Merge pull request #16 from CS3219-AY2526Sem1/ncduy0303/add-colab-service-auth

feat(collab-service): add authorization & integrate question service

Author: ncduy0303

backend/collaboration-service/.env.example

@@ -0,0 +1,2 @@
+# Should match the JWT_SECRET used in user-service
+JWT_SECRET=your-jwt-secret-here

backend/collaboration-service/package.json

@@ -17,6 +17,7 @@
     "@y/websocket-server": "^0.1.1",
     "cors": "^2.8.5",
     "express": "^5.1.0",
+    "jsonwebtoken": "^9.0.2",
     "kafkajs": "^2.2.4",
     "mongoose": "^8.19.1",
     "uuid": "^13.0.0",

backend/collaboration-service/src/config.js

@@ -3,13 +3,24 @@ export const config = {
   WS_PORT: process.env.WS_PORT || 8005,
   HTTP_PORT: process.env.HTTP_PORT || 8004,
   // Database
-  MONGO_URI: process.env.MONGODB_URI || "mongodb://admin:password@localhost:27017/peerprepCollabService?authSource=admin",
+  MONGO_URI:
+    process.env.MONGODB_URI ||
+    "mongodb://admin:password@localhost:27017/peerprepCollabService?authSource=admin",
   // Room Management
   ROOM_TIMEOUT_MINUTES: parseInt(process.env.ROOM_TIMEOUT_MINUTES) || 10,
   // Yjs MongoDB Provider Persistence Settings
   PERSISTENCE_CONFIG: {
     multipleCollections: true, // each document gets an own collection in the database
   },
+  // JWT Token (Should match the user-service JWT secret)
+  JWT_SECRET: process.env.JWT_SECRET || "your-jwt-secret-here",
+  // WebSocket Close Codes
+  WS_CLOSE_CODES: {
+    AUTH_FAILED: 4000, // Invalid/missing token
+    UNAUTHORIZED: 4001, // User not in room
+    ROOM_NOT_FOUND: 4002, // Room doesn't exist
+    ROOM_INACTIVE: 4003, // Room is closed
+  },
 };
 
 export default config;

backend/collaboration-service/src/http/httpServer.js

@@ -16,7 +16,12 @@ class HttpServer {
    * Set up Express middleware
    */
   setupMiddleware() {
-    this.app.use(cors());
+    this.app.use(
+      cors({
+        origin: process.env.WEB_BASE_URL,
+        credentials: true,
+      }),
+    );
     this.app.use(express.json());
   }
 

backend/collaboration-service/src/http/roomRoutes.js

@@ -1,128 +1,179 @@
 import express from "express";
 import roomController from "../controllers/roomController.js";
+import { authenticateHttp } from "../middleware/auth.js";
 
 const router = express.Router();
 
 /**
  * POST /api/v1/rooms
  * Create a new room
+ * @deprecated This route is disabled since room creation is now handled by matching service through Kafka
  */
-router.post("/", async (req, res) => {
-  try {
-    const { questionId, userIds, programmingLanguage } = req.body;
-    
-    if (!userIds || !Array.isArray(userIds) || userIds.length === 0) {
-      return res.status(400).json({
-        success: false,
-        error: "userIds is required and must be a non-empty array",
-      });
-    }
-    
-    const room = await roomController.create(null, questionId, userIds, programmingLanguage);
-    res.json({
-      success: true,
-      room,
-    });
-  } catch (error) {
-    console.error("Failed to create room:", error);
-    res.status(500).json({
-      success: false,
-      error: error.message,
-    });
-  }
-});
+// router.post("/", async (req, res) => {
+//   try {
+//     const { questionId, userIds, programmingLanguage } = req.body;
+
+//     if (!userIds || !Array.isArray(userIds) || userIds.length === 0) {
+//       return res.status(400).json({
+//         success: false,
+//         error: "userIds is required and must be a non-empty array",
+//       });
+//     }
+
+//     const room = await roomController.create(null, questionId, userIds, programmingLanguage);
+//     res.json({
+//       success: true,
+//       room,
+//     });
+//   } catch (error) {
+//     console.error("Failed to create room:", error);
+//     res.status(500).json({
+//       success: false,
+//       error: error.message,
+//     });
+//   }
+// });
 
 /**
  * GET /api/v1/rooms/:roomId
  * Get room information and document content
+ * Requires authentication and authorization (user must be in room)
  */
-router.get("/:roomId", async (req, res) => {
+router.get("/:roomId", authenticateHttp, async (req, res) => {
   try {
     const { roomId } = req.params;
+    const userId = req.userId; // Set by authenticateHttp middleware
+
     const room = await roomController.get(roomId);
-    if (room) {
-      const documentContent = await roomController.getDocumentContent(roomId);
-      res.json({
-        success: true,
-        room: room,
-        document: {
-          content: documentContent,
-        },
-      });
-    } else {
-      res.status(404).json({
+
+    // Check if room exists
+    if (!room) {
+      return res.status(404).json({
         success: false,
         error: "Room not found",
       });
     }
-  } catch (error) {
-    console.error("Failed to get room:", error);
-    res.status(500).json({
-      success: false,
-      error: error.message,
-    });
-  }
-});
 
-/**
- * PATCH /api/v1/rooms/:roomId/close
- * Close (stop) a room for collaboration
- */
-router.patch("/:roomId/close", async (req, res) => {
-  try {
-    const { roomId } = req.params;
-    const room = await roomController.get(roomId);
-    if (!room) {
+    // Check if user is authorized (part of the room)
+    if (!room.userIds.includes(userId)) {
+      // Return 404 to maintain privacy (don't reveal room exists)
       return res.status(404).json({
         success: false,
         error: "Room not found",
       });
-    } else if (!room.isActive) {
-      return res.status(400).json({
-        success: false,
-        error: "Room is already closed",
-      });
     }
-    await roomController.closeRoom(roomId);
+
+    const documentContent = await roomController.getDocumentContent(roomId);
     res.json({
       success: true,
-      message: "Room closed successfully. All clients have been notified.",
+      room: room,
+      document: {
+        content: documentContent,
+      },
     });
   } catch (error) {
-    console.error("Failed to close room:", error);
+    console.error("Failed to get room:", error);
     res.status(500).json({
       success: false,
       error: error.message,
     });
   }
 });
 
+/**
+ * PATCH /api/v1/rooms/:roomId/close
+ * Close (stop) a room for collaboration
+ * Requires authentication and authorization (user must be in room)
+ * @deprecated This route is disabled since room closing is automated by collaboration service
+ *             when no users are left in the room for a certain period
+ */
+// router.patch("/:roomId/close", authenticateHttp, async (req, res) => {
+//   try {
+//     const { roomId } = req.params;
+//     const userId = req.userId; // Set by authenticateHttp middleware
+
+//     const room = await roomController.get(roomId);
+
+//     // Check if room exists
+//     if (!room) {
+//       return res.status(404).json({
+//         success: false,
+//         error: "Room not found",
+//       });
+//     }
+
+//     // Check if user is authorized (part of the room)
+//     if (!room.userIds.includes(userId)) {
+//       return res.status(404).json({
+//         success: false,
+//         error: "Room not found",
+//       });
+//     }
+
+//     if (!room.isActive) {
+//       return res.status(400).json({
+//         success: false,
+//         error: "Room is already closed",
+//       });
+//     }
+
+//     await roomController.closeRoom(roomId);
+//     res.json({
+//       success: true,
+//       message: "Room closed successfully. All clients have been notified.",
+//     });
+//   } catch (error) {
+//     console.error("Failed to close room:", error);
+//     res.status(500).json({
+//       success: false,
+//       error: error.message,
+//     });
+//   }
+// });
+
 /**
  * PATCH /api/v1/rooms/:roomId/language
  * Set programming language for a room
+ * Requires authentication and authorization (user must be in room)
  */
-router.patch("/:roomId/language", async (req, res) => {
+router.patch("/:roomId/language", authenticateHttp, async (req, res) => {
   try {
     const { roomId } = req.params;
     const { language } = req.body;
+    const userId = req.userId; // Set by authenticateHttp middleware
+
     if (!language) {
       return res.status(400).json({
         success: false,
         error: "Programming language is required",
       });
     }
+
     const room = await roomController.get(roomId);
+
+    // Check if room exists
     if (!room) {
       return res.status(404).json({
         success: false,
         error: "Room not found",
       });
-    } else if (!room.isActive) {
+    }
+
+    // Check if user is authorized (part of the room)
+    if (!room.userIds.includes(userId)) {
+      return res.status(404).json({
+        success: false,
+        error: "Room not found",
+      });
+    }
+
+    if (!room.isActive) {
       return res.status(400).json({
         success: false,
         error: "Cannot set language for a closed room",
       });
     }
+
     await roomController.setProgrammingLanguage(roomId, language);
     res.json({
       success: true,

backend/collaboration-service/src/middleware/auth.js

@@ -0,0 +1,76 @@
+import jwt from "jsonwebtoken";
+import { URL } from "url";
+
+/**
+ * Middleware to authenticate WebSocket connections using JWT
+ * Extracts userId from JWT and returns it as part of the result
+ */
+export const authenticateWebSocket = async (req) => {
+  try {
+    // Try to extract token from query parameter
+    const url = new URL(req.url, `http://${req.headers.host}`);
+    const token = url.searchParams.get("token");
+
+    if (!token) {
+      return {
+        success: false,
+        error: "Missing authentication token",
+      };
+    }
+
+    // Verify the JWT
+    const decoded = jwt.verify(token, process.env.JWT_SECRET);
+
+    return {
+      success: true,
+      userId: decoded.username,
+    };
+  } catch (err) {
+    return {
+      success: false,
+      error: err.message,
+    };
+  }
+};
+
+/**
+ * Middleware to authenticate HTTP requests using JWT
+ * Extracts userId from JWT and attaches it to req.userId
+ */
+export const authenticateHttp = async (req, res, next) => {
+  try {
+    const authHeader = req.get("authorization");
+
+    if (!authHeader) {
+      return res.status(401).json({
+        success: false,
+        error: "Missing Authorization header",
+      });
+    }
+
+    // Expected format: "Bearer <token>"
+    const [scheme, token] = authHeader.split(" ");
+
+    if (scheme !== "Bearer" || !token) {
+      return res.status(401).json({
+        success: false,
+        error: "Invalid Authorization header format",
+      });
+    }
+
+    // Verify the JWT
+    const decoded = jwt.verify(token, process.env.JWT_SECRET);
+
+    // Attach user ID to request
+    req.userId = decoded.username;
+
+    next();
+  } catch (err) {
+    return res.status(401).json({
+      success: false,
+      error: err.message,
+    });
+  }
+};
+
+export default { authenticateWebSocket, authenticateHttp };