Implements authorization layer

.github/workflows/linting.yaml

@@ -11,7 +11,7 @@ jobs:
 
       - uses: actions/setup-node@v4
         with:
-          node-version: "lts/hydrogen"
+          node-version-file: "package.json"
 
       - run: npm ci
 
@@ -24,7 +24,7 @@ jobs:
 
       - uses: actions/setup-node@v4
         with:
-          node-version: "lts/hydrogen"
+          node-version-file: "package.json"
 
       - run: npm ci
 
@@ -39,7 +39,7 @@ jobs:
 
       - uses: actions/setup-node@v4
         with:
-          node-version: "lts/hydrogen"
+          node-version-file: "package.json"
 
       - run: npm ci
 

.github/workflows/tests.yaml

@@ -11,7 +11,7 @@ jobs:
 
       - uses: actions/setup-node@v4
         with:
-          node-version: "lts/hydrogen"
+          node-version-file: "package.json"
 
       - run: npm ci
 

.npmrc

@@ -1 +1,2 @@
-save-exact=true
+save-exact=true
+engine-strict=true

.nvmrc

@@ -1 +1 @@
-lts/hydrogen
+24

infra/controller.js

@@ -1,21 +1,28 @@
 import * as cookie from "cookie";
 import session from "models/session";
+import user from "models/user";
+import authorization from "models/authorization";
 
 import {
   InternalServerError,
   MethodNotAllowedError,
   NotFoundError,
   UnauthorizedError,
   ValidationError,
+  ForbiddenError,
 } from "infra/errors";
 
 function onNoMatchHandler(request, response) {
-  const puclicErrorObjcet = new MethodNotAllowedError();
-  response.status(puclicErrorObjcet.statusCode).json(puclicErrorObjcet);
+  const publicErrorObject = new MethodNotAllowedError();
+  response.status(publicErrorObject.statusCode).json(publicErrorObject);
 }
 
 function onErrorHandler(error, request, response) {
-  if (error instanceof ValidationError || error instanceof NotFoundError) {
+  if (
+    error instanceof ValidationError ||
+    error instanceof NotFoundError ||
+    error instanceof ForbiddenError
+  ) {
     return response.status(error.statusCode).json(error);
   }
 
@@ -24,17 +31,17 @@ function onErrorHandler(error, request, response) {
     return response.status(error.statusCode).json(error);
   }
 
-  const puclicErrorObjcet = new InternalServerError({
+  const publicErrorObject = new InternalServerError({
     cause: error,
   });
-  console.error(puclicErrorObjcet);
-  response.status(puclicErrorObjcet.statusCode).json(puclicErrorObjcet);
+  console.error(publicErrorObject);
+  response.status(publicErrorObject.statusCode).json(publicErrorObject);
 }
 
 async function setSessionCookie(sessionToken, response) {
   const setCookie = cookie.serialize("session_id", sessionToken, {
     path: "/",
-    maxAge: session.EXPIRATION_IN_MILISECONS / 1000,
+    maxAge: session.EXPIRATION_IN_MILLISECONDS / 1000,
     secure: process.env.NODE_ENV === "production",
     httpOnly: true,
   });
@@ -51,13 +58,59 @@ async function clearSessionCookie(response) {
   response.setHeader("Set-Cookie", setCookie);
 }
 
+async function injectAnonymousOrUser(request, response, next) {
+  let userObject;
+  if (request?.cookies.session_id) {
+    const sessionToken = request.cookies.session_id;
+    userObject = await getAuthenticatedUser(sessionToken);
+  } else {
+    userObject = await getAnonymousUser();
+  }
+
+  request.context = {
+    ...request.context,
+    user: userObject,
+  };
+
+  return next();
+}
+
+async function getAuthenticatedUser(sessionToken) {
+  const sessionObject = await session.findOneValidByToken(sessionToken);
+  const userObject = await user.findOneById(sessionObject.user_id);
+  return userObject;
+}
+
+async function getAnonymousUser() {
+  const anonymousUser = {
+    features: ["read:activation_token", "create:session", "create:user"],
+  };
+  return anonymousUser;
+}
+
+function canRequest(feature) {
+  return async function canRequestMiddleware(request, response, next) {
+    const userTryingToRequest = request.context.user;
+    if (authorization.can(userTryingToRequest, feature)) {
+      return next();
+    }
+
+    throw new ForbiddenError({
+      message: "User do not have permission to perform this action.",
+      action: `Check user permissions has a feature ${feature}.`,
+    });
+  };
+}
+
 const controller = {
   errorHandlers: {
     onNoMatch: onNoMatchHandler,
     onError: onErrorHandler,
   },
   setSessionCookie,
   clearSessionCookie,
+  injectAnonymousOrUser,
+  canRequest,
 };
 
 export default controller;

infra/email.js

@@ -1,4 +1,5 @@
 import nodemailer from "nodemailer";
+import { ServiceError } from "./errors";
 
 const transporter = nodemailer.createTransport({
   host: process.env.EMAIL_SMTP_HOST,
@@ -11,7 +12,16 @@ const transporter = nodemailer.createTransport({
 });
 
 async function send(mailOptions) {
-  await transporter.sendMail(mailOptions);
+  try {
+    await transporter.sendMail(mailOptions);
+  } catch (error) {
+    throw new ServiceError({
+      message: "It was not possble to sent the mail.",
+      action: "Check if the email service is avalible.",
+      cause: error,
+      context: mailOptions,
+    });
+  }
 }
 
 const email = {

infra/errors.js

@@ -19,13 +19,14 @@ export class InternalServerError extends Error {
 }
 
 export class ServiceError extends Error {
-  constructor({ message, cause }) {
+  constructor({ message, cause, action, context }) {
     super(message || "Service currently unavailable", {
       cause,
     });
     this.name = "ServiceError";
-    this.action = "Check if the service is available";
+    this.action = action || "Check if the service is available";
     this.statusCode = 503;
+    this.context = context;
   }
 
   toJSON() {
@@ -34,6 +35,7 @@ export class ServiceError extends Error {
       message: this.message,
       action: this.action,
       status_code: this.statusCode,
+      context: this.context,
     };
   }
 }
@@ -116,3 +118,23 @@ export class UnauthorizedError extends Error {
     };
   }
 }
+
+export class ForbiddenError extends Error {
+  constructor({ message, cause, action }) {
+    super(message || "Access denied", {
+      cause,
+    });
+    this.name = "ForbiddenError";
+    this.action = action || "Check user permissions before to continue.";
+    this.statusCode = 403;
+  }
+
+  toJSON() {
+    return {
+      name: this.name,
+      message: this.message,
+      action: this.action,
+      status_code: this.statusCode,
+    };
+  }
+}

infra/migrations/1740080557717_create-users.js

@@ -11,13 +11,13 @@ exports.up = (pgm) => {
       notNull: true,
       unique: true,
     },
-    //Why 254 in lenght? https://stackoverflow.com/a/1199238
+    //Why 254 in length? https://stackoverflow.com/a/1199238
     email: {
       type: "varchar(254)",
       notNull: true,
       unique: true,
     },
-    //Why 60 in lenght? https://www.npmjs.com/package/bcrypt#hash-info
+    //Why 60 in length? https://www.npmjs.com/package/bcrypt#hash-info
     password: {
       type: "varchar(60)",
       notNull: true,

infra/migrations/1768554236308_add-features-to-users.js

@@ -0,0 +1,11 @@
+exports.up = (pgm) => {
+  pgm.addColumn("users", {
+    features: {
+      type: "varchar[]",
+      notNull: true,
+      default: "{}",
+    },
+  });
+};
+
+exports.down = false;

infra/migrations/1768565094427_create-user-activation-tokens.js

@@ -0,0 +1,38 @@
+exports.up = (pgm) => {
+  pgm.createTable("user_activation_tokens", {
+    id: {
+      type: "uuid",
+      primaryKey: true,
+      default: pgm.func("gen_random_uuid()"),
+    },
+
+    used_at: {
+      type: "timestamptz",
+      notNull: false,
+    },
+
+    user_id: {
+      type: "uuid",
+      notNull: true,
+    },
+
+    expires_at: {
+      type: "timestamptz",
+      notNull: true,
+    },
+
+    created_at: {
+      type: "timestamptz",
+      notNull: true,
+      default: pgm.func("timezone('utc', now())"),
+    },
+
+    updated_at: {
+      type: "timestamptz",
+      notNull: true,
+      default: pgm.func("timezone('utc', now())"),
+    },
+  });
+};
+
+exports.down = false;

infra/scripts/wait-for-postgres.js

@@ -7,12 +7,12 @@ function checkPostgres() {
       return checkPostgres();
     }
     loader.stopLoader();
-    console.log("🟢 Postgres esta aceitando conexões.\n");
+    console.log("🟢 Postgres is accepting connections..\n");
   }
 
   exec("docker exec postgres-dev pg_isready --host localhost", handleReturn);
 }
 loader.startLoader({
-  text: "🔴 Aguardando o postgres aceitar conexõe",
+  text: "🔴 Waiting for Postgres to accept connections...",
 });
 checkPostgres();

infra/webserver.js

@@ -0,0 +1,29 @@
+function getOrigin() {
+  if (
+    ["development", "test"].includes(process.env.NODE_ENV) &&
+    !process.env.CODESPACES
+  ) {
+    return "http://localhost:3000";
+  }
+
+  if (process.env.CODESPACES === "true") {
+    const port = process.env.PORT ?? "3000";
+    const codespaceName = process.env.CODESPACE_NAME;
+    const forwardingDomain =
+      process.env.GITHUB_CODESPACES_PORT_FORWARDING_DOMAIN;
+
+    return `https://${codespaceName}-${port}.${forwardingDomain}`;
+  }
+
+  if (process.env.VERCEL_ENV === "preview") {
+    return `https://${process.env.VERCEL_URL}`;
+  }
+
+  return "https://iisrael.com.br";
+}
+
+const webserver = {
+  origin: getOrigin(),
+};
+
+export default webserver;