nik/OMDSCloud
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
OMDSCloud/dictation_server/src/features/auth/auth.controller.ts
maruyama.t 35923f84e2 Merged PR 576: dev環境不具合修正 
## 概要
[Task3046: dev環境不具合修正](https://paruru.nds-tyo.co.jp:8443/tfs/ReciproCollection/fa4924a4-d079-4fab-9fb5-a9a11eb205f0/_workitems/edit/3046)

- 元PBI or タスクへのリンク(内容・目的などはそちらにあるはず)
- 何をどう変更したか、追加したライブラリなど
- このPull Requestでの対象/対象外
- 影響範囲(他の機能にも影響があるか)

## レビューポイント
- 特にレビューしてほしい箇所
- 軽微なものや自明なものは記載不要
- 修正範囲が大きい場合などに記載
- 全体的にや仕様を満たしているか等は本当に必要な時のみ記載

## UIの変更
- Before/Afterのスクショなど
- スクショ置き場

## 動作確認状況
- ローカルで確認、develop環境で確認など

## 補足
- 相談、参考資料などがあれば
2023-11-13 06:01:49 +00:00

286 lines
8.0 KiB
TypeScript
Raw Blame History

import {
Body,
Controller,
HttpException,
HttpStatus,
Post,
Req,
UseGuards,
} from '@nestjs/common';
import {
ApiResponse,
ApiOperation,
ApiBearerAuth,
ApiTags,
} from '@nestjs/swagger';
import { makeErrorResponse } from '../../common/error/makeErrorResponse';
import { ErrorResponse } from '../../common/error/types/types';
import { AuthService } from './auth.service';
import {
AccessTokenResponse,
TokenRequest,
TokenResponse,
DelegationTokenRequest,
DelegationTokenResponse,
DelegationAccessTokenResponse,
} from './types/types';
import { retrieveAuthorizationToken } from '../../common/http/helper';
import { makeContext } from '../../common/log';
import { v4 as uuidv4 } from 'uuid';
import { Request } from 'express';
import { AuthGuard } from '../../common/guards/auth/authguards';
import { RoleGuard } from '../../common/guards/role/roleguards';
import { ADMIN_ROLES, TIERS } from '../../constants';
import jwt from 'jsonwebtoken';
import { AccessToken, RefreshToken } from '../../common/token';
import { makeIDTokenKey } from '../../common/cache';
import { RedisService } from '../../gateways/redis/redis.service';
@ApiTags('auth')
@Controller('auth')
export class AuthController {
constructor(
// TODO「タスク 1828: IDトークンを一度しか使えないようにする」で使用する予定
// private readonly redisService: RedisService,
private readonly authService: AuthService,
private readonly redisService: RedisService,
) {}
@Post('token')
@ApiResponse({
status: HttpStatus.OK,
type: TokenResponse,
description: '成功時のレスポンス',
})
@ApiResponse({
status: HttpStatus.UNAUTHORIZED,
description: '認証エラー/同意済み利用規約が最新でない場合',
type: ErrorResponse,
})
@ApiResponse({
status: HttpStatus.INTERNAL_SERVER_ERROR,
description: '想定外のサーバーエラー',
type: ErrorResponse,
})
@ApiOperation({
description:
'AzureADB2Cでのサインイン後に払いだされるIDトークンを元に認証用のアクセストークンとリフレッシュトークンを生成します',
operationId: 'token',
})
async token(@Body() body: TokenRequest): Promise<TokenResponse> {
const idToken = await this.authService.getVerifiedIdToken(body.idToken);
const isVerified = await this.authService.isVerifiedUser(idToken);
if (!isVerified) {
throw new HttpException(
makeErrorResponse('E010201'),
HttpStatus.BAD_REQUEST,
);
}
const context = makeContext(uuidv4());
const key = makeIDTokenKey(body.idToken);
const isTokenExists = await this.redisService.get<boolean>(key);
if (!isTokenExists) {
// IDトークンがキャッシュに存在しない場合(idTokenの有効期限をADB2Cの有効期限と合わせる(300秒))
await this.redisService.set(key, true, 300);
} else {
// IDトークンがキャッシュに存在する場合エラー
throw new HttpException(
makeErrorResponse('E000106'),
HttpStatus.UNAUTHORIZED,
);
}
// 同意済み利用規約バージョンが最新かチェック
const isAcceptedLatestVersion =
await this.authService.isAcceptedLatestVersion(context, idToken);
// 最新でなければエラー
if (!isAcceptedLatestVersion) {
throw new HttpException(
makeErrorResponse('E010209'),
HttpStatus.UNAUTHORIZED,
);
}
const refreshToken = await this.authService.generateRefreshToken(
context,
idToken,
body.type,
);
const accessToken = await this.authService.generateAccessToken(
context,
refreshToken,
);
return {
accessToken,
refreshToken,
};
}
@Post('accessToken')
@ApiBearerAuth()
@ApiResponse({
status: HttpStatus.OK,
type: AccessTokenResponse,
description: '成功時のレスポンス',
})
@ApiResponse({
status: HttpStatus.UNAUTHORIZED,
description: '認証エラー',
type: ErrorResponse,
})
@ApiResponse({
status: HttpStatus.INTERNAL_SERVER_ERROR,
description: '想定外のサーバーエラー',
type: ErrorResponse,
})
@ApiOperation({
operationId: 'accessToken',
description: 'リフレッシュトークンを元にアクセストークンを再生成します',
})
async accessToken(@Req() req: Request): Promise<AccessTokenResponse> {
const refreshToken = retrieveAuthorizationToken(req);
if (!refreshToken) {
throw new HttpException(
makeErrorResponse('E000107'),
HttpStatus.UNAUTHORIZED,
);
}
const context = makeContext(uuidv4());
const accessToken = await this.authService.generateAccessToken(
context,
refreshToken,
);
return { accessToken };
}
@Post('delegation/token')
@ApiBearerAuth()
@ApiResponse({
status: HttpStatus.OK,
type: DelegationTokenResponse,
description: '成功時のレスポンス',
})
@ApiResponse({
status: HttpStatus.UNAUTHORIZED,
description: '認証エラー',
type: ErrorResponse,
})
@ApiResponse({
status: HttpStatus.BAD_REQUEST,
description: '指定したアカウントが代行操作を許可していない場合',
type: ErrorResponse,
})
@ApiResponse({
status: HttpStatus.INTERNAL_SERVER_ERROR,
description: '想定外のサーバーエラー',
type: ErrorResponse,
})
@ApiOperation({
operationId: 'delegationToken',
description:
'代行操作用のリフレッシュトークン・アクセストークンを生成します',
})
@UseGuards(AuthGuard)
@UseGuards(
RoleGuard.requireds({
roles: [ADMIN_ROLES.ADMIN],
tiers: [TIERS.TIER4],
}),
)
async delegationToken(
@Req() req: Request,
@Body() body: DelegationTokenRequest,
): Promise<DelegationTokenResponse> {
const { delegatedAccountId } = body;
const token = retrieveAuthorizationToken(req);
if (!token) {
throw new HttpException(
makeErrorResponse('E000107'),
HttpStatus.UNAUTHORIZED,
);
}
const decodedAccessToken = jwt.decode(token, { json: true });
if (!decodedAccessToken) {
throw new HttpException(
makeErrorResponse('E000101'),
HttpStatus.UNAUTHORIZED,
);
}
const { userId } = decodedAccessToken as AccessToken;
const context = makeContext(userId);
const refreshToken = await this.authService.generateDelegationRefreshToken(
context,
userId,
delegatedAccountId,
);
const accessToken = await this.authService.generateDelegationAccessToken(
context,
refreshToken,
);
return { accessToken, refreshToken };
}
@Post('delegation/access-token')
@ApiBearerAuth()
@ApiResponse({
status: HttpStatus.OK,
type: DelegationAccessTokenResponse,
description: '成功時のレスポンス',
})
@ApiResponse({
status: HttpStatus.UNAUTHORIZED,
description: '認証エラー',
type: ErrorResponse,
})
@ApiResponse({
status: HttpStatus.INTERNAL_SERVER_ERROR,
description: '想定外のサーバーエラー',
type: ErrorResponse,
})
@ApiOperation({
operationId: 'delegationAccessToken',
description: '代行操作用のアクセストークンを再生成します',
})
async delegationAccessToken(
@Req() req: Request,
): Promise<DelegationAccessTokenResponse> {
const refreshToken = retrieveAuthorizationToken(req);
if (!refreshToken) {
throw new HttpException(
makeErrorResponse('E000107'),
HttpStatus.UNAUTHORIZED,
);
}
const decodedRefreshToken = jwt.decode(refreshToken, { json: true });
if (!decodedRefreshToken) {
throw new HttpException(
makeErrorResponse('E000101'),
HttpStatus.UNAUTHORIZED,
);
}
const { userId, delegateUserId } = decodedRefreshToken as RefreshToken;
const context = makeContext(userId);
const accessToken = await this.authService.updateDelegationAccessToken(
context,
delegateUserId,
userId,
refreshToken,
);
return { accessToken };
}
}
Reference in New Issue View Git Blame Copy Permalink