251206:1710 specs: frontend plan P1,P3 wait Verification

2025-12-06 17:10:56 +07:00
parent be3b71007a
commit 5c49bac772
40 changed files with 977 additions and 244 deletions
--- a/backend/src/common/auth/auth.controller.ts
+++ b/backend/src/common/auth/auth.controller.ts
@@ -18,10 +18,16 @@ import { LoginDto } from './dto/login.dto.js';
 import { RegisterDto } from './dto/register.dto.js';
 import { JwtAuthGuard } from '../guards/jwt-auth.guard.js';
 import { JwtRefreshGuard } from '../guards/jwt-refresh.guard.js';
-import { ApiTags, ApiOperation, ApiBearerAuth } from '@nestjs/swagger';
-import { Request } from 'express'; // ✅ Import Request
+import {
+  ApiTags,
+  ApiOperation,
+  ApiBearerAuth,
+  ApiResponse,
+  ApiBody,
+} from '@nestjs/swagger';
+import { Request } from 'express';

-// สร้าง Interface สำหรับ Request ที่มี User (เพื่อให้ TS รู้จัก req.user)
+// สร้าง Interface สำหรับ Request ที่มี User
 interface RequestWithUser extends Request {
  user: any;
 }
@@ -34,11 +40,24 @@ export class AuthController {
  @Post('login')
  @Throttle({ default: { limit: 5, ttl: 60000 } })
  @HttpCode(HttpStatus.OK)
-  @ApiOperation({ summary: 'เข้าสู่ระบบเพื่อรับ Access & Refresh Token' })
+  @ApiOperation({ summary: 'Login to get Access & Refresh Token' })
+  @ApiBody({ type: LoginDto })
+  @ApiResponse({
+    status: 200,
+    description: 'Login successful',
+    schema: {
+      type: 'object',
+      properties: {
+        access_token: { type: 'string' },
+        refresh_token: { type: 'string' },
+        user: { type: 'object' },
+      },
+    },
+  })
  async login(@Body() loginDto: LoginDto) {
    const user = await this.authService.validateUser(
      loginDto.username,
-      loginDto.password,
+      loginDto.password
    );

    if (!user) {
@@ -51,7 +70,9 @@ export class AuthController {
  @Post('register-admin')
  @UseGuards(JwtAuthGuard)
  @ApiBearerAuth()
-  @ApiOperation({ summary: 'สร้างบัญชีผู้ใช้ใหม่ (Admin Only)' })
+  @ApiOperation({ summary: 'Create new user (Admin Only)' })
+  @ApiBody({ type: RegisterDto })
+  @ApiResponse({ status: 201, description: 'User registered' })
  async register(@Body() registerDto: RegisterDto) {
    return this.authService.register(registerDto);
  }
@@ -59,9 +80,20 @@ export class AuthController {
  @UseGuards(JwtRefreshGuard)
  @Post('refresh')
  @HttpCode(HttpStatus.OK)
-  @ApiOperation({ summary: 'ขอ Access Token ใหม่ด้วย Refresh Token' })
+  @ApiBearerAuth()
+  @ApiOperation({ summary: 'Refresh Access Token using Refresh Token' })
+  @ApiResponse({
+    status: 200,
+    description: 'Token refreshed',
+    schema: {
+      type: 'object',
+      properties: {
+        access_token: { type: 'string' },
+        refresh_token: { type: 'string' },
+      },
+    },
+  })
  async refresh(@Req() req: RequestWithUser) {
-    // ✅ ระบุ Type ชัดเจน
    return this.authService.refreshToken(req.user.sub, req.user.refreshToken);
  }

@@ -69,23 +101,24 @@ export class AuthController {
  @Post('logout')
  @HttpCode(HttpStatus.OK)
  @ApiBearerAuth()
-  @ApiOperation({ summary: 'ออกจากระบบ (Revoke Token)' })
+  @ApiOperation({ summary: 'Logout (Revoke Tokens)' })
+  @ApiResponse({ status: 200, description: 'Logged out successfully' })
  async logout(@Req() req: RequestWithUser) {
-    // ✅ ระบุ Type ชัดเจน
    const token = req.headers.authorization?.split(' ')[1];
-    // ต้องเช็คว่ามี token หรือไม่ เพื่อป้องกัน runtime error
    if (!token) {
      return { message: 'No token provided' };
    }
+    // ส่ง refresh token ไปด้วยถ้ามี (ใน header หรือ body)
+    // สำหรับตอนนี้ส่งแค่ access token ไป blacklist
    return this.authService.logout(req.user.sub, token);
  }

  @UseGuards(JwtAuthGuard)
  @Get('profile')
  @ApiBearerAuth()
-  @ApiOperation({ summary: 'ดึงข้อมูลผู้ใช้ปัจจุบัน' })
+  @ApiOperation({ summary: 'Get current user profile' })
+  @ApiResponse({ status: 200, description: 'User profile' })
  getProfile(@Req() req: RequestWithUser) {
-    // ✅ ระบุ Type ชัดเจน
    return req.user;
  }
 }
--- a/backend/src/common/auth/auth.module.ts
+++ b/backend/src/common/auth/auth.module.ts
@@ -1,6 +1,7 @@
 // File: src/common/auth/auth.module.ts
 // บันทึกการแก้ไข: แก้ไข Type Mismatch ของ expiresIn (Fix TS2322)
 // [P0-1] เพิ่ม CASL RBAC Integration
+// [P2-2] Register RefreshToken Entity

 import { Module } from '@nestjs/common';
 import { JwtModule } from '@nestjs/jwt';
@@ -13,18 +14,19 @@ import { UserModule } from '../../modules/user/user.module.js';
 import { JwtStrategy } from './strategies/jwt.strategy.js';
 import { JwtRefreshStrategy } from './strategies/jwt-refresh.strategy.js';
 import { User } from '../../modules/user/entities/user.entity';
-import { CaslModule } from './casl/casl.module'; // [P0-1] Import CASL
-import { PermissionsGuard } from './guards/permissions.guard'; // [P0-1] Import Guard
+import { RefreshToken } from './entities/refresh-token.entity'; // [P2-2]
+import { CaslModule } from './casl/casl.module';
+import { PermissionsGuard } from './guards/permissions.guard';

@Module({
  imports: [
-    TypeOrmModule.forFeature([User]),
+    TypeOrmModule.forFeature([User, RefreshToken]), // [P2-2] Added RefreshToken
    UserModule,
    PassportModule,
    JwtModule.registerAsync({
      imports: [ConfigModule],
      inject: [ConfigService],
-      useFactory: async (configService: ConfigService) => ({
+      useFactory: (configService: ConfigService) => ({
        secret: configService.get<string>('JWT_SECRET'),
        signOptions: {
          expiresIn: (configService.get<string>('JWT_EXPIRATION') ||
@@ -32,18 +34,10 @@ import { PermissionsGuard } from './guards/permissions.guard'; // [P0-1] Import
        },
      }),
    }),
-    CaslModule, // [P0-1] Import CASL module
-  ],
-  providers: [
-    AuthService,
-    JwtStrategy,
-    JwtRefreshStrategy,
-    PermissionsGuard, // [P0-1] Register PermissionsGuard
+    CaslModule,
  ],
+  providers: [AuthService, JwtStrategy, JwtRefreshStrategy, PermissionsGuard],
  controllers: [AuthController],
-  exports: [
-    AuthService,
-    PermissionsGuard, // [P0-1] Export for use in other modules
-  ],
+  exports: [AuthService, PermissionsGuard],
 })
 export class AuthModule {}
--- a/backend/src/common/auth/auth.service.ts
+++ b/backend/src/common/auth/auth.service.ts
@@ -2,6 +2,7 @@
 // บันทึกการแก้ไข:
 // 1. แก้ไข Type Mismatch ใน signAsync
 // 2. แก้ไข validateUser ให้ดึง password_hash ออกมาด้วย (Fix HTTP 500: data and hash arguments required)
+// 3. [P2-2] Implement Refresh Token storage & rotation

 import {
  Injectable,
@@ -12,14 +13,16 @@ import {
 import { JwtService } from '@nestjs/jwt';
 import { ConfigService } from '@nestjs/config';
 import { CACHE_MANAGER } from '@nestjs/cache-manager';
-import { InjectRepository } from '@nestjs/typeorm'; // [NEW]
-import { Repository } from 'typeorm'; // [NEW]
+import { InjectRepository } from '@nestjs/typeorm';
+import { Repository } from 'typeorm';
 import type { Cache } from 'cache-manager';
 import * as bcrypt from 'bcrypt';
+import * as crypto from 'crypto';

 import { UserService } from '../../modules/user/user.service.js';
-import { User } from '../../modules/user/entities/user.entity.js'; // [NEW] ต้อง Import Entity เพื่อใช้ Repository
+import { User } from '../../modules/user/entities/user.entity.js';
 import { RegisterDto } from './dto/register.dto.js';
+import { RefreshToken } from './entities/refresh-token.entity.js'; // [P2-2]

@Injectable()
 export class AuthService {
@@ -28,31 +31,27 @@ export class AuthService {
    private jwtService: JwtService,
    private configService: ConfigService,
    @Inject(CACHE_MANAGER) private cacheManager: Cache,
-    // [NEW] Inject Repository เพื่อใช้ QueryBuilder
    @InjectRepository(User)
    private usersRepository: Repository<User>,
+    // [P2-2] Inject RefreshToken Repository
+    @InjectRepository(RefreshToken)
+    private refreshTokenRepository: Repository<RefreshToken>
  ) {}

  // 1. ตรวจสอบ Username/Password
  async validateUser(username: string, pass: string): Promise<any> {
-    console.log(`🔍 Checking login for: ${username}`); // [DEBUG]
-    // [FIXED] ใช้ createQueryBuilder เพื่อ addSelect field 'password' ที่ถูกซ่อนไว้
+    console.log(`🔍 Checking login for: ${username}`);
    const user = await this.usersRepository
      .createQueryBuilder('user')
-      .addSelect('user.password') // สำคัญ! สั่งให้ดึง column password มาด้วย
+      .addSelect('user.password')
      .where('user.username = :username', { username })
      .getOne();

    if (!user) {
-      console.log('❌ User not found in database'); // [DEBUG]
+      console.log('❌ User not found in database');
      return null;
    }

-    console.log('✅ User found. Hash from DB:', user.password); // [DEBUG]
-
-    const isMatch = await bcrypt.compare(pass, user.password);
-    console.log(`🔐 Password match result: ${isMatch}`); // [DEBUG]
-
    // ตรวจสอบว่ามี user และมี password hash หรือไม่
    if (user && user.password && (await bcrypt.compare(pass, user.password))) {
      // eslint-disable-next-line @typescript-eslint/no-unused-vars
@@ -62,7 +61,7 @@ export class AuthService {
    return null;
  }

-  // 2. Login: สร้าง Access & Refresh Token
+  // 2. Login: สร้าง Access & Refresh Token และบันทึกลง DB
  async login(user: any) {
    const payload = {
      username: user.username,
@@ -70,20 +69,20 @@ export class AuthService {
      scope: 'Global',
    };

-    const [accessToken, refreshToken] = await Promise.all([
-      this.jwtService.signAsync(payload, {
-        secret: this.configService.get<string>('JWT_SECRET'),
-        // ✅ Fix: Cast as any
-        expiresIn: (this.configService.get<string>('JWT_EXPIRATION') ||
-          '15m') as any,
-      }),
-      this.jwtService.signAsync(payload, {
-        secret: this.configService.get<string>('JWT_REFRESH_SECRET'),
-        // ✅ Fix: Cast as any
-        expiresIn: (this.configService.get<string>('JWT_REFRESH_EXPIRATION') ||
-          '7d') as any,
-      }),
-    ]);
+    const accessToken = await this.jwtService.signAsync(payload, {
+      secret: this.configService.get<string>('JWT_SECRET'),
+      expiresIn: (this.configService.get<string>('JWT_EXPIRATION') ||
+        '15m') as any,
+    });
+
+    const refreshToken = await this.jwtService.signAsync(payload, {
+      secret: this.configService.get<string>('JWT_REFRESH_SECRET'),
+      expiresIn: (this.configService.get<string>('JWT_REFRESH_EXPIRATION') ||
+        '7d') as any,
+    });
+
+    // [P2-2] Store Refresh Token in DB
+    await this.storeRefreshToken(user.user_id, refreshToken);

    return {
      access_token: accessToken,
@@ -92,10 +91,28 @@ export class AuthService {
    };
  }

+  // [P2-2] Store Refresh Token Logic
+  private async storeRefreshToken(userId: number, token: string) {
+    // Hash token before storing for security
+    const hash = crypto.createHash('sha256').update(token).digest('hex');
+    const expiresInDays = 7; // Should match JWT_REFRESH_EXPIRATION
+    const expiresAt = new Date();
+    expiresAt.setDate(expiresAt.getDate() + expiresInDays);
+
+    const refreshTokenEntity = this.refreshTokenRepository.create({
+      userId,
+      tokenHash: hash,
+      expiresAt,
+      isRevoked: false,
+    });
+
+    await this.refreshTokenRepository.save(refreshTokenEntity);
+  }
+
  // 3. Register (สำหรับ Admin)
  async register(userDto: RegisterDto) {
    const existingUser = await this.userService.findOneByUsername(
-      userDto.username,
+      userDto.username
    );
    if (existingUser) {
      throw new BadRequestException('Username already exists');
@@ -110,27 +127,79 @@ export class AuthService {
    });
  }

-  // 4. Refresh Token: ออก Token ใหม่
+  // 4. Refresh Token: ตรวจสอบและออก Token ใหม่ (Rotation)
  async refreshToken(userId: number, refreshToken: string) {
+    // Hash incoming token to match with DB
+    const hash = crypto.createHash('sha256').update(refreshToken).digest('hex');
+
+    // Find token in DB
+    const storedToken = await this.refreshTokenRepository.findOne({
+      where: { tokenHash: hash },
+    });
+
+    if (!storedToken) {
+      throw new UnauthorizedException('Invalid refresh token');
+    }
+
+    if (storedToken.isRevoked) {
+      // Possible token theft! Invalidate all user tokens family
+      await this.revokeAllUserTokens(userId);
+      throw new UnauthorizedException('Refresh token revoked - Security alert');
+    }
+
+    if (storedToken.expiresAt < new Date()) {
+      throw new UnauthorizedException('Refresh token expired');
+    }
+
+    // Valid token -> Rotate it
    const user = await this.userService.findOne(userId);
    if (!user) throw new UnauthorizedException('User not found');

    const payload = { username: user.username, sub: user.user_id };

-    const accessToken = await this.jwtService.signAsync(payload, {
+    // Generate NEW tokens
+    const newAccessToken = await this.jwtService.signAsync(payload, {
      secret: this.configService.get<string>('JWT_SECRET'),
-      // ✅ Fix: Cast as any
      expiresIn: (this.configService.get<string>('JWT_EXPIRATION') ||
        '15m') as any,
    });

+    const newRefreshToken = await this.jwtService.signAsync(payload, {
+      secret: this.configService.get<string>('JWT_REFRESH_SECRET'),
+      expiresIn: (this.configService.get<string>('JWT_REFRESH_EXPIRATION') ||
+        '7d') as any,
+    });
+
+    // Revoke OLD token and point to NEW one
+    const newHash = crypto
+      .createHash('sha256')
+      .update(newRefreshToken)
+      .digest('hex');
+
+    storedToken.isRevoked = true;
+    storedToken.replacedByToken = newHash;
+    await this.refreshTokenRepository.save(storedToken);
+
+    // Save NEW token
+    await this.storeRefreshToken(userId, newRefreshToken);
+
    return {
-      access_token: accessToken,
+      access_token: newAccessToken,
+      refresh_token: newRefreshToken,
    };
  }

-  // 5. Logout: นำ Token เข้า Blacklist ใน Redis
-  async logout(userId: number, accessToken: string) {
+  // [P2-2] Helper: Revoke all tokens for a user (Security Measure)
+  private async revokeAllUserTokens(userId: number) {
+    await this.refreshTokenRepository.update(
+      { userId, isRevoked: false },
+      { isRevoked: true }
+    );
+  }
+
+  // 5. Logout: Revoke current refresh token & Blacklist Access Token
+  async logout(userId: number, accessToken: string, refreshToken?: string) {
+    // Blacklist Access Token
    try {
      const decoded = this.jwtService.decode(accessToken);
      if (decoded && decoded.exp) {
@@ -139,13 +208,26 @@ export class AuthService {
          await this.cacheManager.set(
            `blacklist:token:${accessToken}`,
            true,
-            ttl * 1000,
+            ttl * 1000
          );
        }
      }
    } catch (error) {
      // Ignore decoding error
    }
+
+    // [P2-2] Revoke Refresh Token if provided
+    if (refreshToken) {
+      const hash = crypto
+        .createHash('sha256')
+        .update(refreshToken)
+        .digest('hex');
+      await this.refreshTokenRepository.update(
+        { tokenHash: hash },
+        { isRevoked: true }
+      );
+    }
+
    return { message: 'Logged out successfully' };
  }
 }
--- a/backend/src/common/auth/casl/ability.factory.ts
+++ b/backend/src/common/auth/casl/ability.factory.ts
@@ -1,11 +1,5 @@
 import { Injectable } from '@nestjs/common';
-import {
-  Ability,
-  AbilityBuilder,
-  AbilityClass,
-  ExtractSubjectType,
-  InferSubjects,
-} from '@casl/ability';
+import { Ability, AbilityBuilder, AbilityClass } from '@casl/ability';
 import { User } from '../../../modules/user/entities/user.entity';
 import { UserAssignment } from '../../../modules/user/entities/user-assignment.entity';

@@ -45,7 +39,7 @@ export class AbilityFactory {
   * - Level 4: Contract
   */
  createForUser(user: User, context: ScopeContext): AppAbility {
-    const { can, cannot, build } = new AbilityBuilder<AppAbility>(
+    const { can, build } = new AbilityBuilder<AppAbility>(
      Ability as AbilityClass<AppAbility>
    );

@@ -54,12 +48,13 @@ export class AbilityFactory {
      return build();
    }

+    // Iterate through user's role assignments
    // Iterate through user's role assignments
    user.assignments.forEach((assignment: UserAssignment) => {
      // Check if assignment matches the current context
      if (this.matchesScope(assignment, context)) {
        // Grant permissions from the role
-        assignment.role.permissions.forEach((permission) => {
+        assignment.role.permissions?.forEach((permission) => {
          const [action, subject] = this.parsePermission(
            permission.permissionName
          );
@@ -70,8 +65,10 @@ export class AbilityFactory {

    return build({
      // Detect subject type (for future use with objects)
-      detectSubjectType: (item) =>
-        item.constructor as ExtractSubjectType<Subjects>,
+      detectSubjectType: (item: any) => {
+        if (typeof item === 'string') return item;
+        return item.constructor;
+      },
    });
  }

@@ -120,17 +117,17 @@ export class AbilityFactory {
   *         "project.view" → ["view", "project"]
   */
  private parsePermission(permissionName: string): [string, string] {
+    // Fallback for special permissions like "system.manage_all"
+    if (permissionName === 'system.manage_all') {
+      return ['manage', 'all'];
+    }
+
    const parts = permissionName.split('.');
    if (parts.length === 2) {
      const [subject, action] = parts;
      return [action, subject];
    }

-    // Fallback for special permissions like "system.manage_all"
-    if (permissionName === 'system.manage_all') {
-      return ['manage', 'all'];
-    }
-
    throw new Error(`Invalid permission format: ${permissionName}`);
  }
 }
--- a/backend/src/common/auth/dto/login.dto.ts
+++ b/backend/src/common/auth/dto/login.dto.ts
@@ -1,10 +1,16 @@
 import { IsNotEmpty, IsString } from 'class-validator';
+import { ApiProperty } from '@nestjs/swagger';

 export class LoginDto {
+  @ApiProperty({
+    description: 'Username (Email)',
+    example: 'admin@np-dms.work',
+  })
  @IsString()
  @IsNotEmpty()
  username!: string;

+  @ApiProperty({ description: 'Password', example: 'password123' })
  @IsString()
  @IsNotEmpty()
  password!: string;
--- a/backend/src/common/auth/entities/refresh-token.entity.ts
+++ b/backend/src/common/auth/entities/refresh-token.entity.ts
@@ -0,0 +1,38 @@
+import {
+  Entity,
+  Column,
+  PrimaryGeneratedColumn,
+  CreateDateColumn,
+  ManyToOne,
+  JoinColumn,
+} from 'typeorm';
+import { User } from '../../../modules/user/entities/user.entity';
+
+@Entity('refresh_tokens')
+export class RefreshToken {
+  @PrimaryGeneratedColumn({ name: 'token_id' })
+  tokenId!: number;
+
+  @Column({ name: 'user_id' })
+  userId!: number;
+
+  @Column({ name: 'token_hash', length: 255 })
+  tokenHash!: string;
+
+  @Column({ name: 'expires_at' })
+  expiresAt!: Date;
+
+  @Column({ name: 'is_revoked', default: false })
+  isRevoked!: boolean;
+
+  @CreateDateColumn({ name: 'created_at' })
+  createdAt!: Date;
+
+  @Column({ name: 'replaced_by_token', nullable: true, length: 255 })
+  replacedByToken?: string; // For rotation support
+
+  // Relations
+  @ManyToOne(() => User, { onDelete: 'CASCADE' })
+  @JoinColumn({ name: 'user_id' })
+  user?: User;
+}
--- a/backend/src/common/auth/guards/permissions.guard.ts
+++ b/backend/src/common/auth/guards/permissions.guard.ts
@@ -43,7 +43,7 @@ export class PermissionsGuard implements CanActivate {
    // Check if user has ALL required permissions
    const hasPermission = requiredPermissions.every((permission) => {
      const [action, subject] = this.parsePermission(permission);
-      return ability.can(action, subject);
+      return ability.can(action as any, subject as any);
    });

    if (!hasPermission) {
--- a/backend/src/common/guards/rbac.guard.ts
+++ b/backend/src/common/guards/rbac.guard.ts
@@ -5,25 +5,25 @@ import {
  ForbiddenException,
 } from '@nestjs/common';
 import { Reflector } from '@nestjs/core';
-import { PERMISSION_KEY } from '../decorators/require-permission.decorator.js';
-import { UserService } from '../../modules/user/user.service.js';
+import { PERMISSIONS_KEY } from '../decorators/require-permission.decorator';
+import { UserService } from '../../modules/user/user.service';

@Injectable()
 export class RbacGuard implements CanActivate {
  constructor(
    private reflector: Reflector,
-    private userService: UserService,
+    private userService: UserService
  ) {}

  async canActivate(context: ExecutionContext): Promise<boolean> {
    // 1. ดูว่า Controller นี้ต้องการสิทธิ์อะไร?
-    const requiredPermission = this.reflector.getAllAndOverride<string>(
-      PERMISSION_KEY,
-      [context.getHandler(), context.getClass()],
+    const requiredPermissions = this.reflector.getAllAndOverride<string[]>(
+      PERMISSIONS_KEY,
+      [context.getHandler(), context.getClass()]
    );

    // ถ้าไม่ต้องการสิทธิ์อะไรเลย ก็ปล่อยผ่าน
-    if (!requiredPermission) {
+    if (!requiredPermissions || requiredPermissions.length === 0) {
      return true;
    }

@@ -36,17 +36,19 @@ export class RbacGuard implements CanActivate {
    // 3. (สำคัญ) ดึงสิทธิ์ทั้งหมดของ User คนนี้จาก Database
    // เราต้องเขียนฟังก์ชัน getUserPermissions ใน UserService เพิ่ม (เดี๋ยวพาทำ)
    const userPermissions = await this.userService.getUserPermissions(
-      user.userId,
+      user.userId
    );

-    // 4. ตรวจสอบว่ามีสิทธิ์ที่ต้องการไหม?
-    const hasPermission = userPermissions.some(
-      (p) => p === requiredPermission || p === 'system.manage_all', // Superadmin ทะลุทุกสิทธิ์
+    // 4. ตรวจสอบว่ามีสิทธิ์ที่ต้องการไหม? (User ต้องมีครบทุกสิทธิ์)
+    const hasPermission = requiredPermissions.every((req) =>
+      userPermissions.some(
+        (p) => p === req || p === 'system.manage_all' // Superadmin ทะลุทุกสิทธิ์
+      )
    );

    if (!hasPermission) {
      throw new ForbiddenException(
-        `You do not have permission: ${requiredPermission}`,
+        `You do not have permission: ${requiredPermissions.join(', ')}`
      );
    }