,
 } from './types/types';
 import { UsersService } from './users.service';
 import jwt from 'jsonwebtoken';
 import { AuthGuard } from '../../common/guards/auth/authguards';
 import {
  isSortDirection,
  isTaskListSortableAttribute,
 } from '../../common/types/sort';
 import { ADMIN_ROLES } from '../../constants';
 import { RoleGuard } from '../../common/guards/role/roleguards';
@ApiTags('users')
@Controller('users')
@ -111,21 +112,13 @@ export class UsersController {
  @ApiOperation({ operationId: 'getUsers' })
  @ApiBearerAuth()
  @UseGuards(AuthGuard)
-  @UseGuards(RoleGuard.requireds({ roles: ['admin', 'author'] }))
+  @UseGuards(RoleGuard.requireds({ roles: [ADMIN_ROLES.ADMIN] }))
  @Get()
  async getUsers(@Req() req: Request): Promise<GetUsersResponse> {
    console.log(req.header('Authorization'));
    const accessToken = retrieveAuthorizationToken(req);
-
+    const decodedToken = jwt.decode(accessToken, { json: true }) as AccessToken;
    // アクセストークンが存在しない場合のエラー
    if (accessToken == undefined) {
      throw new HttpException(
        makeErrorResponse('E000107'),
        HttpStatus.UNAUTHORIZED,
      );
    }
    const decodedToken = decode(accessToken, { json: true }) as AccessToken;
    const users = await this.usersService.getUsers(decodedToken);
    return { users };
@ -153,9 +146,9 @@ export class UsersController {
  })
  @ApiOperation({ operationId: 'signup' })
  @ApiBearerAuth()
  @UseGuards(AuthGuard)
  @UseGuards(RoleGuard.requireds({ roles: ['admin', 'author'] }))
  @Post('/signup')
  @UseGuards(AuthGuard)
  @UseGuards(RoleGuard.requireds({ roles: [ADMIN_ROLES.ADMIN] }))
  async signup(
    @Req() req: Request,
    @Body() body: SignupRequest,
@ -172,19 +165,11 @@ export class UsersController {
    } = body;
    const accessToken = retrieveAuthorizationToken(req);
-    // アクセストークンが存在しない場合のエラー
+    const payload = jwt.decode(accessToken, { json: true }) as AccessToken;
    if (accessToken == undefined) {
      throw new HttpException(
        makeErrorResponse('E000107'),
        HttpStatus.UNAUTHORIZED,
      );
    }
    const decodedToken = decode(accessToken, { json: true }) as AccessToken;
    //ユーザ作成処理
    await this.usersService.createUser(
-      decodedToken,
+      payload,
      name,
      role,
      email,
@ -276,7 +261,7 @@ export class UsersController {
  ): Promise<PostSortCriteriaResponse> {
    const { direction, paramName } = body;
    const accessToken = retrieveAuthorizationToken(req);
-    const decodedToken = decode(accessToken, { json: true }) as AccessToken;
+    const decodedToken = jwt.decode(accessToken, { json: true }) as AccessToken;
    //型チェック
    if (
@ -324,7 +309,7 @@ export class UsersController {
  ): Promise<GetSortCriteriaResponse> {
    const {} = query;
    const accessToken = retrieveAuthorizationToken(req);
-    const decodedToken = decode(accessToken, { json: true }) as AccessToken;
+    const decodedToken = jwt.decode(accessToken, { json: true }) as AccessToken;
    const { direction, paramName } = await this.usersService.getSortCriteria(
      decodedToken,