Merge pull request #7 from getlarge/feat-enable-custom-unauthorized-error-in-guards

feat: enable custom unauthorized error in guards

Author: getlarge

.github/workflows/ci.yaml

@@ -53,6 +53,13 @@ jobs:
       # requires kratos and keto to be running
       - run: npx nx affected -t lint,test,build --parallel=3
 
+      - uses: actions/upload-artifact@v4
+        with:
+          name: coverage
+          path: coverage
+          overwrite: true
+          retention-days: 1
+
   sonarcloud:
     name: SonarCloud
     runs-on: ubuntu-latest
@@ -66,6 +73,11 @@ jobs:
       - uses: martinbeentjes/[email protected]
         id: package-version
 
+      - uses: actions/download-artifact@v4
+        with:
+          name: coverage
+          path: coverage
+
       - name: SonarCloud Scan
         uses: SonarSource/sonarcloud-github-action@master
         env:

jest.preset.js

@@ -1,3 +1,3 @@
 const nxPreset = require('@nx/jest/preset').default;
 
-module.exports = { ...nxPreset };
+module.exports = { ...nxPreset, coverageReporters: ['json', 'lcov'] };

packages/base-client-wrapper/project.json

@@ -30,7 +30,8 @@
       "executor": "@nx/jest:jest",
       "outputs": ["{workspaceRoot}/coverage/{projectRoot}"],
       "options": {
-        "jestConfig": "packages/base-client-wrapper/jest.config.ts"
+        "jestConfig": "packages/base-client-wrapper/jest.config.ts",
+        "codeCoverage": true
       }
     }
   },

packages/keto-client-wrapper/project.json

@@ -36,7 +36,8 @@
       "executor": "@nx/jest:jest",
       "outputs": ["{workspaceRoot}/coverage/{projectRoot}"],
       "options": {
-        "jestConfig": "packages/keto-client-wrapper/jest.config.ts"
+        "jestConfig": "packages/keto-client-wrapper/jest.config.ts",
+        "codeCoverage": true
       }
     },
     "docker-push": {

packages/keto-client-wrapper/src/lib/ory-authorization.guard.ts

@@ -5,6 +5,7 @@ import {
 import {
   CanActivate,
   ExecutionContext,
+  ForbiddenException,
   Injectable,
   mixin,
   Type,
@@ -17,10 +18,17 @@ import { OryPermissionsService } from './ory-permissions';
 export interface OryAuthorizationGuardOptions {
   errorFactory?: (error: Error) => Error;
   postCheck?: (relationTuple: RelationTuple, isPermitted: boolean) => void;
+  unauthorizedFactory: (ctx: ExecutionContext, error: unknown) => Error;
 }
 
+const defaultOptions: OryAuthorizationGuardOptions = {
+  unauthorizedFactory: () => {
+    return new ForbiddenException();
+  },
+};
+
 export const OryAuthorizationGuard = (
-  options: OryAuthorizationGuardOptions = {}
+  options: Partial<OryAuthorizationGuardOptions> = {}
 ): Type<CanActivate> => {
   @Injectable()
   class AuthorizationGuard implements CanActivate {
@@ -35,22 +43,31 @@ export const OryAuthorizationGuard = (
       if (!factories?.length) {
         return true;
       }
+      const { postCheck, unauthorizedFactory } = {
+        ...defaultOptions,
+        ...options,
+      };
       for (const { relationTupleFactory } of factories) {
         const relationTuple = relationTupleFactory(context);
         const result = createPermissionCheckQuery(relationTuple);
         if (result.hasError()) {
-          if (options.errorFactory) {
-            throw options.errorFactory(result.error);
-          }
-          return false;
+          throw unauthorizedFactory(context, result.error);
+        }
+        let isPermitted = false;
+        try {
+          const { data } = await this.oryService.checkPermission(result.value);
+          isPermitted = data.allowed;
+        } catch (error) {
+          throw unauthorizedFactory(context, error);
         }
-        const { data } = await this.oryService.checkPermission(result.value);
-        const isPermitted = data.allowed;
-        if (options.postCheck) {
-          options.postCheck(relationTuple, isPermitted);
+        if (postCheck) {
+          postCheck(relationTuple, isPermitted);
         }
         if (!isPermitted) {
-          return false;
+          throw unauthorizedFactory(
+            context,
+            new Error(`Unauthorized access for ${relationTuple.toString()}`)
+          );
         }
       }
       return true;

packages/keto-client-wrapper/test/keto-client-wrapper.spec.ts

@@ -111,8 +111,7 @@ describe('Keto client wrapper E2E', () => {
         'x-current-user-id': subjectObject,
       });
     expect(body).toEqual({
-      error: 'Forbidden',
-      message: 'Forbidden resource',
+      message: 'Forbidden',
       statusCode: 403,
     });
   });

packages/keto-relations-parser/project.json

@@ -35,7 +35,8 @@
       "executor": "@nx/jest:jest",
       "outputs": ["{workspaceRoot}/coverage/{projectRoot}"],
       "options": {
-        "jestConfig": "packages/keto-relations-parser/jest.config.ts"
+        "jestConfig": "packages/keto-relations-parser/jest.config.ts",
+        "codeCoverage": true
       }
     }
   },

packages/keto-relations-parser/src/lib/relation-tuple-parser.ts

@@ -2,7 +2,7 @@ import { error, Result, value } from 'defekt';
 
 import { RelationTupleSyntaxError } from './errors/relation-tuple-syntax.error';
 import { UnknownError } from './errors/unknown.error';
-import { RelationTuple } from './relation-tuple';
+import { type IRelationTuple, RelationTuple } from './relation-tuple';
 
 type Namespace = string;
 type TupleObject = string;
@@ -102,12 +102,7 @@ export function parseRelationTuple(
   ] = match.map((str) => str?.trim() ?? '');
 
   try {
-    const result: RelationTuple = {
-      namespace: namespace,
-      object: object,
-      relation: relation,
-      subjectIdOrSet: '',
-    };
+    const result = new RelationTuple(namespace, object, relation, '');
 
     if (subjectRelation) {
       result.subjectIdOrSet = {
@@ -142,7 +137,7 @@ export function parseRelationTuple(
  * @returns
  */
 export const relationTupleToString = (
-  tuple: Partial<RelationTuple>
+  tuple: Partial<IRelationTuple>
 ): RelationTupleString => {
   const base: `${string}:${string}#${string}` = `${tuple.namespace}:${tuple.object}#${tuple.relation}`;
   if (!tuple.subjectIdOrSet) {

packages/kratos-client-wrapper/project.json

@@ -43,7 +43,8 @@
       "executor": "@nx/jest:jest",
       "outputs": ["{workspaceRoot}/coverage/{projectRoot}"],
       "options": {
-        "jestConfig": "packages/kratos-client-wrapper/jest.config.ts"
+        "jestConfig": "packages/kratos-client-wrapper/jest.config.ts",
+        "codeCoverage": true
       }
     },
     "docker-push": {

packages/kratos-client-wrapper/src/lib/ory-authentication.guard.ts

@@ -2,9 +2,9 @@ import {
   CanActivate,
   ExecutionContext,
   Injectable,
-  Logger,
   mixin,
   Type,
+  UnauthorizedException,
 } from '@nestjs/common';
 import type { Session } from '@ory/client';
 
@@ -18,6 +18,7 @@ export interface OryAuthenticationGuardOptions {
     ctx: ExecutionContext,
     session: Session
   ) => void | Promise<void>;
+  unauthorizedFactory: (ctx: ExecutionContext, error: unknown) => Error;
 }
 
 const defaultOptions: OryAuthenticationGuardOptions = {
@@ -30,15 +31,16 @@ const defaultOptions: OryAuthenticationGuardOptions = {
       .getRequest()
       ?.headers?.authorization?.replace('Bearer ', ''),
   cookieResolver: (ctx) => ctx.switchToHttp().getRequest()?.headers?.cookie,
+  unauthorizedFactory() {
+    return new UnauthorizedException();
+  },
 };
 
 export const OryAuthenticationGuard = (
   options: Partial<OryAuthenticationGuardOptions> = defaultOptions
 ): Type<CanActivate> => {
   @Injectable()
   class AuthenticationGuard implements CanActivate {
-    readonly logger = new Logger(AuthenticationGuard.name);
-
     constructor(readonly oryService: OryFrontendService) {}
 
     async canActivate(context: ExecutionContext): Promise<boolean> {
@@ -47,29 +49,32 @@ export const OryAuthenticationGuard = (
         sessionTokenResolver,
         isValidSession,
         postValidationHook,
+        unauthorizedFactory,
       } = {
         ...defaultOptions,
         ...options,
       };
 
+      let session: Session;
       try {
         const cookie = cookieResolver(context);
         const xSessionToken = sessionTokenResolver(context);
-        const { data: session } = await this.oryService.toSession({
+        const { data } = await this.oryService.toSession({
           cookie,
           xSessionToken,
         });
-        if (!isValidSession(session)) {
-          return false;
-        }
-        if (typeof postValidationHook === 'function') {
-          await postValidationHook(context, session);
-        }
-        return true;
+        session = data;
       } catch (error) {
-        this.logger.error(error);
-        return false;
+        throw unauthorizedFactory(context, error);
+      }
+
+      if (!isValidSession(session)) {
+        throw unauthorizedFactory(context, new Error('Invalid session'));
+      }
+      if (typeof postValidationHook === 'function') {
+        await postValidationHook(context, session);
       }
+      return true;
     }
   }
   return mixin(AuthenticationGuard);